NAME

       batv-filter - BATV (Bounce Address Tag Validation) filter for sendmail

SYNOPSIS

       batv-filter   -p  socketspec  -k  key  [-a  allowlist]  [-A]  [-b]  [-d
       domainlist] [-D debuglevel] [-f] [-i ilist] [-l] [-n] [-P pidfile] [-s]
       [-S] [-u user] [-V] [-x]

DESCRIPTION

       batv-filter  implements  the experimental Bounce Address Tag Validation
       specification as a means to filter mail which claims to come  from  the
       local domain but in fact does not.

       For details regarding the proposal, consult the draft text.

OPTIONS

       -a allowlist
              Identifies   a  file  of  envelope  addresses  which  should  be
              immediately allowed (not processed) by the filter.  Matching  is
              done  on  both  sender  (MAIL  FROM)  and  recipient  (RCPT  TO)
              addresses.  The hash character ("#")  denotes  comments  in  the
              usual  shell  script  style;  data after a hash character on any
              given line is ignored.   Blank  lines  are  also  ignored.   The
              entries in this file may include wildcard ("*") characters.

       -A     Automatically  re-start  on  failures.  Use with caution; if the
              filter fails instantly after it starts, this can cause  a  tight
              fork(2) loop.

       -b     By  default,  arriving  messages  addressed  to users in domains
              listed by the -d option must be signed if they are bounces (i.e.
              empty  envelope  sender)  but not otherwise; bounces to unsigned
              addresses  will  be   rejected.    This   option   applies   the
              verification to all envelope senders, not just the empty sender.

       -d domainlist
              Specifies a comma-separated list  of  domain  names  whose  mail
              should  be  signed  and  verified  by  this filter.  Specify all
              possible subdomains by prefixing a dot (".") to the  appropriate
              entries.   If  no domains are specified, mail for all domains is
              signed.  See also the -i option below.

       -D debuglevel
              Requests milter debugging at the specified debug level.

       -f     Suppresses the call to fork(), so that the filter  runs  in  the
              foreground.

       -h     Causes  batv-filter  to  add a header indicating the presence of
              this filter in  the  path  of  the  message  from  injection  to
              delivery.   The  product’s  name,  version,  and  the job ID are
              included in the header’s contents.

       -i ilist
              Specifies  a  file  which  contains  a  list  of  hostnames,  IP
              addresses     or     CIDR-style    IP    specifications    (e.g.
              "192.168.1.0/24").  Mail coming from  these  sources  should  be
              signed  rather  than  being  verified.   See  also the -d option
              above.   If  unspecified,  a  single-entry  list  referring   to
              "127.0.0.1/32" is assumed.

       -k key Specifies  the  file  in  which  to find the key to be used when
              signing outgoing mail and verifying arriving mail.  The key  can
              be  any  arbitrary  text  string and should appear on the first
              line of this file.

       -l     Log via calls to syslog(3) any interesting activity.

       -M macro[=value][,...]
              Defines a set of MTA-provided macros which should be checked  to
              see  if  the  sender  has been determined to be a local user and
              therefore whether or not the message should  be  signed.   If  a
              value  is specified, the value of the macro must match the value
              specified (matching is case-insensitive),  otherwise  the  macro
              must  be  defined but may contain any value.  Multiple tests may
              be specified, separated by commas.  The set is empty by default,
              meaning  macros  are  not  used  when  deciding whether or not a
              message should be signed.

              The general format of the string is test1[,test2[,...]]  where a
              "test"  is  of the form macro[=value1[|value2[|...]]]; if one or
              more value is defined then the macro must be set to one  of  the
              listed  values,  otherwise the macro must be set but can contain
              any value.

       -n     Don’t reject things which fail validation.

       -p socketspec
              Specifies the socket that should be established by the filter to
              receive   connections  from  sendmail(8)  in  order  to  provide
              service.  socketspec is in one of two  forms:  local:path  which
              creates   a  UNIX  domain  socket  at  the  specified  path,  or
              inet:port[@host] which creates a TCP  socket  on  the  specified
              port.   If  the  host is not given as either a hostname or an IP
              address, the socket will be listening on all  interfaces.   This
              option is mandatory.

       -P pidfile
              Writes  the  process  ID  of  the  filter,  once started, to the
              filename given.

       -s     Causes mail from clients authenticated to the MTA to be  ignored
              (passed)  by  the  filter.   The  default  is  to  process  even
              authenticated messages.

       -S     Requests that the MTA provide meaningful SMTP reply  codes  when
              rejecting messages rather than their un-descriptive defaults.

       -u userid
              Attempts  to  become  the  specified  userid  before   starting
              operations.

       -V     Print the version number and exit without doing anything else.

       -x     Activates an experimental Sendmail variant  of  BATV.   See  the
              LOCAL MODIFICATIONS section below for details.
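
       The -M test string format described above can be checked offline before
       deployment. The following is an added example, not batv-filter's own
       code; the macro names and values in the sample are constructed. The page
       does not say how multiple tests are combined, so the result is reported
       per test.

```python
def parse_macro_tests(spec):
    """Parse 'test1[,test2[,...]]' where a test is 'macro[=v1[|v2[|...]]]'.

    Returns a list of (macro, allowed) pairs; allowed is None when the macro
    only has to be defined, otherwise a list of lower-cased accepted values.
    """
    tests = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, values = item.partition("=")
        allowed = [v.strip().lower() for v in values.split("|")] if sep else None
        tests.append((name.strip(), allowed))
    return tests


def evaluate_macro_tests(spec, macros):
    """Evaluate each test against the macros the MTA supplied for a message.

    macros maps macro name -> value. Returns {macro: True/False} per test.
    """
    results = {}
    for name, allowed in parse_macro_tests(spec):
        if name not in macros:
            results[name] = False            # the macro must be defined
        elif allowed is None:
            results[name] = True             # defined, any value is accepted
        else:
            # value matching is case-insensitive, as the -M text states
            results[name] = macros[name].lower() in allowed
    return results


if __name__ == "__main__":
    # Constructed sample: one test with two accepted values, one bare test.
    spec = "{daemon_name}=MSA|MTA,{auth_type}"
    print(evaluate_macro_tests(spec, {"{daemon_name}": "msa"}))
```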

OPERATION

       A  message will be verified unless it conforms to the signing criteria,
       which are: (1) the domain on the envelope sender address must be listed
       by the -d command line switch, and (2) the client connecting to the MTA
       must (a) have authenticated, or (b) be listed in the file referenced by
       the -i command line switch.
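
       The sign-or-verify rule above, as an added model for checking a planned
       -d and -i configuration (not batv-filter's own code). Assumptions: a
       dot-prefixed -d entry covers subdomains only, a null sender never meets
       criterion (1), and only IP and CIDR entries of the -i file are modelled;
       the -a, -s and -M options are left out.

```python
import ipaddress

DEFAULT_ILIST = ("127.0.0.1/32",)   # the page's default when -i is not given


def domain_listed(sender, domainlist):
    """Criterion (1): the envelope sender's domain is covered by -d."""
    domain = sender.rpartition("@")[2].lower() if "@" in sender else ""
    if not domain:
        return False      # assumption: a bounce (empty sender) has no domain
    if not domainlist:
        return True       # page: with no -d domains, all domains are signed
    for entry in (e.strip().lower() for e in domainlist.split(",")):
        if entry.startswith("."):
            # assumption: ".example.com" matches subdomains, not the bare name
            if domain.endswith(entry):
                return True
        elif entry and domain == entry:
            return True
    return False


def client_listed(client_ip, ilist=DEFAULT_ILIST):
    """Criterion (2b): the connecting client is covered by the -i list."""
    addr = ipaddress.ip_address(client_ip)
    for entry in ilist:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue      # hostname entries are not modelled in this example
        if addr in net:
            return True
    return False


def action(sender, client_ip, authenticated, domainlist="", ilist=DEFAULT_ILIST):
    """Return 'sign' when both criteria hold, otherwise 'verify'."""
    trusted_client = authenticated or client_listed(client_ip, ilist)
    return "sign" if domain_listed(sender, domainlist) and trusted_client else "verify"


if __name__ == "__main__":
    # Constructed case: local sender address presented by an outside client.
    print(action("alice@example.com", "203.0.113.9", False, "example.com"))
```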

LOCAL MODIFICATIONS

       Adding  -x to the command line will cause the filter to sign and verify
       using a Sendmail, Inc. variant of BATV.  This  method  uses  the  basic
       idea  of  BATV  but appends the tag rather than prepending it, and uses
       the "+" character instead of the "=" character to separate the BATV tag
       from  the  actual address.  This is more compatible with configurations
       and filters that accommodate the existing MTA-supported address tagging
       system which has been around since at least the mid 1990s.

VERSION

       This man page covers version 0.4.0 of batv-filter.

COPYRIGHT

       Copyright  (c)  2007-2009 Sendmail, Inc. and its suppliers.  All rights
       reserved.

SEE ALSO

       sendmail(8)

       Sendmail Operations Guide

       RFC2821 - Simple Mail Transfer Protocol

                                Sendmail, Inc.                  batv-filter(8)