FreeBSD Manual Pages

spfmilter(1)		    General Commands Manual		  spfmilter(1)

NAME
       spfmilter - SPF mail filter module

SYNOPSIS
       spfmilter [--localpolicy|-l spf-mechanisms] [--trustedforwarders|-t]
       [--guess|-g spf-mechanisms] [--fallback|-f filename]
       [--allowlist/--whitelist|-a/-w filename] [--recipientmx|-r]
       [--explanation|-e spf-message] [--markonly|-m] [--user|-u user]
       [--pidfile|-p filename] [--nodaemon|-X] [--debug|-d] socket

DESCRIPTION
       Sendmail includes a facility for plugging in custom mail filters,
       called milters.  It's documented here: http://www.milter.org/milter_api/
       Spfmilter implements the Sender Policy Framework (SPF) as a milter,
       using either the libspf or libspf2 libraries.

OPTIONS
       All milters take	a standardized socket argument,	 which	specifies  how
       they   communicate  with	 sendmail.   This  will	 look  something  like
       "unix:/var/run/spfmilter.sock"	for   a	  unix-domain	 socket,    or
       "inet:2525@localhost"  for  an internet-domain socket.  The same	string
       gets used in the	INPUT_MAIL_FILTER macro	in sendmail.mc.

       In addition to the required socket argument,  there  are	 a  number  of
       flags:

       --localpolicy or	-l
	      Additional  SPF  mechanisms  to apply before a sender site's own
	      rules.

       --trustedforwarders or -t
	      Whether  to  check  trusted-forwarder.org.   This	 is  basically
	      equivalent to "-l	include:spf.trusted-forwarder.org".

       --guess or -g
	      SPF  mechanisms  to  use	for any	site which doesn't specify SPF
	      rules of its own.	 Something like	"+a/24 +mx/24 +ptr ~all" might
	      be good.

       --fallback or -f
              A file of SPF mechanisms to use for specific sites that don't
              specify any SPF rules of their own.  The format for each line is
              a shell-style wildcard pattern (? and *), whitespace, and then
              the SPF mechanisms to use on rule-less domains matching the
              pattern.  A hash mark starts a comment, and blank lines are
              ignored.  The --guess option is equivalent to a --fallback file
              entry of "*".

       --allowlist/--whitelist or -a/-w
              A file of IP addresses to always accept mail from.  This could
              be used to add exceptions for sites that forward mail to your
              site but don't do sender-rewriting.  A hash mark starts a
              comment, and blank lines are ignored.

       --recipientmx or	-r
              Before doing the regular SPF check, this option says to first
              check if the sending system is an MX-secondary for the
              recipient.  If it is, then the regular SPF check is not done and
              the message gets an automatic "pass".  If there are multiple
              recipients, then this MX check gets done for each of them.  The
              assumption here is that your MX-secondaries are themselves
              running SPF and have already done the real check when they
              initially received the message.

       --explanation or	-e
              The explanation message that gets returned in mail bounce
              messages.  If a site's SPF record has an "exp=" declaration,
              then that gets used; if the site doesn't specify one, then this
              gets used.  And if you don't specify this option then there's a
              standard default message.

       --markonly or -m
              Normally spfmilter rejects mail that fails the SPF test and
              accepts other mail, adding a Received-SPF header with an
              explanation.  This flag tells spfmilter to also accept mail that
              fails the test, and add the Received-SPF header to that too.  A
              later layer of the mail delivery process, such as procmail, can
              look for this header and handle the mail appropriately.

       --user or -u
              The user to switch to after starting up as root.  This is just
              for convenience; there is no need to start the program as root,
              and if you want to switch users external to this program via su,
              that will work fine.

       --pidfile or -p
              Write the process ID to the specified file.

       --nodaemon or -X
	      With this	flag, spfmilter	will not fork itself into a background
	      process.	Normally it does fork itself.

       --debug or -d
	      Turns on debugging messages in the SPF  library.	 You  probably
	      want  to	use  --nodaemon	 with  this, or	the messages might get
	      lost.
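
       The following shell function is an added example, not part of spfmilter
       or of this manual page. It reads a file in the --fallback format
       described above and lists every entry whose pattern covers a given
       domain, so you can audit which mechanisms a rule-less sender would be
       checked against. The function names, the sample file contents and the
       lower-case comparison are assumptions; the page does not say which
       entry takes precedence when several match, so all of them are printed.

```shell
#!/bin/sh
# Added example, not part of spfmilter. Audits a --fallback file:
#   <wildcard pattern (? and *)> <whitespace> <SPF mechanisms>
# '#' starts a comment; blank lines are ignored.

# Constructed sample file for illustration only.
write_sample_fallback() {
    cat > "$1" <<'EOF'
# pattern           mechanisms for rule-less domains
*.example.net       +a/24 +mx ~all
mail?.example.org   +mx -all
*                   +a/24 +mx/24 +ptr ~all   # same effect as --guess
badline
EOF
}

# fallback_matches FILE DOMAIN
# Prints "LINE<TAB>PATTERN<TAB>MECHANISMS" for every entry covering DOMAIN;
# returns 1 if none does. Entries without mechanisms are reported on stderr.
# Assumption: names are compared in lower case.
fallback_matches() {
    fm_file=$1
    fm_domain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    fm_status=1
    fm_n=0
    while IFS= read -r fm_line || [ -n "$fm_line" ]; do
        fm_n=$((fm_n + 1))
        fm_line=${fm_line%%#*}              # strip trailing comment
        set -f; set -- $fm_line; set +f     # split on whitespace, no globbing
        [ $# -eq 0 ] && continue            # blank or comment-only line
        fm_pat=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        shift
        if [ $# -eq 0 ]; then
            echo "line $fm_n: pattern '$fm_pat' has no mechanisms" >&2
            continue
        fi
        case $fm_domain in                  # unquoted: treated as a wildcard
            $fm_pat)
                printf '%s\t%s\t%s\n' "$fm_n" "$fm_pat" "$*"
                fm_status=0 ;;
        esac
    done < "$fm_file"
    return $fm_status
}
```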

INSTALLATION
       This is very abbreviated, intended mainly as a reminder for those who
       have worked with milters before.  If it's your first milter, you should
       look on the web for more thorough documentation.  Also, these
       instructions are pretty specific to FreeBSD, and will have to be
       adapted for other OSs.

       1)     Make  sure  your	sendmail  is  compiled with the	MILTER option.
	      (Starting	with version 8.13 this is enabled  by  default.)   You
	      can use this command to check:
		  sendmail -d0.1 -bt < /dev/null | grep	MILTER
	      If  you  don't  see  MILTER in the compilation options, you will
	      have to re-build sendmail.

       2)     Fetch, build, and	install	either libspf (http://www.libspf.org/)
	      or libspf2 (http://www.libspf2.org/).

       3)     Build and install the spfmilter executable, by doing a
              './configure ; make ; make install'.

       4)     Edit your	sendmail.mc and	add a mail filter macro, for example:
		  INPUT_MAIL_FILTER(`spfmilter',`S=unix:/var/run/spfmilter.sock')
	      Rebuild and install sendmail.cf.

       5)     Run spfmilter, with the same socket argument you used in
              sendmail.mc:
		  # spfmilter unix:/var/run/spfmilter.sock

       6)     Stop and re-start	sendmail.

       7)     Look in /var/log/maillog for messages from spfmilter.

       8)     When you've verified  that  it's	working,  add  lines  to  your
	      /etc/rc.conf so it starts	up at boot time:
		  spfmilter_enable="YES"
		  spfmilter_socket="unix:/var/run/spfmilter.sock"

AUTHOR
       Copyright  (C)  2004,2025  by  Jef  Poskanzer <jef@mail.acme.com>.  All
       rights reserved.

				 12 June 2020			  spfmilter(1)
