sfcmilter - sender-forgery-checker mail filter module

Fetch version 0.63. Release notes.
This software is still in beta test. Use at your own risk. Current status:
  • Installed and running on acme.com under fairly heavy load.
  • Evaluating false-positive cases.

Sendmail includes a facility for plugging in custom mail filters, called milters. It's documented here. Sfcmilter is a plug-in that checks whether the SMTP-level mail sender is the same as the headers-level mail sender. It is intended to be used in conjunction with spfmilter. Spfmilter only checks the sender address in the SMTP transaction - that's not a bug, it's just how SPF is defined. But it does leave you open to messages which use an honest SMTP-level address but fake the address in the message itself. Sfcmilter closes this hole by checking that the address in the message matches the address in the SMTP transaction.

Since spfmilter doesn't need to look at the message body, it's more efficient to run; therefore, you should run spfmilter first. Any messages that spfmilter lets through then get checked by sfcmilter, and if they are possible forgeries sfcmilter will add a header saying "X-Sender-Check: possibly forged". Then a third layer of the delivery process, such as bogofilter or spamassassin, can look for that header and weigh it appropriately to decide if the message is junk or not.


False Positives

There are some cases where email legitimately has different SMTP-sender and header-sender. Sfcmilter will incorrectly mark these cases as possible forgeries - false positives. That's why we can't have this milter simply block mail, and instead we use it as one input of many to a later filter layer. The theory is that the filter layer will be able to tell from other aspects of these messages that they are legitimate. Some of the known false-positive cases are:

Mailing lists that do re-mailing, which are more common these days, will not trigger the possible-forgery warning.


Release Notes

Version 0.63, 16jul2014:

Version 0.62, 20jun2005:

Version 0.61, 12feb2005:

Version 0.60, 11feb2005:

Version 0.51, 14sep2004:

Version 0.50, 14sep2004:


Installation

This is very abbreviated, intended mainly as a reminder for those who have worked with milters before. If it's your first milter, you should look on the web for more thorough documentation. Also, these instructions are pretty specific to FreeBSD, and will have to be adapted for other OSs.

  1. Make sure your sendmail is compiled with the MILTER option. (Starting with version 8.13 this is enabled by default.) You can use this command to check:
    
    sendmail -d0.1 -bt < /dev/null | grep MILTER
            
    If you don't see MILTER in the compilation options, you will have to re-build sendmail.
  2. Build and install the sfcmilter executable, by doing a 'make ; make install'.
  3. Edit your sendmail.mc and add a mail filter macro, for example:
    
    INPUT_MAIL_FILTER(`sfcmilter',`S=unix:/var/run/sfcmilter.sock, T=S:4m;R:4m')
            
    Rebuild and install sendmail.cf.
  4. Run sfcmilter, with the same socket argument you used in sendmail.mc:
    
    # sfcmilter unix:/var/run/sfcmilter.sock
            
  5. Stop and re-start sendmail.
  6. Look in /var/log/maillog for messages from sfcmilter.
  7. When you've verified that it's working, add lines to your /etc/rc.conf so it starts up at boot time:
    
    sfcmilter_enable="YES"
    sfcmilter_flags=""
    sfcmilter_socket="unix:/var/run/sfcmilter.sock"
            

See also: spfmilter, blackmilter, graymilter, sample_milter.
ACME Labs / Software / sfcmilter
email