Sendmail includes a facility for plugging in custom mail filters, called milters. It's documented here. Sfcmilter is a plug-in that checks whether the SMTP-level mail sender is the same as the headers-level mail sender. It is intended to be used in conjunction with spfmilter. Spfmilter only checks the sender address in the SMTP transaction - that's not a bug, it's just how SPF is defined. But it does leave you open to messages which use an honest SMTP-level address but fake the address in the message itself. Sfcmilter closes this hole by checking that the address in the message matches the address in the SMTP transaction.
Since spfmilter doesn't need to look at the message body, it's more efficient to run; therefore, you should run spfmilter first. Any messages that spfmilter lets through then get checked by sfcmilter, and if they are possible forgeries sfcmilter will add a header saying "X-Sender-Check: possibly forged". Then a third layer of the delivery process, such as bogofilter or spamassassin, can look for that header and weigh it appropriately to decide if the message is junk or not.
There are some cases where email legitimately has different SMTP-sender and header-sender. Sfcmilter will incorrectly mark these cases as possible forgeries - false positives. That's why we can't have this milter simply block mail, and instead we use it as one input of many to a later filter layer. The theory is that the filter layer will be able to tell from other aspects of these messages that they are legitimate. Some of the known false-positive cases are:
Mailing lists that do re-mailing, which are more common these days, will not trigger the possible-forgery warning.
Version 2.0, 10feb2015:
Version 0.64, 14aug2014:
Version 0.63, 16jul2014:
Version 0.62, 20jun2005:
Version 0.61, 12feb2005:
Version 0.60, 11feb2005:
Version 0.51, 14sep2004:
Version 0.50, 14sep2004:
This is very abbreviated, intended mainly as a reminder for those who have worked with milters before. If it's your first milter, you should look on the web for more thorough documentation. Also, these instructions are pretty specific to FreeBSD, and will have to be adapted for other OSs.
If you don't see MILTER in the compilation options, you will have to re-build sendmail.
sendmail -d0.1 -bt < /dev/null | grep MILTER
Rebuild and install sendmail.cf.
# sfcmilter unix:/var/run/sfcmilter.sock
sfcmilter_enable="YES" sfcmilter_flags="" sfcmilter_socket="unix:/var/run/sfcmilter.sock"
ACME Labs / Software / sfcmilter