blackmilter - blacklist mail filter module

Sendmail includes a facility for plugging in custom mail filters, called milters. It's documented here. Blackmilter implements a blacklist of IP addresses which are not permitted to send mail to this host. Any mail attempts from blacklisted addresses are rejected immediately upon connection, before the mail gets transmitted.

This could also be accomplished by turning the blacklists into a set of firewall rules for port 25. However, current firewall implementations process their rules sequentially, one by one. If you have a lot of hosts you want blocked, this is too costly. Blackmilter stores the IP addresses in a data structure that is both fast and reasonably compact. If you wanted to, you could block millions of addresses quite efficiently.

A more reasonable alternative is the access database built into sendmail. However, benchmarking shows that blackmilter is much faster at this task - from thirty to sixty times faster. Same for using a DNS-based RBL - blackmilter is vastly faster. If you are getting a lot of mail and blocking a lot of IP addresses, this can make a difference. Also blackmilter has some advantages in flexibility, such as the autoupdate and socket update features.

Blackmilter does not specify any particular blacklisting policy. It is merely a clean and simple tool to let you efficiently implement whatever policy you choose.

Release Notes

Version 2.001, 25feb2015:

• IPv6 portability fix.

Version 2.0, 10feb2015:

• Updated to the current milter API.
• Updated the FreeBSD rc.conf script to modern standards.
• Replaced the underlying data structure with one that handles IPv6.
• Got rid of the -threshold option.

Version 0.81, 14aug2014:

• A few more cleanups.

Version 0.80, 16jul2014:

• Added the long-promised-but-not-previously-implemented realtime update socket code (Eric Murray).
• Added pidfile.
• Updated for clang, and general cleanup.

Version 0.75, 03aug2005:

• Changed the regular SMTP response code used in -graylist mode from 450 to 421. (Jobst Schmalenbach)

Version 0.74, 20jun2005:

• Deal with the unknown-family connections which occasionally show up on some OSs, such as Solaris. (Joel Lord)i

Version 0.73, 08jun2005:

• Added include of signal.h.

Version 0.72, 06jun2005:

• Changed the enhanced response code used in -graylist mode from 4.3.0 back to 4.3.2.

Version 0.71, 31may2005:

• Changed the enhanced response code used in -graylist mode from 4.3.2 to 4.3.0.

Version 0.70, 09dec2004:

• Added a flag to log which blacklist/whitelist got hit, instead of just a generic rejected/accepted log entry. This costs a few more CPU cycles to run but provides valuable data on which lists are being effective.

Version 0.60, 14sep2004:

• Added autoconf stuff.

Version 0.50, 26may2004:

• First release.

Installation

This is very abbreviated, intended mainly as a reminder for those who have worked with milters before. If it's your first milter, you should look on the web for more thorough documentation. Also, these instructions are pretty specific to FreeBSD, and will have to be adapted for other OSs.

1. Make sure your sendmail is compiled with the MILTER option. (Starting with version 8.13 this is enabled by default.) You can use this command to check:

   
   sendmail -d0.1 -bt < /dev/null | grep MILTER
           

   If you don't see MILTER in the compilation options, you will have to re-build sendmail.
2. Build and install the blackmilter executable, by doing a 'make install'.
3. Edit your sendmail.mc and add a mail filter macro, for example:

   
   INPUT_MAIL_FILTER(`blackmilter',`S=unix:/var/run/blackmilter.sock')
           

   Rebuild and install sendmail.cf.
4. Run blackmilter, with your blacklist args and the same socket argument you used in sendmail.mc:

   
   # blackmilter -b /etc/smtp_blacklist unix:/var/run/blackmilter.sock
           

5. Stop and re-start sendmail.
6. Look in /var/log/maillog for messages from blackmilter.
7. When you've verified that it's working, add lines to your /etc/rc.conf so it starts up at boot time:

   
   blackmilter_enable="YES"
   blackmilter_flags="-a -b /etc/smtp_blacklist"
   blackmilter_socket="unix:/var/run/blackmilter.sock"
           

See also: spfmilter, sfcmilter, graymilter, sample_milter.
ACME Labs / Software / blackmilter