sfcmilter - sender-forgery-checker mail filter module

Sendmail includes a facility for plugging in custom mail filters, called milters. It's documented here. Sfcmilter is a plug-in that checks whether the SMTP-level mail sender is the same as the headers-level mail sender. It is intended to be used in conjunction with spfmilter. Spfmilter only checks the sender address in the SMTP transaction - that's not a bug, it's just how SPF is defined. But it does leave you open to messages which use an honest SMTP-level address but fake the address in the message itself. Sfcmilter closes this hole by checking that the address in the message matches the address in the SMTP transaction.

Since spfmilter doesn't need to look at the message body, it's more efficient to run; therefore, you should run spfmilter first. Any messages that spfmilter lets through then get checked by sfcmilter, and if they are possible forgeries sfcmilter will add a header saying "X-Sender-Check: possibly forged". Then a third layer of the delivery process, such as bogofilter or spamassassin, can look for that header and weigh it appropriately to decide if the message is junk or not.

False Positives

There are some cases where email legitimately has different SMTP-sender and header-sender. Sfcmilter will incorrectly mark these cases as possible forgeries - false positives. That's why we can't have this milter simply block mail, and instead we use it as one input of many to a later filter layer. The theory is that the filter layer will be able to tell from other aspects of these messages that they are legitimate. Some of the known false-positive cases are:

• Mail from systems with multiple domain names.
• Messages relayed through a Unix .forward file.
• Old-style mailing lists based on a Unix aliases file.

Mailing lists that do re-mailing, which are more common these days, will not trigger the possible-forgery warning.

Release Notes

Version 2.01, 19Oct2015:

• Avoid using strcpy for overlapping strings; use memmove instead.

Version 2.0, 10feb2015:

• Updated to the current milter API.
• Updated the FreeBSD rc.conf script to modern standards.

Version 0.64, 14aug2014:

• Some more cleanup.

Version 0.63, 16jul2014:

• Updated for clang, and general cleanup.

Version 0.62, 20jun2005:

• Deal with the unknown-family connections which occasionally show up on some OSs, such as Solaris. (Joel Lord)

Version 0.61, 12feb2005:

• Tweak to the hostname matching algorithm. No heuristics needed now, it should just work.

Version 0.60, 11feb2005:

• Added -strict flag, and made the default check be non-strict via some heuristics on the envelope-from and message-from strings.

Version 0.51, 14sep2004:

• Fixed hard-loop caused by addresses with too many right-parentheses.

Version 0.50, 14sep2004:

• First release.

Installation

This is very abbreviated, intended mainly as a reminder for those who have worked with milters before. If it's your first milter, you should look on the web for more thorough documentation. Also, these instructions are pretty specific to FreeBSD, and will have to be adapted for other OSs.

1. Make sure your sendmail is compiled with the MILTER option. (Starting with version 8.13 this is enabled by default.) You can use this command to check:

   
   sendmail -d0.1 -bt < /dev/null | grep MILTER
           

   If you don't see MILTER in the compilation options, you will have to re-build sendmail.
2. Build and install the sfcmilter executable, by doing a 'make ; make install'.
3. Edit your sendmail.mc and add a mail filter macro, for example:

   
   INPUT_MAIL_FILTER(`sfcmilter',`S=unix:/var/run/sfcmilter.sock')
           

   Rebuild and install sendmail.cf.
4. Run sfcmilter, with the same socket argument you used in sendmail.mc:

   
   # sfcmilter unix:/var/run/sfcmilter.sock
           

5. Stop and re-start sendmail.
6. Look in /var/log/maillog for messages from sfcmilter.
7. When you've verified that it's working, add lines to your /etc/rc.conf so it starts up at boot time:

   
   sfcmilter_enable="YES"
   sfcmilter_flags=""
   sfcmilter_socket="unix:/var/run/sfcmilter.sock"
           

See also: spfmilter, blackmilter, graymilter, sample_milter.
ACME Labs / Software / sfcmilter