What is spfmilter?
spfmilter is a Sender Policy Framework (SPF) mail filter module for Sendmail on FreeBSD. spfmilter makes Sendmail reject mail, that has been sent from a mail server, that is not allowed by the policy for the domain. spfmilter s the other half of the framework.
Install spfmilter for Sendmail on FreeBSD
Search for spfmilter in the package repository.
# pkg search spf
spfmilter-2.001_2 SPF milter for sendmail
Install the spfmilter.
# pkg install spfmilter
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
libspf2: 1.2.11_2
spfmilter: 2.001_2
144 KiB to be downloaded.
Configure spfmilter.
# nano /etc/mail/
Configure FreeBSD to run spfmilter as a service
Configure spfmilter as a service in FreeBSD. This is documented on the official website of spfmilter.
# service -l | grep spf
spfmilter
# nano /etc/rc.conf
spfmilter_enable="YES"
spfmilter_socket="unix:/var/run/spfmilter.sock"
# service spfmilter start
Starting spfmilter.
# grep spfmilter /var/log/maillog
Nov 17 13:37:55 foo spfmilter[34074]: spfmilter 2.001 with libspf2-1.2.11 starting
Configure Sendmail to use spfmilter
Configure Sendmail to use spfmilter. This is documented on the official website of spfmilter.
# cd /etc/mail
# cp `hostname`.mc `date -I`-`hostname`.mc
# nano `hostname`.mc
INPUT_MAIL_FILTER(`spfmilter',`S=unix:/var/run/spfmilter.sock')
# make
/usr/bin/m4 -D_CF_DIR_=/usr/share/sendmail/cf/ /usr/share/sendmail/cf/m4/cf.m4 foo.micski.dk.mc > foo.micski.dk.cf
# make install
install -m 444 foo.micski.dk.cf /etc/mail/sendmail.cf
install -m 444 foo.micski.dk.submit.cf /etc/mail/submit.cf
# service sendmail restart
Stopping sendmail.
Starting sendmail.
# tail /var/log/maillog | grep sm-m
Nov 17 13:37:08 foobar sm-mta[37327]: starting daemon (8.18.1): SMTP+queueing@00:30:00
Nov 17 13:37:08 foobar sm-msp-queue[37341]: starting daemon (8.18.1): queueing@00:30:00
Test spfmilter
If regular email works after the installation, it is time to test the spfmilter.
In this example, I will try to forge an email to appear being from Microsoft, that has an SPF. It gets rejected by the spfmilter.
$ telnet foo.micski.dk 587
220 foo.micski.dk ESMTP Sendmail 8.18.1/8.18.1; Sun, 17 Nov 2024 13:37:51 +0100 (CET)
HELO microsoft.com
250 foo.micski.dk Hello [13.37.13.37], pleased to meet you
MAIL From:<>
550 5.7.1 <>... fail
The rejection by spfmilter can be confirmed by the mail log.
# tail /var/log/maillog
Nov 17 13:37:56 foo sm-mta[38143]: 4AGNbZ2E038143: milter=spfmilter, action=helo, continue
Nov 17 13:38:28 foo sm-mta[38143]: 4AGNbZ2E038143: Milter: sender:
Nov 17 13:38:28 foo spfmilter[34074]: rejecting mail from [13.37.13.37] - fail
Nov 17 13:38:28 foo sm-mta[38143]: 4AGNbZ2E038143: milter=spfmilter, action=mail, reject=550 5.7.1 fail
Nov 17 13:38:28 foo sm-mta[38143]: 4AGNbZ2E038143: Milter: from=, reject=550 5.7.1 fail
In generel, future rejects can be listed from the mail log.
# grep spfmilter /var/log/maillog | grep rejecting
References
- spfmilter
- spfmilter on Freshports
- How to configure SPF policy record in BIND DNS
- How to install OpenDKIM for Sendmail on FreeBSD
Attribution and sharing.
Feel free to link to this guide, if you find it useful. Contributions and feedback is always appreciated.