What is spfmilter?

spfmilter is a Sender Policy Framework (SPF) mail filter (milter) for Sendmail on FreeBSD. It makes Sendmail reject mail that was sent from a mail server the sending domain's policy does not allow. spfmilter is the other half of the framework: the domain owner publishes the policy, and the receiving mail server enforces it.

Example of a CEO scam email being constructed with false sender header fields in the Alpine mail client. Sender Policy Framework (SPF) prevents this kind of domain abuse.

Install spfmilter for Sendmail on FreeBSD

Search for spfmilter in the package repository.

# pkg search spf
spfmilter-2.001_2 SPF milter for sendmail

Install spfmilter.

# pkg install spfmilter
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
libspf2: 1.2.11_2
spfmilter: 2.001_2
144 KiB to be downloaded.

Configure spfmilter.

# nano /etc/mail/

Configure FreeBSD to run spfmilter as a service

Configure spfmilter as a service in FreeBSD. This is documented on the official website of spfmilter.

# service -l | grep spf
spfmilter
# nano /etc/rc.conf
spfmilter_enable="YES"
spfmilter_socket="unix:/var/run/spfmilter.sock"
# service spfmilter start
Starting spfmilter.
# grep spfmilter /var/log/maillog
Nov 17 13:37:55 foo spfmilter[34074]: spfmilter 2.001 with libspf2-1.2.11 starting

Configure Sendmail to use spfmilter

Configure Sendmail to use spfmilter. This is documented on the official website of spfmilter.

# cd /etc/mail
# cp `hostname`.mc `date -I`-`hostname`.mc
# nano `hostname`.mc
INPUT_MAIL_FILTER(`spfmilter',`S=unix:/var/run/spfmilter.sock')
# make
/usr/bin/m4 -D_CF_DIR_=/usr/share/sendmail/cf/ /usr/share/sendmail/cf/m4/cf.m4 foo.micski.dk.mc > foo.micski.dk.cf
# make install
install -m 444 foo.micski.dk.cf /etc/mail/sendmail.cf
install -m 444 foo.micski.dk.submit.cf /etc/mail/submit.cf
# service sendmail restart
Stopping sendmail.
Starting sendmail.
# tail /var/log/maillog | grep sm-m
Nov 17 13:37:08 foobar sm-mta[37327]: starting daemon (8.18.1): SMTP+queueing@00:30:00
Nov 17 13:37:08 foobar sm-msp-queue[37341]: starting daemon (8.18.1): queueing@00:30:00

Test spfmilter

If regular email still works after the installation, it is time to test spfmilter.

In this example, I try to forge an email so that it appears to come from Microsoft, a domain that has an SPF policy. spfmilter rejects it.

$ telnet foo.micski.dk 587
220 foo.micski.dk ESMTP Sendmail 8.18.1/8.18.1; Sun, 17 Nov 2024 13:37:51 +0100 (CET)
HELO microsoft.com
250 foo.micski.dk Hello [13.37.13.37], pleased to meet you
MAIL From:<>
550 5.7.1 <>... fail

The rejection by spfmilter can be confirmed in the mail log.

# tail /var/log/maillog
Nov 17 13:37:56 foo sm-mta[38143]: 4AGNbZ2E038143: milter=spfmilter, action=helo, continue
Nov 17 13:38:28 foo sm-mta[38143]: 4AGNbZ2E038143: Milter: sender:
Nov 17 13:38:28 foo spfmilter[34074]: rejecting mail from [13.37.13.37] - fail
Nov 17 13:38:28 foo sm-mta[38143]: 4AGNbZ2E038143: milter=spfmilter, action=mail, reject=550 5.7.1 fail
Nov 17 13:38:28 foo sm-mta[38143]: 4AGNbZ2E038143: Milter: from=, reject=550 5.7.1 fail

In general, future rejections can be listed from the mail log.

# grep spfmilter /var/log/maillog | grep rejecting
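
To go one step beyond the grep above, the following added example (not part of the original guide or of spfmilter) tallies rejections per client IP and SPF result, so that repeated spoofing attempts from one source stand out. The function names and the sample log lines are constructed for illustration, and it assumes every rejection is logged in the "rejecting mail from [IP] - RESULT" form shown above.

```shell
#!/bin/sh
# Added example: summarise spfmilter rejections per client IP and SPF result.
# Reads syslog-format mail log lines on stdin and prints "count ip result",
# with the most frequently rejected source first.
spf_reject_summary() {
    awk '
        # Only accept lines whose syslog program field is spfmilter[PID]:
        # so the matching "milter=spfmilter ... reject" lines that sm-mta
        # logs for the same event are not counted a second time.
        $5 ~ /^spfmilter\[[0-9]+\]:$/ && /rejecting mail from \[/ {
            ip = $0
            sub(/^.*rejecting mail from \[/, "", ip)   # "IP] - RESULT"
            result = ip
            sub(/\].*$/, "", ip)                       # keep the IP
            sub(/^.*\] - /, "", result)                # keep the result
            count[ip " " result]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log lines (documentation IP ranges), modelled on the
# log format shown in this guide. Assumption: not real traffic.
sample_log() {
    cat <<'EOF'
Nov 17 13:37:55 foo spfmilter[34074]: spfmilter 2.001 with libspf2-1.2.11 starting
Nov 17 13:38:28 foo spfmilter[34074]: rejecting mail from [192.0.2.10] - fail
Nov 17 13:38:28 foo sm-mta[38143]: 4AGNbZ2E038143: milter=spfmilter, action=mail, reject=550 5.7.1 fail
Nov 17 14:05:40 foo spfmilter[34074]: rejecting mail from [198.51.100.7] - fail
Dec  2 08:15:02 foo spfmilter[34074]: rejecting mail from [192.0.2.10] - fail
EOF
}

# Demo run on the sample; on a live system use:
#   spf_reject_summary < /var/log/maillog
sample_log | spf_reject_summary
```
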
