Sendmail.cf
To use Repfilter you must define it as an input filter in your sendmail configuration file. Also Repfilter needs access to three configuration macros ({f}, {auth_authen}, {auth_author}). So if you are generating it from a .mc file then you must add the following lines to your .mc:
INPUT_MAIL_FILTER(`repfilter', `S=local:/path/to/repfilter.sock, F=R')
define(`confMILTER_MACROS_ENVFROM', `f, {auth_authen}, {auth_author}')
or the following lines directly in the sendmail.cf file:
Xrepfilter, S=local:/path/to/repfilter.sock, F=R
Milter.macros.envfrom=f, {auth_authen}, {auth_author}
where
/path/to/repfilter.sock
is the path of the socket that repfilter will rendevouz with the MTA. Note that if you also have other milters running, more macros may be needed in the ENVFORM definition.
Repfilter.cf
Repfilter uses a plain text configuration file. Everything that is configurable is controled through different configuration variables. Each line in the configuration file can either be a comment (beginning with the hash '#' symbol) or it can be a configuration variable. Each non-comment, non-empty line begins with a variable name immediately followed by the colon symbol ':'. Spaces before the variable name and after the colon are ignored. The rest of the line may contain values of different types, depending on the type of variable. Below is an explanation of each variable:
- milter_socket: string
- Path to the unix socket that repfilter will use to communicate with the sendmail daemon
- milter_timeout: integer
- Sets the number of seconds libmilter will wait for a connection from the MTA (sendmail) before timing out a socket. The default value is 7210 seconds
- servers: string
- Comma delimited list of LDAP servers that Repfilter should try to query for sender information.
- bind_dn: string
- LDAP bind DN (distinguished name) that Repfilter will use to bind to the LDAP servers.
- bind_pw: string
- LDAP password that Repfilter will use to authenticate to the LDAP servers.
- ldap_version: {2,3}
- Version of the LDAP protocol that should be used by the underlying LDAP library. Defaults to "3"
- search_base: string
- Search base for Repfilters LDAP queries.
- filter: string
- Search filter for Repfilters LDAP queries. Any occurence of the token "%u" will be substituted with the userid that is authenticated or authorized by sendmail. Defaults to "(uid=%u)".
- ldap_timeout: integer
- The amount of seconds that a connection to the LDAP server will take to timeout. Defaults to 5 seconds.
- size_limit: integer
- The maximum number of entries that the LDAP servers should return to a query. Defaults to 1.
- time_limit: integer
- The maximum number of seconds to spend on a LDAP query. Defaults to 5.
- ldap_deref: {search|find|always|never}
- Specify how LDAP aliases are handled. The option is passed straight to the underlying LDAP library as the LDAP_OPT_DEREF option.
- search means aliases are dereferenced during the search but not when locating the base object of the search.
- find means aliases are dereferenced when locating the base object but not during the search.
- always means aliases are always dereferenced.
- never means aliases are never dereferenced.
Defaults to "never".
- ldap_restart: {0|1}
- Specify if Repfilter should reconnect to a LDAP server with whom communication has been interrupted. Defaults to "1".
- ldap_scope: {one|base|tree}
- Specify the scope of the LDAP query.
- one means only one level below the base.
- base means only on the base entry.
- tree means all entries below the base entry.
Defaults to "tree".
- ldap_port: integer
- Specify the port that the LDAP server should be contacted. Defaults to 389.
- from_address_policy: {accept|delete|reject}
- Specify what Repfilter will do when it encounters an invalid address in the From header. A value of "accept" means the address will be accepted. A value of "delete" means it will be removed from the header. A value of "reject" means that the message will be rejected. Defaults to "reject".
- replyto_policy: {accept|delete|reject}
- Specify what Repfilter will do when it encounters an invalid address in the Reply-to header. Semantics are the same for the from_address_policy option. Defaults to "accept".
- common_name_policy: {accept|correct|delete|reject}
- Specify what Repfilter will do when it encounters an invalid name in the From header. A value of "accept" means the name will be accepted. A value of "correct" means that a default name (the value of the attr_common_name LDAP attribute) will be substituted. A value of "delete" means that the name and the address will be deleted. A value of "reject" means that the message will be rejected. Defaults to "correct".
- attr_common_name: string
- The name of the LDAP attribute that contains the common form of the full name of the sender. Defaults to "cn".
- attr_mail: string
- The name of the LDAP attribute that contains the default email address of the sender. Defaults to "mail".
- attr_alt_mail: string
- The name of the LDAP attribute that contains a list of alternate email addresses of the sender. Defaults to "mailAlternateAddress".
- attr_authed_mail: string
- The name of the LDAP attribute that contains a list of name/address pairs explicitly authorized to be used by the sender. They should be of the form usually accepted in email headers (i.e. "name "). Defaults to "mailAuthorizedAddress".
- attr_replyto: string
- The name of the LDAP attribute that contains a list of addresses that the user is explicitly authorized to use in the Reply-to header. Defaults to "mailAuthorizedReplyTo".
- attr_cn_default: string
- A country code that indicates which languages version of the common name will be used as the default name. Defaults to 'en' for english. Currently this only works for english, so this is a pretty useless option until I get around to adding support for other languages.
- addsender: {yes|no}
- Toggles whether repfilter will add a Sender header to each message it processes. Defaults to "yes".
- strip_whitespace_header: {yes|no}
- Toggles whether repfilter will strip extra spaces from the From header. Defaults to "yes".
- strip_whitespace_directory: {yes|no}
- Toggles whether repfilter will strip extra spaces from the attr_common_name LDAP attribute. Defaults to "no".