Repfilter imposes restrictions on the following data in the sender's message:
- Envelope address
- Email address in the From header
- Real name in the From header
- Email address in the Reply-to header
- Email address in the Sender header
For each of the above items, Repfilter decides whether it is permissible and accepts or rejects the message accordingly. Repfilter may optionally correct an invalid header so as to make the message acceptable, again according to policy.
For one of the above items to be considered valid, Repfilter checks for membership in predefined sets. Currently the following sets are defined:
- permitted addresses
- permitted real names
- authorized pairs of addresses and real names
- reply-to addresses
The contents of these sets are retrieved from the LDAP directory.
As we said, the main goal is to place restrictions on the presentation of the sender's identity. It is natural, therefore, that the From header is the main focus of the filter's attention.
For each address appearing in the From header the filter will
- check if the full address specification is found in the authorized set of addresses. If so the address is considered permissible and remains in the header.
- check if the address is found in the permitted set of addresses. If not then, depending on policy, the address is either deleted or the message is rejected.
- check if the real name is found in the permitted set of names. If not then, depending on policy, the name is corrected, the address is deleted or the message is rejected.
- if the address name was corrected then the full address is considered permissible and remains in the header.
After all these steps are iterated for each address without fault, the From header will be rewritten with all the addresses that remain.
For a diagrammatic explanation of the logic see Figure 1.
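The From header steps above, sketched in Python as an added example (not Repfilter's own code). The set contents, the `DEFAULT_NAMES` correction table, the policy keyword names and the rejection of a header left with no addresses are assumptions made for illustration.

```python
from email.utils import formataddr, getaddresses

# Constructed sample sets; Repfilter retrieves the real ones from LDAP.
AUTHORIZED_PAIRS = {("alice@example.org", "Alice Doe")}
PERMITTED_ADDRESSES = {"alice@example.org", "helpdesk@example.org"}
PERMITTED_NAMES = {"Alice Doe", "Help Desk"}
# Assumption: a name that fails the check is corrected to a per-address default.
DEFAULT_NAMES = {"alice@example.org": "Alice Doe",
                 "helpdesk@example.org": "Help Desk"}


class Rejected(Exception):
    """Raised when policy says the message must be rejected."""


def filter_from(header, bad_address="reject", bad_name="correct"):
    """Return the rewritten From value or raise Rejected.

    Hypothetical policy keywords: bad_address is "delete" or "reject",
    bad_name is "correct", "delete" or "reject".
    """
    kept = []
    for name, addr in getaddresses([header]):
        # Full address specification is an authorized pair: keep as is.
        if (addr, name) in AUTHORIZED_PAIRS:
            kept.append((name, addr))
            continue
        # Address must be in the permitted set.
        if addr not in PERMITTED_ADDRESSES:
            if bad_address == "reject":
                raise Rejected(f"address not permitted: {addr!r}")
            continue  # policy "delete": drop this address
        # Real name must be in the permitted set.
        if name not in PERMITTED_NAMES:
            if bad_name == "reject":
                raise Rejected(f"real name not permitted: {name!r}")
            if bad_name == "delete":
                continue
            name = DEFAULT_NAMES[addr]  # corrected, so the address stays
        kept.append((name, addr))
    if not kept:
        # Assumption: a From header with no surviving address is rejected.
        raise Rejected("no permitted address left in From header")
    return ", ".join(formataddr(pair) for pair in kept)
```

Following the steps as listed, `Help Desk <alice@example.org>` passes unchanged in this sketch, because the address and the name are each in a permitted set even though the pair is not authorized.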
Each message coming through sendmail has an envelope address. This is made accessible to Repfilter via the {f} configuration macro. Repfilter will check that this address belongs either to the authorized addresses or to the permitted addresses. If the check is successful, the envelope remains as is. Otherwise the message is rejected. This behaviour is not configurable.
If a Reply-to header occurs in the message headers, Repfilter checks that the address it contains belongs to the set of reply-to addresses. If that is not the case, policy dictates whether Repfilter deletes the header or rejects the message.
Repfilter will modify the message headers so that there is always a Sender header that contains a default email address of the sender. This behaviour is configurable by the addsender configuration variable.