Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
batv-filter(8)		    System Manager's Manual		batv-filter(8)

       batv-filter - BATV (Bounce Address Tag Validation) filter for sendmail

       batv-filter -p socketspec -k key	[-a allowlist] [-A] [-b] [-c conffile]
       [-d domainlist] [-D debuglevel] [-f] [-i	ilist] [-l] [-m	mtaname[,...]]
       [-M macro[=value][,...]]	[-n] [-P pidfile] [-q] [-r] [-s] [-S] [-t ttl]
       [-u user] [-v version] [-V] [-x]

       batv-filter implements the experimental Bounce Address  Tag  Validation
       specification  as  a means to filter mail which claims to come from the
       local domain which in fact does not.

       For details regarding the proposal, consult the draft text.

       -a allowlist
	      Identifies a file	of envelope addresses which should be  immedi-
	      ately  allowed  (not processed) by the filter.  Matching is done
	      on both sender (MAIL FROM) and recipient	(RCPT  TO)  addresses.
	      The  hash	 character  ("#")  denotes comments in the usual shell
	      script style; data after a hash character	on any given  line  is
	      ignored.	 Blank	lines  are  also ignored.  The entries in this
	      file may include wildcard	("*") characters.

       -A     Automatically re-start on	failures.  Use with  caution;  if  the
	      filter  fails  instantly after it	starts,	this can cause a tight
	      fork(2) loop.

       -b     By default, arriving messages  addressed	to  users  in  domains
	      listed by	the -d option must be signed if	they are bounces (i.e.
	      empty envelope sender) but not otherwise;	 bounces  to  unsigned
	      addresses	 will  be rejected.  This option applies the verifica-
	      tion to all envelope senders, not	just the empty sender.

       -c conffile
	      Names a configuration file to be read after command  line	 argu-
	      ments are	processed.  Values on the command line generally over-
	      ride those found	in  the	 configuration	file.	See  batv-fil-

       -d domainlist
	      Specifies	 a  comma-separated  list  of  domain names whose mail
	      should be	signed and verified by this filter.  Specify all  pos-
	      sible subdomains by prefixing a dot (".")	to the appropriate en-
	      tries.  If no domains are	specified, mail	 for  all  domains  is
	      signed.	See  also  the	-i option below.  This may also	be the
	      path to a	file containing	entries	in the domain  list,  one  per
	      line.  Blank lines and those beginning with a hash ("#") charac-
	      ter will be ignored.

       -D debuglevel
	      Requests milter debugging	at the specified debug level.

       -f     Suppresses the call to fork(), so	that the filter	 runs  in  the

       -h     Causes  batv-filter  to  add a header indicating the presence of
	      this filter in the path of the message from injection to	deliv-
	      ery.   The  product's name, version, and the job ID are included
	      in the header's contents.

       -i ilist
	      Specifies	a file which contains a	 list  of  hostnames,  IP  ad-
	      dresses or CIDR-style IP specifications (e.g. "").
	      Mail coming from these sources should be signed rather than  be-
	      ing  verified.  See also the -d option above.  If	unspecified, a
	      single-entry list	referring to "" is assumed.

       -k key Specifies	the file in which to find the  key  to	be  used  when
	      signing  outgoing	mail and verifying arriving mail.  The key can
	      be any arbitrary text string and should  appear  one  the	 first
	      line of this file.

       -l     Log via calls to syslog(3) any interesting activity.

       -m mtaname[,...]
	      A	 comma-separated  list of MTA names (a la the sendmail(8) Dae-
	      monPortOptions Name parameter) whose mail	should	be  signed  by
	      this filter.  If not set,	the MTA	name is	not used when deciding
	      whether or not a message should be signed.

       -M macro[=value][,...]
	      Defines a	set of MTA-provided macros which should	be checked  to
	      see  if  the  sender  has	been determined	to be a	local user and
	      therefore	whether	or not the message should  be  signed.	 If  a
	      value  is	specified, the value of	the macro must match the value
	      specified	(matching is case-insensitive),	 otherwise  the	 macro
	      must  be	defined	but may	contain	any value.  Multiple tests may
	      be specified, separated by commas.  The set is empty by default,
	      meaning  macros are not used when	deciding whether or not	a mes-
	      sage should be signed.

	      The general format of the	string is test1[,test2[,...]]  where a
	      "test"  is  of the form macro[=value1[|value2[|...]]]; if	one or
	      more value is defined then the macro must	be set to one  of  the
	      listed  values,  otherwise the macro must	be set but can contain
	      any value.

       -n     Don't reject things which	fail validation.

       -p socketspec
	      Specifies	the socket that	should be established by the filter to
	      receive  connections  from  sendmail(8) in order to provide ser-
	      vice.  socketspec	is in one of two forms:	local:path which  cre-
	      ates   a	 UNIX	domain	 socket	 at  the  specified  path,  or
	      inet:port[@host] which creates a TCP  socket  on	the  specified
	      port.   If  the  host is not given as either a hostname or an IP
	      address, the socket will be listening on all  interfaces.	  This
	      option is	mandatory.

       -P pidfile
	      Writes  the process ID of	the filter, once started, to the file-
	      name given.

       -q     Quarantine messages whose	signatures fail	to  verify,  or	 which
	      should have had a	signed envelope	but did	not.

       -r     Do not reject mail that fails to validate.  Also,	add an Authen-
	      tication-Results header to mail coming  through  the  filter  so
	      that  downstream	filters	or MUAs	can decide what	action to take
	      based on what this filter	observed.

       -s     Causes mail from clients authenticated to	the MTA	to be  ignored
	      (passed)	by the filter.	The default is to process even authen-
	      ticated messages.

       -S     Requests that the	MTA provide meaningful SMTP reply  codes  when
	      rejecting	messages rather	than their un-descriptive defaults.

       -t ttl Specifies	that signatures	expire after ttl days.	The default is

       -u userid
	      Attempts to be come the specified	userid before starting	opera-

       -v version
	      Sets  the	key version to version.	 The default is	zero.  Must be
	      an integer from 0	to 9.  Only signatures	matching  the  current
	      version are considered valid, even if the	signature would	other-
	      wise validate.

       -V     Print the	version	number and exit	without	doing anything else.

       -x     Activates	an experimental	Sendmail variant of BATV.  See the LO-
	      CAL MODIFICATIONS	section	below for details.

       A  message will be verified unless it conforms to the signing criteria,
       which are: (1) the domain on the	envelope sender	address	must be	listed
       by the -d command line switch, and (2) the client connecting to the MTA
       must (a)	have authenticated, or (b) be listed in	the file referenced by
       the -i command line switch.

       Adding  -x to the command line will cause the filter to sign and	verify
       using a Sendmail, Inc. variant of BATV.	This  method  uses  the	 basic
       idea  of	 BATV  but appends the tag rather than prepending it, and uses
       the "+" character instead of the	"=" character to separate the BATV tag
       from  the  actual address.  This	is more	compatible with	configurations
       and filters that	accomodate the existing	MTA-supported address  tagging
       system which has	been around since at least the mid 1990s.

       This man	page covers version 0.5.0 of batv-filter.

       Copyright  (c)  2007-2009 Sendmail, Inc.	and its	suppliers.  All	rights

       batv-filter.conf(5), sendmail(8)

       Sendmail	Operations Guide

       RFC2821 - Simple	Mail Transfer Protocol

       RFC5451 - Message Header	Field for  Indicating  Message	Authentication

				Sendmail, Inc.			batv-filter(8)


Want to link to this manual page? Use this URL:

home | help