This patch provides the functionality for sendmail to suppress error e-mail messages (Delivery Status Notification (DSN) messages) based on the results of Sender Policy Framework (SPF).
In our environment, we reduced outgoing error messages by about 13 percent using this patch. (This is the ratio of suppressed error messages to all e-mail error events.)
The original idea of this patch was proposed by Kazu Yamamoto in "A Proposal for Deployment of SPF". The essence of the idea (as used in this patch) is not to send error messages when the original mail's sender domain cannot be verified. For details, please read his proposal.
When an e-mail message arrives from the network, this implementation gets the SPF status from the Authentication-Results header field. When the status is Fail or SoftFail, it marks the e-mail as one for which no DSN message is needed. Therefore, even if delivery of the message fails, a DSN message will not be sent to the original sender of the e-mail message. As a result, the forged sender won't receive bogus error messages. Of course, a DSN message destined for a sender that is not forged is delivered as usual (e.g. when the sender domain doesn't have an SPF record or the SPF result is Pass).
As the implementation marks the results as e-mail headers, you can deploy this implementation in conjunction with other MX servers. Of course, you can also run both sid-milter and this implementation on the same host.
The same as Sendmail
Apply this implementation's patch to sendmail source code.
$ cd /tmp
$ tar -xzf sendmail.8.13.8.tar.gz
$ cd sendmail-8.13.8
$ patch -p1 < sm-dsn-supr-0.1.0-8.13.8.patch
Make devtools/Site/site.config.m4, and add the following build directive.
APPENDDEF(`confENVDEF', `-D_FFR_DSN_SUPR_WITH_SPF')
Compile the source files using the Build command.
$ ./Build
If compilation succeeds without trouble, install as the root user.
$ su
# ./Build install
You must specify the host name of the host which runs sid-milter.
So please add the following settings to sendmail.cf.
O SPFRecieverHostMap=spf_recv_hosts_map
Kspf_recv_hosts_map hash -T<TMPF> /etc/mail/spf_recv_hosts
Then include the host name in the file /etc/mail/spf_recv_hosts.
The /etc/mail/spf_recv_hosts file has two columns.
The left column is the host name which will appear in the Authentication-Results header,
and you can specify anything in the other column.
(Example)
mxhost.example.com enabled
After making the /etc/mail/spf_recv_hosts file, you must convert it to a db file using the makemap command.
$ makemap hash /etc/mail/spf_recv_hosts < /etc/mail/spf_recv_hosts
After restarting sendmail, check the status by sending an e-mail to the host from a host for which SPF checks will fail.
If the check works properly, the following message should appear in syslog. (This message is output whether or not delivery of the message succeeds.)
Jun 1 14:37:30 mxhost sendmail[14747]: k4V5aZwf014744: clear DSN flags for suppressing (spf=softfail)
If the implementation cannot locate the host name in the database map, it outputs the following message.
Jun 1 15:49:36 ripple sendmail[17197]: k4V6nSYK017194: SPF receiver host is not found (maybe map is not defined), ignore this header
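The decision described on this page (use an Authentication-Results header only when its host name is listed in /etc/mail/spf_recv_hosts, then suppress the DSN on spf=fail or spf=softfail), sketched in Python as an added example; it is not the patch's C code. The header layout (host name first, then spf=result), the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: the left column of /etc/mail/spf_recv_hosts, loaded as a set.
TRUSTED_HOSTS = {"mxhost.example.com"}
SUPPRESS = {"fail", "softfail"}  # SPF results for which the page suppresses DSNs

COMMENT = re.compile(r"\([^()]*\)")
SPF = re.compile(r"(?:^|[;\s])spf\s*=\s*([a-z]+)", re.I)

def parse_auth_results(value):
    """Return (reporting host, SPF result or None) for one header value."""
    value = COMMENT.sub(" ", " ".join(value.split()))  # unfold, drop comments
    host = re.split(r"[;\s]", value.strip(), maxsplit=1)[0].lower()
    m = SPF.search(value)
    return host, (m.group(1).lower() if m else None)

def dsn_decision(raw_message, trusted=TRUSTED_HOSTS):
    """Return ('suppress' or 'send', notes), one note per header seen."""
    decision, notes = "send", []
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        host, result = parse_auth_results(value)
        if host not in trusted:
            # Any sender can insert this header; only listed hosts count.
            notes.append(f"ignored header from unlisted host {host}")
        elif result in SUPPRESS:
            decision = "suppress"
            notes.append(f"suppress DSN (spf={result})")
        else:
            notes.append(f"DSN allowed (spf={result})")
    return decision, notes

# Constructed sample: a header from an unlisted host precedes the listed one,
# and the listed host's header is folded across two lines.
SAMPLE = (
    "Authentication-Results: relay.example.net; spf=pass\n"
    "Authentication-Results: mxhost.example.com;\n"
    "\tspf=softfail (constructed comment) smtp.mailfrom=user@example.org\n"
    "From: user@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(dsn_decision(SAMPLE))
```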
OK, installation finished!
You can tabulate error messages using contrib/est_dsn.pl.
(example)
$ ./est_dsn.pl /var/log/maillog
Total incoming messages: 5307
Total delivered messages: 4901
Estimated DSN messages: 3418
Actual DSN messages: 2906
Suppressed DSN messages: 512
Generally, "Estimated DSN messages" is "Actual DSN messages" plus "Suppressed DSN messages". However, using the DSN feature (the NOTIFY parameter with the NEVER directive) in an SMTP session also suppresses DSN messages, so the totals are sometimes not the same. (Using Sendmail >= 8.13.7 with DSN disabled in access_db, you can completely disable the DSN feature in SMTP sessions, so this case won't bother you.)
I want your configuration examples, comments and suggestions.
Please mail to sagawa+dsn_patch@sfc.wide.
(To avoid spam messages, parts of the addresses are omitted.
Please append ad.jp to get the right addresses.)