This filter performs a SenderScore lookup and allows OpenSMTPD to either block or slow down asession based on the reputation of the source IP address.
The filter currently supports:
- blocking hosts with reputation below a certain value
- adding an
X-SenderScore header with the score of the source IP address - adding an
X-Spam header to hosts with reputation below a certain value - applying a time penalty proportional to the IP reputation
- allowlisting IP addresses or subnets
The filter is written in Golang and doesn't have any dependencies beyond the standard library.
It requires OpenSMTPD 6.6.0 or higher.
Install from your operating system's preferred package manager if available.On OpenBSD:
$ doas pkg_add filter-senderscorequirks-3.167 signed on 2019-08-11T14:18:58Zfilter-senderscore-v0.1.0: ok
Alternatively, clone the repository, build and install the filter:
$ cd filter-senderscore/$ go build$ doas install -m 0555 filter-senderscore /usr/local/bin/filter-senderscore
On Linux, use sudo(8) instead of doas(1).
The filter itself requires no configuration.
It must be declared in smtpd.conf and attached to a listener:
filter "senderscore" proc-exec "/usr/local/bin/filter-senderscore -blockBelow 50 -junkBelow 80 -slowFactor 1000"listen on all filter "senderscore"
-blockBelow will display an error banner for sessions with reputation score below value then disconnect.
-blockPhase will determine at which phase-blockBelow will be triggered, defaults toconnect, valid choices areconnect,helo,ehlo,starttls,auth,mail-from,rcpt-to andquit. Note thatquit will result in a message at the end of a session and may only be used to warn sender that reputation is degrading as it will not prevent transactions from succeeding.
-junkBelow will prepend the 'X-Spam: yes' header to messages.
-slowFactor will delay all answers to a reputation-related percentage of its value in milliseconds. The formula isdelay * (100 - score) / 100 wheredelay is the argument to the-slowFactor parameter andscore is the reputation score. By default, connections are never delayed.
-scoreHeader will add an X-SenderScore header with reputation value if known.
-allowlist <file> can be used to specify a file containing a list of IP addresses and subnets in CIDR notation to allowlist, one per line. IP addresses matching any entry in that list automatically receive a score of 100.
