Reject mail with no valid recipients
A lot of spam I see does not use valid recipients. Either many
are buggy, or spammers are trying to guess addresses.
The point is that a significant percentage (if not the majority) of spam
doesn't carry valid recipients. Checking the validity of a recipient is much
cheaper than content-based analysis, as done with
However, filtering is often done on an intermediate relay, which doesn't
have a complete list of all valid recipients. Maintaining a copy of the
list on the relay would be cumbersome.
This is the sole purpose of milter-checkrcpt. It checks the validity of
recipients by asking another mail server, like your internal
mail server, which already has the complete list of valid users.
Invalid recipients are permanently removed from mails. Mails with no valid
recipients are refused.
See milter-regex for a general introduction
to milter plugins.
milter-checkrcpt runs on OpenBSD and is
MILTER-CHECKRCPT(8) OpenBSD System Manager's Manual MILTER-CHECKRCPT(8)
milter-checkrcpt - sendmail milter plugin for recipient checking against
milter-checkrcpt [-d] [-h helo] [-m mailfrom] [-p pipe] [-r recipient]
[-s server] [-u user]
The milter-checkrcpt plugin can be used with the milter API of
sendmail(8) to filter mails with invalid recipients. The validity of a
recipient address is determined by querying another mail server over
The options are as follows:
-d            Don't detach from controlling terminal and produce verbose debug output on stdout.
-h helo       Use the specified string in the SMTP HELO line sent to the server, instead of the default, the local host name.
-m mailfrom   Use the specified string in the SMTP MAIL FROM line sent to the server, instead of the default, milter-checkrcpt@helo.
-p pipe       Use the specified pipe to interface sendmail(8). Default
-r recipient  Test the specified recipient and terminate immediately.
-s server     Use the specified server IP address. This option is manda-
-u user       Run as the specified user instead of the default, _milter-checkrcpt. When milter-checkrcpt is started as root, it calls setuid(2) to drop privileges. The non-privileged user should have read access to the configuration file and read-write access to the pipe.
Recipients are checked by contacting the specified server and performing
the following SMTP dialogue:
250 HELO ACCEPTED
MAIL FROM: <mailfrom@helo>
250 SENDER OK
RCPT TO: <recipient>
250 RECIPIENT OK
If the server responds with positive completion reply codes (200-299) to
all commands sent, or with a temporary failure code (400-499) to any
command sent, the recipient is considered valid. If any command results in
a different reply code, the recipient is considered invalid. If the
connection to the server cannot be established at all, the recipient is
considered valid. Note that this dialogue does not actually send any mail
to the server. A single mail can have one or multiple recipients. The
plugin checks each recipient, removing any invalid recipients from the
mail. If no valid recipients are found, the plugin instructs sendmail(8)
to reject the mail with SMTP reply code 554 ("Transaction failed"),
extended reply code 5.7.1 ("Permanent failure"), and reply text "No valid
recipients". Otherwise, the plugin accepts the mail.
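The decision rule described above, written out as an added Python example (not milter-checkrcpt's own code, which this page does not show). The function names, the sample addresses and their reply codes are constructed for illustration, and the handling of a connection lost mid-dialogue is an assumption.

```python
import smtplib

def probe(server, helo, mailfrom, rcpt, timeout=10):
    """HELO, MAIL FROM, RCPT TO against server (no DATA is ever sent).
    Returns the reply codes received, or None if the server was unreachable."""
    codes = []
    try:
        with smtplib.SMTP(server, 25, local_hostname=helo, timeout=timeout) as s:
            for step in (lambda: s.helo(helo), lambda: s.mail(mailfrom),
                         lambda: s.rcpt(rcpt)):
                codes.append(step()[0])
                if not 200 <= codes[-1] <= 299:
                    break  # the first non-2xx reply ends the dialogue
    except (OSError, smtplib.SMTPException):
        # Assumption: a connection lost mid-dialogue is judged on the replies
        # received so far; with none received it counts as unreachable.
        return codes or None
    return codes

def is_valid(codes):
    """Apply the rule from the text to one recipient's reply codes."""
    if codes is None:
        return True            # backend unreachable: fail open
    for code in codes:
        if 400 <= code <= 499:
            return True        # temporary failure: keep the recipient
        if not 200 <= code <= 299:
            return False       # any other non-2xx reply: invalid
    return True                # every command got 2xx

def filter_recipients(recipients, lookup):
    """lookup(rcpt) returns reply codes or None. Returns (kept, verdict)."""
    kept = [r for r in recipients if is_valid(lookup(r))]
    if not kept:
        return kept, ("reject", 554, "5.7.1", "No valid recipients")
    return kept, ("accept",)

# Constructed sample replies, standing in for a live backend.
SAMPLE = {
    "alice@example.org": [250, 250, 250],
    "nosuch@example.org": [250, 250, 550],
    "busy@example.org": [250, 250, 451],
    "down@example.org": None,
}

if __name__ == "__main__":
    print(filter_recipients(list(SAMPLE), SAMPLE.get))
    print(filter_recipients(["nosuch@example.org"], SAMPLE.get))
```

For a live check, pass a lookup that calls probe() with the backend's address. Because unreachable and 4xx both count as valid, a backend outage lets every recipient through unfiltered, so the content filters behind this check still see that mail.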
The plugin needs to be registered in the sendmail(8) configuration, by
adding the following lines to the .mc file
rebuilding /etc/mail/sendmail.cf from the .mc file using m4(1), and
milter-checkrcpt sends log messages to syslogd(8) using facility daemon
and, with increasing verbosity, level err, notice, info and debug. The
following syslog.conf(5) section can be used to log messages to a dedi-
mailstats(1), syslog.conf(5), sendmail(8), syslogd(8)
Simple Mail Transfer Protocol, RFC 2821.
The first version of milter-checkrcpt was written in 2007.
Daniel Hartmeier <email@example.com>
OpenBSD 4.4 May 20, 2009
0.3: Mar 7, 2012
Do not refuse mail when the backend server reports temporary failure (4xx)
(suggested by Shinta Sato).
0.2: Jul 12, 2011
Don't generate space after MAIL FROM:/RCPT TO: (from Claus Assmann).
0.1: May 20, 2009
First public version.
- sendmail and milter
- RFC 821 Simple Mail Transfer Protocol (SMTP)
- RFC 1893 Enhanced Mail System Status Codes
- Other milter plugins (multiple plugins can be chained)
- milter-regex filtering using regular expressions (and links to other milter plugins)