Envelope Milter

I wrote this simple milter as a way of learning more about the sendmail Milter interface. It draws on the sample filter from the sendmail distribution and on SpamAssassin Milter.

The purpose of Envelope Milter is to redirect identified spam to a "spam catcher" mail account. This requires that something upstream of Envelope Milter has applied a header to the email indicating whether or not it is considered to be spam. I use Envelope Milter as the second of two Milters. The first is SpamAssassin Milter. SpamAssassin Milter provides a straightforward interface between sendmail and spamd from SpamAssassin.

Envelope milter supports the following command line options:

Run in the background. Default is to run in the forground.
Debug mode. Log a little extra debuging information.
-m header
Name of header to match. Match is case insensitive. Default is "X-Spam-Status".
-n name
Name of Milter to pass to sendmail. Each milter should have a unique name. Default is "SpamRedirectFilter".
-p port
Name of Milter port. Default is "unix:env-milter.sock" in the current directory.
-r recipient
Valid email address of recipient if match header is found. Default is "root@localhost".
-s string
Right hand side of header to match. Match is case insensitive. Default is "Yes".
-t timeout
Time to wait for connection from sendmail. Default is configured via sendmail (typically 1800 seconds).
-x header
Header to add for each removed recipient. Default is "X-Env-Recipient". If set to an empty string, no header will be added.

One could run SpamAssassin at its default trigger level of 5.0 and set Envelope Milter to trigger at a higher level (say 20.0) by using SpamAssassin's "X-Spam-Level" header with the -m and -s options of Envelope Milter. As each "*" in the header value represents an increment of one in the spam score, it is possible to set a site wide upper spam limit. Any spam over this score is then directed to a central account for checking and subsequent disposal. The courageously condfident might choose a recipient that resolves to /dev/null.

Users still have the option to filter their mail by means of the "X-Spam-*" headers inserted by SpamAssassin without being subjected to the worst of the spam (Orwellian, or what?).


If you are intending to use this software for anything at all, please note that it comes with NO WARRANTY. If it breaks, you alone are responsible for picking up all of the pieces. I have compiled and run Envelope Milter on RedHat versions 9, 7.3 and 6.2. It should run on other versions of Linux, it might run on *BSD etc, I doubt it will run on Win32.

Re-writing envelope addresses can easily cause mail loops and lost mail. It is not polite (nor, possibly, legal) to redirect another recipient's email without permission.

Milters should not be run as root if at all possible. The chosen non root user should still be protected as if it were root. If an attacker creates a socket replacing that of your milter, the attacker will have complete control of your mail system.

You should probably be running sendmail 8.12.3 or later, you need to have the sendmail milter libraries and headers installed to compile Envelope Milter and you need to be familiar with configuring sendmail using m4. Please do not ask me to explain how to do such things.


Envelope Milter is available as source. There is also an RPM Spec file, a RedHat startup script and an SRPM.

Also in this section


Please submit comments and questions about this site to

If you enjoyed this site, small donations towards running costs are always gratefully received (well, I can hope...). Joking aside, thank you for chosing to visit my website.