--- bin/smtp-vilter/smtp-vilter.8.orig	Sun Nov 12 12:39:17 2006
+++ bin/smtp-vilter/smtp-vilter.8	Sat Apr  3 21:43:06 2010
@@ -68,6 +68,9 @@
 .Bk -words
 .Op Fl a Ar spam-subject-prefix
 .Ek
+.Bk -words
+.Op Fl H Ar header-options
+.Ek
 .\" .Bk -words
 .\" .Op Fl D Ar binddn
 .\" .Ek
@@ -122,6 +125,9 @@ Start in verbose mode.
 .Nm
 will run in foreground and some diagnostic messages are displayed on the
 console.  Watch the system log for additional messages.
+.It Fl vv
+Enable a few additional messages relating to SASL authentication,
+and display data sent to and from backend sockets.
 .It Fl m
 Mark all messages with
 .Dq X-SMTP-Vilter
@@ -174,6 +180,9 @@ to set a maximum number of open file descriptors.
 .It Fl a Ar spam-subject-prefix
 Specify a prefix that will be put in from of the Subject-line if a
 message is considered spam.
+.It Fl H Ar header-options
+Control various features of the internally generated header used to
+forward messages to a spam detection backend (see "Header Options" below).
 .\" .It Fl D Ar binddn
 .\" Specify the  distinguished name to use when binding to the LDAP server.
 .\" .It Fl h Ar ldaphost
@@ -194,12 +203,50 @@ socket file is in /var/run):
 INPUT_MAIL_FILTER(`smtp-vilter', `S=unix:/var/run/smtp-vilter.sock, F=T, T=S:10s;R:120s')
 define(`confINPUT_MAIL_FILTERS', `smtp-vilter')
 .Ed
-
 Configure your timeouts to sane values.  If you use Spamassassin make
 them long enough.  Remember you have to set timeouts not only in the
 smtp-vilter and backend config files, but in your sendmail .mc config
 file a s well as shown in the example above which configures a sending
 timeout of 10 seconds and a receiving timeout of 120 seconds.
+.Sh Using Postfix
+.Nm
+can be used with recent versions of Postfix that include milter support.
+Postfix needs access to smtp-vilter.sock by making it a member of
+the owning group and setting umask 002 before running smtp-vilter
+.Pp
+Postfix does not automatically set the _ macro, this must be added
+to main.cf manually:
+.Bd -literal
+milter_connect_macros = j {daemon_name} v _
+.Ed
+.Sh Header Options
+As
+.Nm
+receives messages directly via the milter interface, it doesn't have access to
+headers that are added downstream by the MTA.  So in order pass a message to a
+spam detection backend
+.Nm
+must generate and add its own artificial header.
+Note that this header is entirely internal and is NOT visible to the MTA or
+the end recipent.
+.Pp
+The
+.Aq header-options
+parameter provides control over various features of this header.
+.Pp
+At present there is only one option, which is to indicate the sender's SASL
+authentication status as reported by the MTA:
+.Bl -tag -width "header-options=xxx"
+.It Pa header-options=0
+ignore SASL authentication status (default)
+.It Pa header-options=1
+if the sender successfully signed in then insert a tag of the form
+"(Authenticated sender: user@domain)" in the received header.
+.El
+.Pp
+The latter behaviour emulates Postfix's "smtpd_sasl_authenticated_header"
+option. It enables a (suitably configured) spam detection backend to apply
+different rules for trusted senders.
 .Sh FILES
 .Bl -tag -width "/etc/smtp-vilter/smtp-vilter.conf" -COMPACT
 .It Pa /etc/smtp-vilter/smtp-vilter.conf
@@ -265,15 +312,6 @@ based scanning.  If both
 .Nm
 and the scan engine are chrooted to different directories, they must
 communicate using TCP/IP sockets.
-.Sh USING POSTFIX
-.Nm
-can be used with recent versions of Postfix that include milter support.
-Postfix needs access to smtp-vilter.sock by making it a member of
-the owning group and setting umask 002 before running smtp-vilter
-.Pp
-Postfix does not automatically set the _ macro, this must be added
-to main.cf manuall:
-milter_connect_macros = j {daemon_name} v _
 .\" .Sh BUGS
 .\" .Ss LDAP functionality
 .\" LDAP functionality is only available when
