You have a few options:
- permit nobody to set -f (best)
- use something like Net::SMTP to relay your first hop instead of using
sendmail directly; then you have control over every header
- create a setuid script (or wrapper) set to a user who can issue the
-f, but I presume this will be some "super" user, so that makes this
the least favorite of the choices presented here
-- Randal L. Schwartz, Perl hacker