Solved

Sourcing sendmail from multiple IPs, based on sender domain (outbound only)

Posted on 2004-08-17
Last Modified: 2013-12-17
In the sendmail environment I support, we have numerous companies/entities sending outbound email through a single set of mail relays, running Red Hat Advanced Server 3.0 and Sendmail 8.12.10.

I am looking for a way to use multiple IPs for outbound email, binding specific IPs to specific sending domains (i.e. all mail from domain1.com would source from 10.0.0.1, mail from domain2.com from 10.0.0.2, etc).  The reasoning for such is to protect domains from being blacklisted due to misconduct from another domain (because both domains source from the same IP).

Is there a way to do this with Sendmail?
Question by:jprice88
LVL 40

Accepted Solution

by:
jlevie earned 125 total points
ID: 11825049
There are two problems you'd have to solve to do this. First of all, Sendmail neither knows nor cares what domain an outbound message came from. So you'd have to implement some sort of filter to separate the outbound stream into multiple streams, one for each domain. The second problem is that sendmail has no control over what the source IP of a connection is. It's the kernel's job to route the connection via what it believes to be the best route. So on a machine with multiple interfaces, all of which use the same upstream router, the kernel will pick the first interface as the source since it is the "best route".

While it might be possible to hack up something that would do this, such a system on a single server would likely be a real kludge and would certainly be a maintenance nightmare. The simple solution would be to set up multiple, small, servers that the clients use only for outbound mail. Obviously, this presumes that one has multiple "outside" IP's, one for each domain.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11830393
Well, I think you can force sendmail to bind to a specific IP address. So you could have multiple logical NICs in the system, each with its own IP address, and run multiple instances of sendmail, each forced to bind to a different IP address. And each one configured to use its own unique directory structure for queue submission and the like, and different log file. I'd hate to see the sendmail.mc for this sort of thing.

Like jlevie says, this would be a kludge/maintenance nightmare. Using multiple small servers is better, or use a honker system that has logical partitioning capability and can run multiple virtual machines (e.g. a Sun E10000, or some similarly hefty box using VMWare Enterprise).
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11832347
> Well, I think you can force sendmail to bind to a specific IP address

It looks to me like that only controls what IP(s) sendmail listens on. Outbound traffic routing is under the kernel's control, in my experience.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11832451
Well, if sendmail instance A is bound to IP 10.10.10.1 and instance B is bound to 10.10.10.2 and they use different queue directories, it seems to me that if you put something in B's queue, it'll use the IP address it's bound to for transmission. I don't see how an instance not bound to an IP address could use that IP address. But I confess I'm going on theory, not practical experience.

In any case, I fully agree with you that it would be a maintenance and troubleshooting nightmare. Better the many small boxes route.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11832609
Well, yes, that's true. And while that could be used to separate the mail into domain-specific queues, I don't see how it would help with the final goal of having outbound email be from the IP Sendmail is listening on. It's been my experience that the kernel will pick the first interface that has a route to the destination (the default route in this case) and use that interface.
0
LVL 5

Expert Comment

by:cgrey
ID: 11866650
"Well, if sendmail instance A is bound to IP 10.10.10.1 and instance B is bound to 10.10.10.2 and they use different queue directories, it seems to me that if you put something in B's queue, it'll use the IP address its bound to for transmission."

This isn't necessarily correct.  Unless you use very funky routing tables with multiple default gateways, sendmail will make its outbound queue connection via the last/most recent default gw entry in the routing table.  You can do this by creating multiple default gateways and even binding them to virtual interfaces (eth0:x etc.) but a LOT of things don't like that, and in fact some services will fail to operate correctly or come up properly at startup.

There is another way to do this but it's a major pain in the butt.  Create a bunch of virtual interfaces that are addressed as /32 netmask.  Then you can create a default route for each and bind sendmail to that IP.  Unfortunately this is an administrative (and logical networking) nightmare.  A similar effect can be achieved by using the universal tap driver and creating /32 subnets on each tap interface tap1 10.1.1.1/32, tap2 10.1.1.2/32 and add routes for each.  This is fairly easy to script out, but as your network and mail traffic grow, the networking CPU overhead for your system grows rapidly.

0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11866661
The issue is not the gateway - it's which IP address sendmail uses outbound. Does it use the one the MTA is bound to, or does it use any available IP address? The gateway beyond that is irrelevant.
0
 
LVL 5

Expert Comment

by:cgrey
ID: 11866719
No, it isn't irrelevant. The default gateway address - or the gateway address for the network in question - in the local routing table will define WHICH address the sendmail queue runner or child fork will send from.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11867427
That's what I said in the first comment. From within sendmail there's no control over what the source IP is. That's completely determined by what the kernel thinks the best route to the destination is.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11874285
Ah - I see what you're saying. Sorry, I had completely misunderstood the both of you.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12103492
I'd say jlevie deserves the points.
0
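The point debated in the thread, shown at the socket level (an added example, not part of the original thread and not sendmail code): the address a listener is bound to has no effect on the source address of an outbound connection, which the kernel chooses from its routing decision unless the client socket itself is bound before `connect()`. It assumes Linux, where every address in 127.0.0.0/8 is local; the two loopback addresses and all function names are constructed stand-ins for the relay's IPs.

```python
import socket

DEST_IP = "127.0.0.1"      # constructed: stands in for the remote mail server
INSTANCE_IP = "127.0.0.2"  # constructed: address one MTA instance listens on


def start_listener(ip):
    """Open a TCP listener on ip with a kernel-assigned port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((ip, 0))
    srv.listen(5)
    return srv


def source_seen_by_peer(dest, bind_ip=None):
    """Connect to dest and return the source IP the destination observes."""
    out = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if bind_ip is not None:
            # Pin the source address before connecting; port 0 = ephemeral.
            out.bind((bind_ip, 0))
        out.connect(dest.getsockname())   # completes via the listen backlog
        conn, peer = dest.accept()
        conn.close()
        return peer[0]
    finally:
        out.close()


def demo():
    """Return (source without bind, source with explicit bind)."""
    dest = start_listener(DEST_IP)
    # The instance's own listener, as in the thread's "bound to an IP" setup.
    instance_listener = start_listener(INSTANCE_IP)
    try:
        unbound = source_seen_by_peer(dest)               # kernel chooses
        pinned = source_seen_by_peer(dest, INSTANCE_IP)   # explicit bind
    finally:
        instance_listener.close()
        dest.close()
    return unbound, pinned


if __name__ == "__main__":
    print(demo())
```

Sendmail exposes this same bind for its outgoing SMTP connections through the `Addr=` field of `ClientPortOptions`.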
