Solved

Sourcing sendmail from multiple IPs, based on sender domain (outbound only)

Posted on 2004-08-17
Last Modified: 2013-12-17
In the sendmail environment I support, we have numerous companies/entities sending outbound email through a single set of mail relays, running Red Hat Advanced Server 3.0 and Sendmail 8.12.10.

I am looking for a way to use multiple IPs for outbound email, binding specific IPs to specific sending domains (i.e. all mail from domain1.com would source from 10.0.0.1, mail from domain2.com from 10.0.0.2, etc).  The reasoning for such is to protect domains from being blacklisted due to misconduct from another domain (because both domains source from the same IP).

Is there a way to do this with Sendmail?
Question by:jprice88

Accepted Solution

by:
jlevie earned 125 total points
ID: 11825049
There are two problems you'd have to solve to do this. First of all, Sendmail neither knows nor cares what domain an outbound message came from. So you'd have to implement some sort of filter to separate the outbound stream into multiple streams, one for each domain. The second problem is that sendmail has no control over what the source IP of a connection is. It's the kernel's job to route the connection via what it believes to be the best route. So on a machine with multiple interfaces, all of which use the same upstream router, the kernel will pick the first interface as the source since it is the "best route".

While it might be possible to hack up something that would do this, such a system on a single server would likely be a real kludge and would certainly be a maintenance nightmare. The simple solution would be to set up multiple, small, servers that the clients use only for outbound mail. Obviously, this presumes that one has multiple "outside" IP's, one for each domain.

Expert Comment

by:PsiCop
ID: 11830393
Well, I think you can force sendmail to bind to a specific IP address. So you could have multiple logical NICs in the system, each with its own IP address, and run multiple instances of sendmail, each forced to bind to a different IP address. And each one configured to use its own unique directory structure for queue submission and the like, and a different log file. I'd hate to see the sendmail.mc for this sort of thing.

Like jlevie says, this would be a kludge/maintenance nightmare. Using multiple small servers is better, or use a honker system that has logical partitioning capability and can run multiple virtual machines (e.g. a Sun E10000, or some similarly hefty box using VMWare Enterprise).

Expert Comment

by:jlevie
ID: 11832347
> Well, I think you can force sendmail to bind to a specific IP address

It looks to me like that only controls what IP(s) sendmail listens on. Outbound traffic routing is under the kernel's control, in my experience.

Expert Comment

by:PsiCop
ID: 11832451
Well, if sendmail instance A is bound to IP 10.10.10.1 and instance B is bound to 10.10.10.2 and they use different queue directories, it seems to me that if you put something in B's queue, it'll use the IP address it's bound to for transmission. I don't see how an instance not bound to an IP address could use that IP address. But I confess I'm going on theory, not practical experience.

In any case, I fully agree with you that it would be a maintenance and troubleshooting nightmare. Better the many small boxes route.

Expert Comment

by:jlevie
ID: 11832609
Well, yes, that's true. And while that could be used to separate the mail into domain-specific queues, I don't see how it would help with the final goal of having outbound email be from the IP Sendmail is listening on. It's been my experience that the kernel will pick the first interface that has a route to the destination (the default route in this case) and use that interface.

Expert Comment

by:cgrey
ID: 11866650
"Well, if sendmail instance A is bound to IP 10.10.10.1 and instance B is bound to 10.10.10.2 and they use different queue directories, it seems to me that if you put something in B's queue, it'll use the IP address it's bound to for transmission."

This isn't necessarily correct. Unless you use very funky routing tables with multiple default gateways, sendmail will make its outbound queue connection via the last/most recent default gw entry in the routing table. You can do this by creating multiple default gateways and even binding them to virtual interfaces (eth0:x etc) but a LOT of things don't like that, and in fact some services will fail to operate correctly or come up properly at startup.

There is another way to do this but it's a major pain in the butt.  Create a bunch of virtual interfaces that are addressed as /32 netmask.  Then you can create a default route for each and bind sendmail to that IP.  Unfortunately this is an administrative (and logical networking) nightmare.  A similar effect can be achieved by using the universal tap driver and creating /32 subnets on each tap interface tap1 10.1.1.1/32, tap2 10.1.1.2/32 and add routes for each.  This is fairly easy to script out, but as your network and mail traffic grow, the networking CPU overhead for your system grows rapidly.


Expert Comment

by:PsiCop
ID: 11866661
The issue is not the gateway - it's which IP address sendmail uses outbound. Does it use the one the MTA is bound to, or does it use any available IP address? The gateway beyond that is irrelevant.

Expert Comment

by:cgrey
ID: 11866719
No, it isn't irrelevant. The default gateway address - or the gateway address for the network in question - in the local routing table will define WHICH address the sendmail queue runner or child fork will send from.

Expert Comment

by:jlevie
ID: 11867427
That's what I said in the first comment. From within sendmail there's no control over what the source IP is. That's completely determined by what the kernel thinks the best route to the destination is.

Expert Comment

by:PsiCop
ID: 11874285
Ah - I see what you're saying. Sorry, I had completely misunderstood the both of you.

Expert Comment

by:PsiCop
ID: 12103492
I'd say jlevie deserves the points.
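
The thread turns on the difference between the address a daemon listens on and the source address of a connection it originates. As an added illustration (not from the thread and not sendmail code), this Python sketch shows both cases at the socket level on Linux: a client that only calls connect() gets a kernel-chosen source, while one that calls bind() first keeps the address it bound. The function name is hypothetical, and 127.0.0.2 is a constructed stand-in for a second local IP.

```python
import socket


def source_seen_by_listener(bind_ip=None):
    """Return the client IP that a listener on 127.0.0.1 sees for one connection.

    bind_ip=None : the client only calls connect(); the kernel selects the
                   source address from its routing decision.
    bind_ip=<ip> : the client calls bind() before connect(), pinning the
                   source address (port 0 lets the kernel pick the port).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        srv.settimeout(5)
        srv.bind(("127.0.0.1", 0))      # listening address only
        srv.listen(1)

        if bind_ip is not None:
            cli.bind((bind_ip, 0))      # pins the *outbound* source address
        cli.connect(srv.getsockname())  # handshake completes in the backlog

        conn, peer = srv.accept()       # peer = (source IP, source port)
        conn.close()
        return peer[0]


if __name__ == "__main__":
    # Assumption: Linux, where every address in 127.0.0.0/8 is local, so
    # 127.0.0.2 can play the role of a second IP on the same host.
    print("connect() only     ->", source_seen_by_listener())
    print("bind() + connect() ->", source_seen_by_listener("127.0.0.2"))
```

The address returned is what a receiving mail server or blacklist operator would log for the connection. Whether an MTA issues that bind() for outbound SMTP is a configuration matter; in sendmail the setting to check is ClientPortOptions (its Addr= key).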