Solved

Sourcing sendmail from multiple IPs, based on sender domain (outbound only)

Posted on 2004-08-17
Last Modified: 2013-12-17
In the sendmail environment I support, we have numerous companies/entities sending outbound email through a single set of mail relays, running Red Hat Advanced Server 3.0 and Sendmail 8.12.10.

I am looking for a way to use multiple IPs for outbound email, binding specific IPs to specific sending domains (i.e. all mail from domain1.com would source from 10.0.0.1, mail from domain2.com from 10.0.0.2, etc).  The reasoning for such is to protect domains from being blacklisted due to misconduct from another domain (because both domains source from the same IP).

Is there a way to do this with Sendmail?
0
Question by:jprice88
12 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 125 total points
ID: 11825049
There are two problems you'd have to solve to do this. First of all, Sendmail neither knows nor cares what domain an outbound message came from. So you'd have to implement some sort of filter to separate the outbound stream into multiple streams, one for each domain. The second problem is that sendmail has no control over what the source IP of a connection is. It's the kernel's job to route the connection via what it believes to be the best route. So on a machine with multiple interfaces, all of which use the same upstream router, the kernel will pick the first interface as the source since it is the "best route".

While it might be possible to hack up something that would do this, such a system on a single server would likely be a real kludge and would certainly be a maintenance nightmare. The simple solution would be to set up multiple, small, servers that the clients use only for outbound mail. Obviously, this presumes that one has multiple "outside" IP's, one for each domain.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11830393
Well, I think you can force sendmail to bind to a specific IP address. So you could have multiple logical NICs in the system, each with its own IP address, and run multiple instances of sendmail, each forced to bind to a different IP address. And each one configured to use its own unique directory structure for queue submission and the like, and different log file. I'd hate to see the sendmail.mc for this sort of thing.

Like jlevie says, this would be a kludge/maintenance nightmare. Using multiple small servers is better, or use a honker system that has logical partitioning capability and can run multiple virtual machines (e.g. a Sun E10000, or some similarly hefty box using VMWare Enterprise).
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11832347
> Well, I think you can force sendmail to bind to a specific IP address

It looks to me like that only controls what IP(s) sendmail listens on. Outbound traffic routing is under the kernel's control, in my experience.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11832451
Well, if sendmail instance A is bound to IP 10.10.10.1 and instance B is bound to 10.10.10.2 and they use different queue directories, it seems to me that if you put something in B's queue, it'll use the IP address it's bound to for transmission. I don't see how an instance not bound to an IP address could use that IP address. But I confess I'm going on theory, not practical experience.

In any case, I fully agree with you that it would be a maintenance and troubleshooting nightmare. Better the many small boxes route.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11832609
Well, yes that's true. And while that could be used to separate the mail into domain-specific queues, I don't see how it would help with the final goal of having outbound email be from the IP Sendmail is listening on. It's been my experience that the kernel will pick the first interface that has a route to the destination (the default route in this case) and use that interface.
0
 
LVL 5

Expert Comment

by:cgrey
ID: 11866650
"Well, if sendmail instance A is bound to IP 10.10.10.1 and instance B is bound to 10.10.10.2 and they use different queue directories, it seems to me that if you put something in B's queue, it'll use the IP address its bound to for transmission."

This isn't necessarily correct.  Unless you use very funky routing tables with multiple default gateways, sendmail will make its outbound queue connection via the last/most recent default gw entry in the routing table.  You can do this by creating multiple default gateways and even binding them to virtual interfaces (eth0:x etc) but a LOT of things don't like that, and in fact some services will fail to operate correctly or come up properly at startup.

There is another way to do this but it's a major pain in the butt.  Create a bunch of virtual interfaces that are addressed as /32 netmask.  Then you can create a default route for each and bind sendmail to that IP.  Unfortunately this is an administrative (and logical networking) nightmare.  A similar effect can be achieved by using the universal tap driver and creating /32 subnets on each tap interface tap1 10.1.1.1/32, tap2 10.1.1.2/32 and add routes for each.  This is fairly easy to script out, but as your network and mail traffic grow, the networking CPU overhead for your system grows rapidly.

0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11866661
The issue is not the gateway - it's which IP address sendmail uses outbound. Does it use the one the MTA is bound to, or does it use any available IP address? The gateway beyond that is irrelevant.
0
 
LVL 5

Expert Comment

by:cgrey
ID: 11866719
No, it isn't irrelevant. The default gateway address - or the gateway address for the network in question - in the local routing table will define WHICH address the sendmail queue runner or child fork will send from.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11867427
That's what I said in the first comment. From within sendmail there's no control over what the source IP is. That's completely determined by what the kernel thinks the best route to the destination is.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11874285
Ah - I see what you're saying. Sorry, I had completely misunderstood the both of you.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12103492
I'd say jlevie deserves the points.
0
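
The distinction argued over in the comments above, between the address a process listens on and the source address of its outbound connections, shown at the socket level as an added example (not part of the original thread, and not sendmail code). It assumes Linux, where every address in 127.0.0.0/8 is local to the loopback interface; `DEST_IP`, `INSTANCE_IP` and the function names are constructed for this illustration.

```python
import socket

DEST_IP = "127.0.0.1"      # constructed stand-in for the remote mail exchanger
INSTANCE_IP = "127.0.0.2"  # constructed stand-in for the IP "instance B" listens on


def _listener(ip):
    """Open a TCP listener on ip; port 0 lets the kernel pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((ip, 0))
    s.listen(1)
    s.settimeout(5)
    return s


def source_seen_by_destination(bind_client_to=None):
    """Return the source IP the destination sees for one outbound connection.

    The process also listens on INSTANCE_IP the whole time, the way a daemon
    bound to one address for inbound mail would.
    """
    dest = _listener(DEST_IP)
    inbound = _listener(INSTANCE_IP)  # listening socket only; never used to send
    out = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    out.settimeout(5)
    try:
        if bind_client_to is not None:
            # bind() before connect() pins the source address of this socket.
            out.bind((bind_client_to, 0))
        # Without the bind above, the kernel's route lookup picks the source.
        out.connect(dest.getsockname())
        conn, peer = dest.accept()
        conn.close()
        return peer[0]
    finally:
        for s in (out, inbound, dest):
            s.close()


if __name__ == "__main__":
    print("listener on INSTANCE_IP only:", source_seen_by_destination())
    print("client socket bound as well :", source_seen_by_destination(INSTANCE_IP))
```

The first call reports the address the kernel chose from its routing table, even though the process holds a listener on `INSTANCE_IP`; only the second call, where the outbound socket itself is bound, arrives from `INSTANCE_IP`.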
