Masquerading in Sendmail with PIX firewall

Posted on 2006-07-19
Last Modified: 2010-04-20
I have sendmail working on RHES behind NAT with a PIX firewall for some time.  I would now like to masquerade "myhostname.mydomain.com" as "mail.mydomain.com" so that my outgoing email headers show mail originating from mail.mydomain.com instead of the actual hostname.
I have checked the criteria at http://www.linuxselfhelp.com/quick/sendmail.html which are admittedly dated, but comprehensive, and so far
- my zone file shows
                    IN  NS     myhostname.mydomain.com
                    IN  MX     mail.mydomain.com
...
localhost           IN  A      192.168.1.3
myhostname          IN  A      192.168.1.3
mydomain.com.       IN  A      192.168.1.3
mail.mydomain.com.  IN  A      192.168.1.3
...
www                 IN  CNAME  myhostname.mydomain.com.
ns                  IN  CNAME  myhostname.mydomain.com.

- /etc/mail/sendmail.cf shows
sendmail.mc shows:
dnl MASQUERADE_AS(`mail.mydomain.com')dnl
dnl FEATURE(masquerade_envelope)dnl
dnl FEATURE(masquerade_entire_domain)dnl
dnl MASQUERADE_DOMAIN(mydomain.com)dnl

- /etc/sysconfig/network shows
#HOSTNAME=myhostname.mydomain.com  //default entry, disabled
HOSTNAME=mail.mydomain.com                   //new entry

- /etc/hosts shows
127.0.0.1      localhost.localdomain                localhost
192.168.1.3  myhostname.mydomain.com    myhostname loghost

I have a second virtual domain on this server using the same IP for mail, but that's another question for another day.  This is a good start but I'm concerned about /etc/sysconfig/network.  I'm working remotely and I'm not comfortable running ifdown/ifup on eth0 to get it to respond to a different hostname because I don't know what that will do to my ssh connection.  Even though the ACLs and routes on the PIX are IP-based, the IPs are mapped to hostnames, and if eth0 now responds to "mail" instead of the hostname, I may have a problem.  So my question is: if this configuration is correct, will it work with the PIX?


0
Comment
Question by:klukac
  • 5
  • 5
10 Comments
 
Assisted Solution by: noci (earned 500 total points), ID: 17142722
IP routing & filtering in firewalls never use any hostnames.

They are based on IP addresses and, if used in a protocol, port numbers.

So the rules in your PIX will forward anything put at them according to the rules, based on IP.

A packet whose destination is 192.168.1.3 will go to your system regardless of whether www.mydomain.com, ns.mydomain.com etc. was used.

BTW, don't modify localhost in your zone file to 192.168.1.3, it can cause quite some unexpected behaviour if programs think they use localhost to get back to 127.0.0.1 and end up somewhere else.

Some daemons are localhost bound, meant to use the lo interface, and otherwise will reject a connection.


0
 

Author Comment

by:klukac
ID: 17143055
Thanks very much!
I remembered that I had another LAN card on that machine, so before reading your message I changed the PIX logging host to eth1 so that changes to eth0 wouldn't cut me off.  But now, no worry I guess.

Anyway, I'm still trying to sort this out - I rebooted eth0 so mail.mydomain.com = how my server identifies itself on the Internet, per a mail header a friend just sent me.  So masquerading may work, however dnsreport.com still shows the same error (my mailserver name is invalid)... I'll wait a while to see if it changes.

In the meantime, ssh -l myuser www.mydomain.com still works but it's terribly slow since the eth0 change/reboot, and ssh -l myuser 1.2.3.4 doesn't work at all from this client, although I'm able to log in to my backup server in this way.
Let me know what to look for, thanks.

Assisted Solution by: noci (earned 500 total points), ID: 17144174
Can you please show me some picture of your network...

<Internetaddr> -| PIX | - 192.168.1.1 ---+---- 192.168.1.3 [ BOX ] ----+
                                         +---- 192.168.1.X  -----------+

Is your DNS server running on your BOX, or somewhere on the internet?

Can you do: ifconfig -a on your mailserver, and also a netstat -rn.

From where did you do the ssh -l myuser www.mydomain.com, and from where the ssh -l myuser 1.2.3.4 (assuming 1.2.3.4 is your outside IP address)?

You never identify yourself on the internet by name.....
As said before, the internet (version 4, IPv4) uses IP addresses of 4 bytes grouped together in networks by netmask. This address, e.g. 192.168.1.3, is the address of your machine regardless of the domain name. Internet domain names were put in use about 15 years AFTER the inception of the internet protocol.

Through NAT an address outside of your PIX (assume 1.2.3.4) gets translated to 192.168.1.3.
Your system listens for packets with that address!

For humans, who can hardly remember the numbers of tens of systems but are very good at handling names, we give a meaningful name to an IP address by using a name-to-number translator => DNS.
Domain names also play a role in mail routing. (That's network layer 7; IP is layer 2/3.)
So AFTER a connection is built (with 192.168.1.3) (several packets starting the TCP link), the SMTP protocol starts:

HELO mail.example.com
MAIL FROM: <someone@mail.example.com>
RCPT TO: <you@mydomain.com>
DATA
Headers
Headers

Content
Content
.
QUIT

It's the RCPT TO: that holds the destination of the mail.
(That's at least 3 packets after it all started, and it's the first indication of whether the mail is meant for you or needs to be relayed.)

It's only in a HELO message that your mail server announces itself to another mailserver (and many mail servers accept ANYTHING there as a hostname).

Why the need to change the eth0 interface?
BTW what did you change, the hostname?

The use of the localhost name in DNS might be a problem.

Expert Comment by: noci, ID: 17144226
Is your DNS on the internet?
If so: the 192.168.x.x addresses are non-routable.
You need to put your OUTSIDE IP address in that file.

The zone file as you have shown in your request is one that can work on your inside network for local mail, but not for the outside.
The same holds true the other way round: if you have outside addresses in DNS on the internet, you can't use the same DNS to serve your local addresses. NAT doesn't work for DNS.

SSH from the internet might fail because your PIX blocks the traffic?
Author Comment by: klukac, ID: 17149034
My server is inside NAT, so adding an external IP to the zone file will not help - all connections to the Internet are through the PIX (static routes + ACLs).  I could remove the localhost entry from the zone file, which doesn't look like it belongs there.

You were right about the SSH connection, I had changed the route in the PIX to experiment with sendmail masquerading and forgot that NAT for ssh connections had also changed.

My theory is that connections slowed to a crawl because the PIX isn't designed to use its WAN address for routing http, sendmail etc connections to servers - each server should have its own external IP independent of the PIX WAN address, so that the PIX external interface can be dedicated to implementing the rules.  So I've changed the PIX configuration back to its default/earlier settings.   Connections are still slow, but the day here in Alaska is still young, so we'll see.

FYI here's my routing table:
>netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
Expert Comment by: noci, ID: 17150058
It doesn't really matter where your DNS server is. What is its function: serving DNS to machines inside your network (you need local addresses) or outside your network (you need public addresses)?

If someone on the internet asks the question to your DNS and gets 192.168.1.3, it will address a system on that user's OWN network, as he also runs a natted network. Or if he is directly on the internet, his ISP won't route this address to you ==> for a DNS facing the internet you need to provide public addresses, for a DNS facing your local network you need private addresses.

The eth0 and eth1 are both connected to the same network I hope, with different addresses? Otherwise you might lose every other packet, because traffic traveling to the outside can choose between eth0 or eth1 and might do so alternating... that can be the cause of slowness too.
Maybe you should take eth1 down to get better performance. It all depends on some implementation detail but I've seen AIX systems in trouble over this.
Author Comment by: klukac, ID: 17150587
Yep, eth0 and eth1 have IPs in the same subnet on my LAN.  I'm not sure what eth1 is doing but I shut it down, again (it comes up on reboot by default, but it's nice to have it as backup once in a while).

Once eth0 has been running for a while on its own, it acquires 169.254.0.0 also, which I expect belongs to my ISP - it's not in the same Class A as my public IPs so it must be routed somewhere.

I maintain my public IPs with my DNS provider, Network Solutions.  My public IPs fail on reverse lookup because the PTR records (which are maintained by my ISP) don't match.  I could push to have that done, but I'm moving so I've requested that my next ISP provide this service.

Initially I understood that DNS lookups for my domain should only concern Network Solutions (and not my LAN) so I did not open port 53 on my PIX.  However I was seeing a lot of rejections from UUNET and the domain manager for North America in the PIX logs, and I was occasionally losing DNS resolution on my LAN (although I still had ICMP responses from routable IP addresses).  So I opened up the firewall to port 53 and haven't experienced any outages that I know of.

My network is still slow, so I'm hoping that shutting down eth1 will speed things up.  Back when that happens :)

The bad news is that it looks impossible with NAT to resolve the invalid hostname errors, which appear when analyzing the SMTP greeting in the email headers, and which big ISPs use for triage of bulk mail.  I can't imagine that companies looking for network security would purchase an expensive NAT firewall if the end result is to have mail from your server rejected as junk - it's like saying security is more important than actually exchanging mail.
Accepted Solution by: noci (earned 500 total points), ID: 17151989
169.254.0.0/16 is the address range of UPnP (Universal Plug & Play).
Protocol designed by MS to allow easy access to all sorts of equipment (routers etc); because of the ease-of-use requirements it lacks quite something on the security aspect.

As stated before: NAT cannot help with hostnames.
The whole of the internet can work without it, it even does.
TCP/IP is about IP addresses.

Hostnames are about humans, because we can't remember all 4 billion of them and what is on what IP address; that's where DNS kicks in.

We say "I want a page from google.com through http"; my client software (a browser) starts with a DNS query to my configured (in resolv.conf) DNS server1, which doesn't know either, but server1 asks the .com server2 where to look. To find the .com server, server1 asks the DNS . server where the .com server is, then server1 asks the .com server2 where the google.com DNS is, and it tells server1. Finally server1 asks the google.com DNS server what the address is.
Then your browser connects to the google server, port 80, and asks for the page.....
All DNS servers keep their answers for about a day, or two days at most.

For mail it's slightly different:
the mailer looks up all RCPT TO addresses (domain part only) (asks DNS if there are MX records for a domain); if not, it will ask for the address of the domain.
The MX records can supply a list of alternatives, in prioritized order.
It connects to the supplied address (or first alternative), and passes it all relevant RCPT TO: addresses, MAIL FROM: etc + DATA block with message.

So you need to tell your mailer to change the MAIL FROM: address as well as the headers in the DATA block.
Your PIX can only handle the IP side of it, i.e.
your mailer is on 192.168.1.3 and for the internet it needs to be a public address (f.e. 194.109.6.104). That's what your PIX must do.

If my mailer gets 192.168.1.3 as an answer it will try to send mail meant to go to you to my printer on MY LAN instead, as 192.168.0.0/16 is in PRIVATE space, in use in thousands of places on the internet.

BTW, it used to be possible to send mail to someone@[1.2.3.4] where the mail would be sent to the machine 1.2.3.4 without looking up domains, but that changed when spamming started on a large scale (some systems do still accept it).
Mail predates DNS by about 15 years at least.
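The mail-routing step described in the accepted solution above, as an added example (not code from the thread or from sendmail): MX records are sorted by preference, a domain without MX falls back to its own A record, and any target that resolves to private or link-local space is dropped, since a remote MTA could never reach it. The zone data is constructed; host names follow the thread's placeholders and 203.0.113.0/24 stands in for a public range.

```python
import ipaddress

# Address blocks a remote MTA can never reach: RFC 1918 private space,
# the 169.254.0.0/16 range seen in the routing table above, and loopback.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]

# Constructed DNS answers standing in for what a resolver would return
# (assumed sample data, not the poster's real zone).
ZONE = {
    "mydomain.com": {"MX": [(20, "backup.mydomain.com"),
                            (10, "mail.mydomain.com")]},
    "mail.mydomain.com": {"A": ["203.0.113.14"]},
    "backup.mydomain.com": {"A": ["203.0.113.12"]},
    "nomx.example": {"A": ["198.51.100.7"]},
    # An MX published with an inside address: the mistake the thread warns about.
    "internal.example": {"MX": [(10, "mx.internal.example")]},
    "mx.internal.example": {"A": ["192.168.1.3"]},
}


def lookup(name, rtype, zone=ZONE):
    """Records of type rtype for name (case-insensitive, trailing dot ignored)."""
    return list(zone.get(name.lower().rstrip("."), {}).get(rtype, []))


def is_public(addr):
    """True if addr lies outside every block in UNROUTABLE."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in UNROUTABLE)


def mail_targets(rcpt, zone=ZONE):
    """Delivery hosts for one RCPT TO address, chosen the way an MTA does:
    MX records in preference order (lowest number first); a domain with
    no MX falls back to its own A record. Returns [(host, ip), ...]."""
    domain = rcpt.rsplit("@", 1)[1]
    mx = sorted(lookup(domain, "MX", zone))
    hosts = [host for _pref, host in mx] or [domain]
    return [(host, addr) for host in hosts for addr in lookup(host, "A", zone)]


def routable_targets(rcpt, zone=ZONE):
    """Same list with unreachable addresses dropped. A remote MTA handed
    192.168.1.3 would connect to a box on its OWN LAN, so an MX whose
    A record is private is as good as no MX at all."""
    return [(h, a) for h, a in mail_targets(rcpt, zone) if is_public(a)]
```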
Author Comment by: klukac, ID: 17162122
Thanks very much, your latest helps an awful lot!  I obviously didn't realize that the names assigned to IPs in the pix have nothing to do with how DNS resolves.   I guess  I should have figured this out earlier, but there we are :(  

Also, thanks for the info about 169.254.0.0/16, I wasn't sure if my network had been compromised or what.  I ran netstat -rn several times after returning to the basic PIX settings and shutting down eth1 - that ip did not show up in the routing table again, so I figured that was just an error that popped up when I tried making the wrong changes to the PIX.

I was hoping that your comments would help me see a better way to configure the PIX to fix my sendmail problem, but that's a no-go.  Given that the PIX outside interface is not supposed to be used to route protocols to inside servers (static routes are built with separate routable IPs, one assigned to each server), there is no way around the fact that the source IP of SMTP messages will never match the host name if it's coming through a PIX firewall.   Therefore mail going through a PIX will be filtered as junk.  

As a compromise measure, I did try listing two IPs with my DNS provider (since I have two A records, mail.mydomain.com and my_host_name, assigned to the same IP on my LAN) but that was a bad idea.  All I can do with that is telnet to the mail server on port 25 from outside my LAN.  I can't reach my mail server with my pop3 mail client as before, and I can't reach my website for IMAP mail either.  So telling my DNS provider that my mail server is on .14 and the other services (www, https, pop3 etc) are on .12, when in fact all of these services are hosted on the same server, doesn't work.

Of course I check the PIX rules as I make DNS changes with my provider to avoid compounding the problem.   To keep things as simple as possible, I haven't changed anything on my other server, which operates as backup...ssh login to that server is a lot faster, which I think is related to the fact that I've made no changes to its DNS or routing.

Needless to say, my ISPs are silent on the question of how to configure the PIX to avoid getting your mail filtered as junk, so I'll have to find someone who can tell me how this works.  I'm signing up for some CISCO courses in the fall, but hope to find something out before then.
Author Comment by: klukac, ID: 17180875
OK, for the record I switched from port NAT to host NAT, because port NAT doesn't provide a mechanism for specifying the routable IP on outgoing connections.  My outgoing SMTP is now mapped to the correct IP.  I've asked my ISP to change the PTR record to the actual hostname of the server so that the SMTP greeting information matches the PTR record.  It'll be a great day when that dnsreport.com error goes away, and I can feel that day coming :)
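As an added example (not code from the thread), the receiving side of the greeting check the last comments are trying to satisfy: does the HELO name resolve to the connecting IP, does that IP have a PTR record, and does the PTR name resolve back to the IP (forward-confirmed reverse DNS). The DNS data is constructed; host names follow the thread's placeholders and 203.0.113.14 / .12 stand in for the two public addresses the poster describes.

```python
# Constructed forward (A) and reverse (PTR) answers; assumed sample data,
# not the poster's real DNS. The .12 address models mail leaving through
# the wrong NAT address, whose PTR belongs to the ISP.
FORWARD = {
    "mail.mydomain.com": "203.0.113.14",
    "myhostname.mydomain.com": "203.0.113.14",
    "www.mydomain.com": "203.0.113.12",
}
REVERSE = {
    "203.0.113.14": "mail.mydomain.com",
    "203.0.113.12": "isp-dsl-12.example.net",
}


def check_helo(client_ip, helo, forward=FORWARD, reverse=REVERSE):
    """Return the problems a receiving MTA (or a report tool like the one
    mentioned in the thread) would flag for one SMTP greeting:
      helo_not_fqdn      HELO name has no dot
      helo_unresolvable  HELO name has no A record
      helo_ip_mismatch   HELO name resolves, but not to the connecting IP
      no_ptr             the connecting IP has no reverse record
      ptr_not_confirmed  PTR name does not resolve back to the IP
    An empty list means greeting, source IP and PTR agree, which is the
    state the final comment above is working towards. Note that a HELO
    mismatch alone is a weak signal; many servers accept anything there."""
    problems = []
    helo = helo.lower().rstrip(".")
    if "." not in helo:
        problems.append("helo_not_fqdn")
    helo_ip = forward.get(helo)
    if helo_ip is None:
        problems.append("helo_unresolvable")
    elif helo_ip != client_ip:
        problems.append("helo_ip_mismatch")
    ptr = reverse.get(client_ip)
    if ptr is None:
        problems.append("no_ptr")
    elif forward.get(ptr) != client_ip:
        problems.append("ptr_not_confirmed")
    return problems


def greeting_consistent(client_ip, helo, forward=FORWARD, reverse=REVERSE):
    """Convenience wrapper: True only when no problem is found."""
    return not check_helo(client_ip, helo, forward, reverse)
```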