• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 413
  • Last Modified:

Masquerading in Sendmail with PIX firewall

I have sendmail working on RHES behind NAT with a PIX firewall for some time.  I would now like to masquerade "myhostname.mydomain.com" as "mail.mydomain.com" so that my outgoing email headers show mail originating from mail.mydomain.com instead of the actual hostname.
I have checked the criteria at http://www.linuxselfhelp.com/quick/sendmail.html which are admittedly dated, but comprehensive, and so far
- my zone file shows
                        IN  NS     myhostname.mydomain.com
                        IN  MX     mail.mydomain.com
localhost               IN  A
myhostname              IN  A
mydomain.com.           IN  A
mail.mydomain.com.      IN  A
www                     IN  CNAME  myhostname.mydomain.com.
ns                      IN  CNAME  myhostname.mydomain.com.

- /etc/mail/sendmail.mc shows:
dnl MASQUERADE_AS(`mail.mydomain.com')dnl
dnl FEATURE(masquerade_envelope)dnl
dnl FEATURE(masquerade_entire_domain)dnl
dnl MASQUERADE_DOMAIN(mydomain.com)dnl

- /etc/sysconfig/network shows
#HOSTNAME=myhostname.mydomain.com  //default entry, disabled
HOSTNAME=mail.mydomain.com                   //new entry

- /etc/hosts shows      localhost.localdomain                localhost  myhostname.mydomain.com    myhostname loghost

 I have a second virtual domain on this server using the same IP for mail, but that's another question for another day.  This is a good start but I'm concerned about /etc/sysconfig/network.  I'm working remotely and I'm not comfortable running ifdown/ifup on eth0 to get it to respond to a different hostname because I don't know what that will do to my ssh connection.  Even though the ACLs and routes on the PIX are IP-based, the IPs are mapped to hostnames, and if eth0 now responds to "mail" instead of the hostname, I may have a problem.  So my question is: if this configuration is correct, will it work with the PIX?

3 Solutions
noci (Software Engineer) commented:
IP routing & filtering in firewalls never use any hostnames.

They are based on IP addresses and, if used in a protocol, port numbers.

So the rules in your PIX will forward anything put at them according to the rules,
based on IP.

A packet that reaches its destination address will go to your system regardless of whether www.mydomain.com, ns.mydomain.com etc.
was used.

BTW, don't modify localhost in your zone file either; it can cause quite some unexpected behaviour
if programs think they use localhost to talk back to themselves and end up somewhere else.

Some daemons are localhost bound, meant to use the lo interface, and otherwise will reject a connection.

klukac (Author) commented:
Thanks very much!
I remembered that I had another LAN card on that machine, so before reading your message I changed the PIX logging host to eth1 so that changes to eth0 wouldn't cut me off.  But now, no worry I guess.

Anyway, I'm still trying to sort this out - I rebooted eth0, so mail.mydomain.com is now how my server identifies itself on the Internet, per a mail header a friend just sent me.   So masquerading may work; however dnsreport.com still shows the same error (my mailserver name is invalid)... I'll wait a while to see if it changes.

In the meantime, ssh -l myuser www.mydomain.com still works but it's terribly slow since the eth0 change/reboot,
and ssh -l myuser doesn't work at all from this client, although I'm able to log in to my backup server in this way.
Let me know what to look for, thanks.

noci (Software Engineer) commented:
Can you please show me a picture of your network...

<Internetaddr> -| PIX | - ---+---- [ BOX ] ----+
                                                         +---- 192.168.1.X  --------------+

Is your DNS server running on your BOX, or somewhere on the internet?

Can you do: ifconfig -a on your mailserver,
and also a netstat -rn.

From where did you do the ssh -l myuser www.mydomain.com,
and from where the ssh -l myuser (assuming that is your outside IP address)?

You never identify yourself on the internet by name.....
As before, the internet (version 4, IPv4) uses IP addresses of 4 bytes grouped together in networks
by netmask. This address, f.e., is the address of your machine regardless of the
domain name. Internet domain names were put in use about 15 years AFTER the inception of
the internet protocol.

Through NAT an address outside of your PIX gets translated to an inside address.
Your system listens for packets with that address!

Humans can hardly remember the numbers of tens of systems but are very good at
handling names, so we give a meaningful name to an IP address by using a name-to-number translator
=> DNS.
Domain names also play a role in mail routing (that's network layer 7; IP is layer 2/3).
So AFTER a connection is built (with several packets starting the TCP link)
the SMTP protocol starts:

HELO mail.example.com
MAIL FROM: <someone@mail.example.com>
RCPT TO: <you@mydomain.com>


It's the RCPT TO: that holds the destination of the mail.
(That is at least 3 packets after it all started, and it's the first
indication whether the mail is meant for you or needs to be relayed.)

It's only in the HELO message that your mail server announces itself to another mailserver
(and many mail servers accept ANYTHING there as a hostname).

Why the need to change the eth0 interface?
BTW, what did you change, the hostname?

The use of the localhost name in DNS might be a problem.


noci (Software Engineer) commented:
Is your DNS on the internet?
If so: the 192.168.x.x addresses are non-routable.
You need to put your OUTSIDE IP address in that file.

The zone file as you have shown in your request is one that can work on your inside network
for local mail, but not for the outside.
The same holds true the other way: if you have outside addresses in DNS on the internet,
you can't use the same DNS to serve your local addresses. NAT doesn't work for DNS.

SSH from the internet might fail because your PIX blocks the traffic?
klukac (Author) commented:
My server is inside NAT, so adding an external IP to the zone file will not help - all connections to the Internet are through the PIX (static routes + ACLs).  I could remove the localhost entry from the zone file, which doesn't look like it belongs there.

You were right about the SSH connection, I had changed the route in the PIX to experiment with sendmail masquerading and forgot that NAT for ssh connections had also changed.

My theory is that connections slowed to a crawl because the PIX isn't designed to use its WAN address for routing http, sendmail etc connections to servers - each server should have its own external IP independent of the PIX WAN address, so that the PIX external interface can be dedicated to implementing the rules.  So I've changed the PIX configuration back to its default/earlier settings.   Connections are still slow, but the day here in Alaska is still young, so we'll see.

FYI here's my routing table:
>netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                U         0 0          0 eth0
                                                U         0 0          0 eth1
                                                U         0 0          0 eth1
                                                UG        0 0          0 eth0

noci (Software Engineer) commented:
It doesn't really matter where your DNS server is. What is its function: serving DNS to machines inside your network (you need local addresses)
or outside your network (you need public addresses)?

If someone on the internet asks the question to your DNS and gets a 192.168.x.x address back, it will address a system on that user's OWN network if he also runs a NATted
network. Or if he is directly on the internet, his ISP won't route this address to you ==> for a DNS facing the internet you need to provide public addresses, for a DNS facing your local network you need private addresses.

The eth0 and eth1 are both connected to the same network I hope, with different addresses? Otherwise you might lose every other packet,
because traffic travelling to the outside can choose between eth0 or eth1 and might do so alternating... that can be the cause of slowness too.
Maybe you should take eth1 down to get better performance. It all depends on some implementation detail but I've seen AIX systems in trouble over this.

klukac (Author) commented:
Yep, eth0 and eth1 have IPs in the same subnet on my LAN.  I'm not sure what eth1 is doing but I shut it down, again (it comes up on reboot by default, but it's nice to have it as backup once in a while).

Once eth0 has been running for a while on its own, it also acquires another address, which I expect belongs to my ISP - it's not in the same Class A as my public IPs so it must be routed somewhere.

I maintain my public IPs with my DNS provider, Network Solutions.  My public IPs fail on reverse lookup because the PTR records (which are maintained by my ISP) don't match.  I could push to have that done, but I'm moving so I've requested that my next ISP provide this service.  

Initially I understood that DNS lookups for my domain should only concern Network Solutions (and not my LAN) so I did not open port 53 on my PIX.  However I was seeing a lot of rejections from UUNET and the domain manager for North America in the PIX logs, and I was occasionally losing DNS resolution on my LAN (although I still had icmp responses from routable IP addresses).  So I opened up the firewall to port 53 and haven't experienced any outages that I know of.

My network is still slow, so I'm hoping that shutting down eth1 will speed things up.  Back when that happens :)

The bad news is that it looks impossible with NAT to resolve the invalid hostname errors, which appear when analyzing the SMTP greeting in the email headers, and which big ISPs use for triage of bulk mail.  I can't imagine that companies looking for network security would purchase an expensive NAT firewall if the end result is to have mail from your server rejected as junk - it's like saying security is more important than actually exchanging mail.  


noci (Software Engineer) commented:
That address is in the range of UPnP (Universal Plug & Play).
A protocol designed by MS to allow easy access to all sorts of equipment (routers etc.); because of the ease-of-use
requirements it lacks quite something on the security aspect.

As stated before: NAT cannot help with hostnames.
The whole of the internet can work without it; it even does.
TCP/IP is about IP addresses.

Hostnames are about humans, because we can't remember all 4 billion of them and what is on what IP address;
that's where DNS kicks in.

We tell: I want a page from google.com through http. My client software (a browser) starts with a DNS query
to my configured (in resolv.conf) DNS server1, which doesn't know either, but server1 asks the .com server2 where to look;
to find the .com server, server1 asks the DNS . (root) server where the .com server is, then server1 asks the .com server2 where the
google.com DNS is, and it tells server1; finally server1 asks the google.com DNS server what the address is.
Then your browser connects to the google server, port 80, and asks for the page.....
All DNS servers keep their answers for about a day, or two days at most.

For mail it's slightly different:
the mailer looks all RCPT TO addresses (domain part only) up (asks DNS if there are MX records for a domain); if not it will ask for the address of the domain.
The MX records can supply a list of alternatives, in prioritized order.
It connects to the supplied address (or first alternative), and passes it all relevant RCPT TO: addresses, MAIL FROM: etc. + the DATA block with the message.

So you need to tell your mailer to change the MAIL FROM: address as well as the headers in the DATA block.
Your PIX can only handle the IP side of it, i.e.
your mailer is on an inside address and for the internet it needs to be a public address. That is what your PIX must do.

If my mailer gets a private address as an answer it will try to send mail meant to go to you to my printer on MY LAN instead,
as that address is in PRIVATE space, in use in thousands of places on the internet.

BTW, it used to be possible to send mail to someone@[] where the mail would be sent to the machine without looking up domains,
but that changed when spamming started on a large scale (some systems do still accept it).
Mail predates DNS by about 15 years at least.
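The delivery lookup noci describes (MX records in preference order, A record only when there is no MX, and the trap of a private address published in public DNS), as an added example that is not code from the original thread. The DNS answers are constructed in a dict; the hostnames are the thread's, the addresses are made up.

```python
import ipaddress

# Constructed DNS answers standing in for what a resolver would return; not
# data from the original thread. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here as stand-ins for public addresses.
# lanonly.example reproduces noci's point: an MX whose A record is a
# private 192.168.x.x address published in public DNS.
DNS = {
    "mydomain.com":        {"MX": [(20, "backup.mydomain.com"), (10, "mail.mydomain.com")]},
    "mail.mydomain.com":   {"A": ["203.0.113.14"]},
    "backup.mydomain.com": {"A": ["203.0.113.12"]},
    "nomx.example":        {"A": ["198.51.100.7"]},
    "lanonly.example":     {"MX": [(10, "mx.lanonly.example")]},
    "mx.lanonly.example":  {"A": ["192.168.1.20"]},
}

# Address blocks no ISP will route to you (RFC 1918 plus loopback/link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed zone."""
    return DNS.get(name.rstrip(".").lower(), {}).get(rtype, [])

def is_public(addr):
    a = ipaddress.ip_address(addr)
    return not any(a in net for net in NON_ROUTABLE)

def delivery_candidates(rcpt):
    """Hosts an MTA tries for RCPT TO:<rcpt>, in order: MX targets by
    ascending preference; with no MX at all, the domain's own A record."""
    domain = rcpt.rsplit("@", 1)[1]
    mx = sorted(lookup(domain, "MX"))            # (preference, host) tuples
    if mx:
        return [host for _pref, host in mx]
    return [domain] if lookup(domain, "A") else []

def routable_targets(rcpt):
    """Resolve each candidate and keep only addresses a remote MTA can reach.
    A private address here would send a remote site's mail to a box on its
    own LAN (noci's printer) instead of to you."""
    return [(host, addr)
            for host in delivery_candidates(rcpt)
            for addr in lookup(host, "A")
            if is_public(addr)]

if __name__ == "__main__":
    for rcpt in ("you@mydomain.com", "x@nomx.example", "x@lanonly.example"):
        print(rcpt, "->", routable_targets(rcpt) or "NO REACHABLE MAIL HOST")
```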

klukac (Author) commented:
Thanks very much, your latest helps an awful lot!  I obviously didn't realize that the names assigned to IPs in the pix have nothing to do with how DNS resolves.   I guess  I should have figured this out earlier, but there we are :(  

Also, thanks for the info about that address, I wasn't sure if my network had been compromised or what.  I ran netstat -rn several times after returning to the basic PIX settings and shutting down eth1 - that IP did not show up in the routing table again, so I figured that was just an error that popped up when I tried making the wrong changes to the PIX.

I was hoping that your comments would help me see a better way to configure the PIX to fix my sendmail problem, but that's a no-go.  Given that the PIX outside interface is not supposed to be used to route protocols to inside servers (static routes are built with separate routable IPs, one assigned to each server), there is no way around the fact that the source IP of SMTP messages will never match the host name if it's coming through a PIX firewall.   Therefore mail going through a PIX will be filtered as junk.  

As a compromise measure, I did try listing two IPs with my DNS provider (since I have two A records, mail.mydomain.com and my_host_name, assigned to the same IP on my LAN) but that was a bad idea.  All I can do with that is telnet to the mail server on port 25 from outside my LAN.  I can't reach my mail server with my pop3 mail client as before, and I can't reach my website for IMAP mail either.  So telling my DNS provider that my mail server is on .14 and the other services (www, https, pop3 etc) are on .12, when in fact all of these services are hosted on the same server, doesn't work.

Of course I check the PIX rules as I make DNS changes with my provider to avoid compounding the problem.   To keep things as simple as possible, I haven't changed anything on my other server, which operates as backup...ssh login to that server is a lot faster, which I think is related to the fact that I've made no changes to its DNS or routing.

Needless to say, my ISPs are silent on the question of how to configure the PIX to avoid getting your mail filtered as junk, so I'll have to find someone who can tell me how this works.  I'm signing up for some CISCO courses in the fall, but hope to find something out before then.

klukac (Author) commented:
ok, for the record I switched from port nat to host nat, because port nat doesn't provide a mechanism for specifying the routable ip on outgoing connections.  My outgoing smtp is now mapped to the correct ip.  I've asked my ISP to change the PTR record to the actual hostname of the server so that the smtp greeting information matches the PTR record.  It'll be a great day when that dnsreport.com error goes away, and I can feel that day coming :)  
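The consistency check the poster is working toward (SMTP greeting name, its A record, and the PTR of the source address all agreeing, which is what a receiving MTA or a dnsreport-style tool looks at), as an added example that is not code from the original thread. The forward and reverse records are constructed; the hostnames are the thread's, the addresses are made up.

```python
# Constructed forward (A) and reverse (PTR) data, not from the original
# thread, modelling one server behind the PIX published under two public
# addresses (203.0.113.0/24 is a documentation range). .14 has a PTR that
# matches the mail hostname; .12 still carries the ISP's generic PTR, the
# mismatch the poster describes before asking the ISP to change it.
FORWARD = {
    "mail.mydomain.com":       ["203.0.113.14"],
    "myhostname.mydomain.com": ["203.0.113.12"],
}
REVERSE = {
    "203.0.113.14": "mail.mydomain.com",
    "203.0.113.12": "isp-static-12.example.net",   # ISP default PTR
}

def check_smtp_identity(helo, source_ip):
    """Checks a receiving MTA or report tool applies to the SMTP greeting.
    Returns the list of problems found; an empty list means the greeting,
    the forward DNS and the PTR all agree (forward-confirmed reverse DNS)."""
    problems = []
    # 1. The HELO name must resolve to the address the connection came from.
    if source_ip not in FORWARD.get(helo, []):
        problems.append("HELO %s does not resolve to %s" % (helo, source_ip))
    # 2. The source address needs a PTR ...
    ptr = REVERSE.get(source_ip)
    if ptr is None:
        problems.append("no PTR record for %s" % source_ip)
    # 3. ... whose name resolves back to the same address ...
    elif source_ip not in FORWARD.get(ptr, []):
        problems.append("PTR %s does not resolve back to %s" % (ptr, source_ip))
    # 4. ... and, for the strict check the thread's tool applies, equals the HELO name.
    elif ptr != helo:
        problems.append("PTR %s differs from HELO %s" % (ptr, helo))
    return problems

if __name__ == "__main__":
    # Outgoing SMTP NATed to the address the HELO name resolves to: consistent.
    print(check_smtp_identity("mail.mydomain.com", "203.0.113.14"))
    # Outgoing SMTP leaving on an address the HELO name does not resolve to: flagged.
    print(check_smtp_identity("mail.mydomain.com", "203.0.113.12"))
```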