Masquerading subdomains in sendmail

brucepennypacker asked:

I have an environment where multiple servers are behind a firewall.  A few of these machines are completely inaccessible from outside the firewall, and hence they have names that are unresolvable on the internet.  I have them smarthosting through a machine that's publicly accessible.  (These are CentOS Linux machines, by the way.)  So, for example:

Machine hidden.foo.com sits behind the firewall.  Machine www.foo.com is also behind the firewall but is publicly accessible.  There is forward/reverse DNS for www.foo.com but not for hidden.foo.com.  On hidden.foo.com I have modified /etc/mail/sendmail.mc to contain define(`SMART_HOST', `www.foo.com'), and I've rebuilt sendmail.cf and restarted sendmail.

When I try to send mail from hidden.foo.com it gets received by www.foo.com without any problems.  But then when www.foo.com tries to deliver the mail it usually gets rejected with a "Sender address rejected: Domain not found" error because the from address appears as user@hidden.foo.com.

So what's the right way to configure sendmail to ensure these e-mails get delivered?  Having hidden.foo.com deliver the messages as just "user@foo.com" would be fine as far as I'm concerned.

PsiCop:

You should make sure that neither sendmail configuration canonicalizes E-Mail addresses. In sendmail.mc, put --> FEATURE(`nocanonify')dnl

See this PAQ for more helpful tips --> https://www.experts-exchange.com/questions/21322113/Practical-Modern-Sendmail-Configuration-Info-Question.html
brucepennypacker (ASKER):

Just tried adding FEATURE(`nocanonify')dnl to both sendmail.mc files, rebuilt sendmail.cf, and restarted sendmail on both servers.  It still shows the same error:

stat=Deferred: 450 <root@hidden.foo.com>: Sender address rejected: Domain not found
On www.foo.com, put an entry into /etc/mail/access

hidden.foo.com                                 RELAY

Alternatively:

Connect:hidden.foo.com                    RELAY

Rebuild the access map. You do not need to restart sendmail.

Note that this assumes that the access map functionality is properly enabled. By default, usually it is.
Access is enabled.  I have the following in www's sendmail.mc:

FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl

I've tried a number of combinations of:

hidden.foo.com                            RELAY
hidden                                         RELAY
1.2.3.4                                        RELAY
etc.

In every case the maillog shows the exact same address rejected message.
Did you try:

Connect:hidden.foo.com                 RELAY

Which is different from:

hidden.foo.com                            RELAY

That's why I suggested the first one.
Sorry.  Yes, I tried those as well.  I had the hostname, FQDN, and IP address of hidden.foo.com all listed in /etc/mail/access with RELAY, both by themselves and with the "Connect:" prefix.  I rebuilt access.db after adding all those but I still get the same error.
To where is www.foo.com trying to deliver the E-Mail? Does THAT host accept relays from www.foo.com?
It's accepting e-mail directly from www.foo.com, but that's because it can resolve www.foo.com via DNS.  It's rejecting the relays because it can't resolve the domain of the e-mail address user@hidden.foo.com.  That's why I'd like to have the mail appear to come from just user@foo.com.  I've tried both sending directly from hidden.foo.com as well as relaying through www.foo.com (hidden.foo.com has a NAT through the firewall so it can get to the outside).  Both result in the same error.
FYI, here's the entire contents of my sendmail.mc file (comments removed) from the machine hidden.foo.com.  This is pretty much just the standard sendmail.mc that comes with CentOS/Red Hat Linux:

divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
define(`SMART_HOST',`www.foo.com')dnl
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
LOCAL_DOMAIN(`foo.com')dnl
MASQUERADE_AS(foo.com)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(foo.com)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

Try getting rid of

FEATURE(always_add_domain)dnl
No change...
I just figured it out.  There's a different set of configuration files (submit.mc/submit.cf) that apparently manages local delivery instead of the default sendmail.mc/sendmail.cf.  Making the changes to that file worked like a charm.
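Background for anyone who hits the same wall: on CentOS/Red Hat the sendmail binary that local programs (cron, scripts, the mail command) invoke runs as a mail submission program (MSP) configured by /etc/mail/submit.cf, which is generated from /etc/mail/submit.mc, and that file has its own rewriting rules separate from the MTA's sendmail.cf. Two further points follow from the thread itself: the rejection is a remote-side check on the envelope sender domain (so FEATURE(`masquerade_envelope') is needed, not just header masquerading), and the sendmail.mc posted above keeps EXPOSED_USER(`root'), which exempts root from masquerading, while the deferred message in the log was from root. The fragment below is an added example, not the poster's file: the masquerading block as it would be placed in /etc/mail/submit.mc ahead of the FEATURE(`msp') line that the stock file already contains. foo.com and hidden.foo.com are the poster's placeholder names, and the 127.0.0.1 MSP target is the Red Hat default.

```m4
dnl --- /etc/mail/submit.mc (added example, not the poster's file) ---
dnl Masquerade everything the MSP submits as coming from foo.com.
dnl These lines mirror the MASQUERADE block already in the MTA's sendmail.mc,
dnl but here they apply to locally submitted mail before the MTA sees it.
MASQUERADE_AS(`foo.com')dnl
dnl Rewrite hidden.foo.com (and any other host under foo.com, because of
dnl masquerade_entire_domain) to plain foo.com.
MASQUERADE_DOMAIN(`foo.com')dnl
FEATURE(`masquerade_entire_domain')dnl
dnl Rewrite the SMTP envelope sender as well as the header From:; the remote
dnl "Sender address rejected: Domain not found" check looks at the envelope.
FEATURE(`masquerade_envelope')dnl
dnl Deliberately no EXPOSED_USER(`root') here: that macro exempts root, and
dnl root@hidden.foo.com is exactly the address that was being deferred.
dnl The stock Red Hat submit.mc already ends with the MSP feature; keep the
dnl masquerade lines above it.
FEATURE(`msp', `[127.0.0.1]')dnl
```

Regenerate submit.cf afterwards (on CentOS, make -C /etc/mail from the sendmail-cf package rebuilds both .cf files and the maps; plain m4 over the .mc file also works). The MSP is not a long-running daemon, so no restart is needed for it. To confirm the rewrite without sending anything, use sendmail's address test mode against the submission config: sendmail -bt -C/etc/mail/submit.cf, then /tryflags ES (envelope sender) followed by /try esmtp root@hidden.foo.com; the final rewritten address printed should read root@foo.com. Repeat with /tryflags HS for the header sender.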
Ah.  Glad it's working.  Don't forget to request a refund of your points.
ASKER CERTIFIED SOLUTION
BooMod
This solution is only available to members.