brucepennypacker
 asked on

Masquerading subdomains in sendmail

I have an environment where multiple servers are behind a firewall.  A few of these machines are completely inaccessible from outside the firewall, and hence they have names that are unresolvable on the internet.  I have them smarthosting through a machine that's publicly accessible.  (These are centos linux machines by the way)  So, for example:

machine hidden.foo.com sits behind the firewall. machine www.foo.com is also behind the firewall but is publicly accessible.  There is forward/reverse DNS for www.foo.com but not for hidden.foo.com.  On hidden.foo.com I have modified /etc/mail/sendmail.mc to contain define(`SMART_HOST', `www.foo.com'), and I've rebuilt sendmail.cf and restarted sendmail.

When I try to send mail from hidden.foo.com it gets received by www.foo.com without any problems.  But then when www.foo.com tries to deliver the mail it usually gets rejected with a "Sender address rejected: Domain not found" error because the from address appears as user@hidden.foo.com.

So what's the right way to configure sendmail to ensure these e-mails get delivered?  Having hidden.foo.com deliver the messages as just "user@foo.com" would be fine as far as I'm concerned.

Last Comment
BooMod

8/22/2022 - Mon
PsiCop

You should make sure that neither sendmail configuration canonicalizes E-Mail addresses. In sendmail.mc, put --> FEATURE(`nocanonify')dnl

See this PAQ for more helpful tips --> https://www.experts-exchange.com/Networking/Email_Groupware/Sendmail/Q_21322113.html
brucepennypacker

ASKER
Just tried adding FEATURE(`nocanonify')dnl to both sendmail.mc files, rebuilt sendmail.cf, and restarted sendmail on both servers.  It still shows the same error:

stat=Deferred: 450 <root@hidden.foo.com>: Sender address rejected: Domain not found
PsiCop

On www.foo.com, put an entry into /etc/mail/access

hidden.foo.com                                 RELAY

Alternatively:

Connect:hidden.foo.com                    RELAY

Rebuild the access map. You do not need to restart sendmail.

Note that this assumes that the access map functionality is properly enabled. By default, usually it is.
brucepennypacker

ASKER
Access is enabled.  I have the following in www's sendmail.mc:

FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl

I've tried a number of combinations of:

hidden.foo.com                            RELAY
hidden                                         RELAY
1.2.3.4                                        RELAY
etc.

In every case the maillog shows the exact same address rejected message.
PsiCop

Did you try:

Connect:hidden.foo.com                 RELAY

Which is different from:

hidden.foo.com                            RELAY

That's why I suggested the first one.
brucepennypacker

ASKER
Sorry.  Yes, I tried those as well.  I had the hostname, FQDN, and IP address of hidden.foo.com all listed in /etc/mail/access with RELAY, both by themselves and with the "Connect:" prefix.  I rebuilt access.db after adding all those but I still get the same error.
PsiCop

To where is www.foo.com trying to deliver the E-Mail? Does THAT host accept relays from www.foo.com?
brucepennypacker

ASKER
It's accepting e-mail directly from www.foo.com, but that's because it can resolve www.foo.com via DNS.  It's rejecting the relays because it can't resolve the domain of the e-mail address user@hidden.foo.com.  That's why I'd like to have the mail appear to come from just user@foo.com.  I've tried both sending directly from hidden.foo.com as well as relaying through www.foo.com (hidden.foo.com has a NAT through the firewall so it can get to the outside).  Both result in the same error.
brucepennypacker

ASKER
FYI, here's the entire contents of my sendmail.mc file (removed all comments) from the machine hidden.foo.com.  This is pretty much just the standard sendmail.mc that comes with centos/redhat linux:

divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
define(`SMART_HOST',`www.foo.com')dnl
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
LOCAL_DOMAIN(`foo.com')dnl
MASQUERADE_AS(foo.com)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(foo.com)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

PsiCop

Try getting rid of

FEATURE(always_add_domain)dnl
brucepennypacker

ASKER
No change...
brucepennypacker

ASKER
I just figured it out.  There's a different set of configuration files (submit.mc/submit.cf) that apparently manages local delivery instead of the default sendmail.mc/sendmail.cf.  Making the changes to that file worked like a charm.
PsiCop

Ah. Glad it's working. Don't forget to request a Refund of your points.
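An added audit script, not code from this thread: it reads the masquerade directives out of both sendmail.mc (the MTA) and submit.mc (the MSP, which handles mail submitted by local programs, the file the asker ultimately had to change) and reports what is missing, and it pulls the sender domains out of maillog "Sender address rejected" deferrals so you can see which hosts still leak unmasqueraded names. The .mc snippets and log lines in the test are constructed samples in the formats shown in the thread.

```python
"""Audit sendmail masquerading across the MTA (sendmail.mc) and the
MSP (submit.mc) configs, and spot deferred mail whose envelope sender
still carries an unmasqueraded host name."""
import re

# m4 directives look like MASQUERADE_AS(`foo.com')dnl or
# FEATURE(masquerade_envelope)dnl; the backquotes are optional and
# only the first argument matters here.
_DIRECTIVE = re.compile(r"^\s*(\w+)\(\s*`?([^'`,)]*)'?")
# Deferral as logged by sendmail, e.g.
# stat=Deferred: 450 <root@hidden.foo.com>: Sender address rejected: Domain not found
_DEFERRED = re.compile(r"stat=Deferred: 450 <([^>]+)>: Sender address rejected")


def masquerade_settings(mc_text):
    """Return (MASQUERADE_AS domain or None, set of FEATURE names) for one .mc file."""
    domain, features = None, set()
    for line in mc_text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        name, arg = m.group(1), m.group(2).strip()
        if name == "MASQUERADE_AS":
            domain = arg
        elif name == "FEATURE":
            features.add(arg)
    return domain, features


def masquerade_gaps(mta_mc, msp_mc):
    """List what is missing for mail to leave as user@domain from either path.
    Locally submitted mail enters through the MSP (submit.cf), so the
    masquerade settings must be present there as well as in sendmail.cf."""
    gaps = []
    for label, text in (("sendmail.mc", mta_mc), ("submit.mc", msp_mc)):
        domain, feats = masquerade_settings(text)
        if domain is None:
            gaps.append(f"{label}: no MASQUERADE_AS")
        if "masquerade_envelope" not in feats:
            gaps.append(f"{label}: envelope sender not masqueraded")
    return gaps


def unmasqueraded_senders(log_lines, masq_domain):
    """Sender domains from 450 deferrals that differ from the masquerade domain."""
    bad = set()
    for line in log_lines:
        m = _DEFERRED.search(line)
        if m:
            sender_domain = m.group(1).rsplit("@", 1)[-1].lower()
            if sender_domain != masq_domain.lower():
                bad.add(sender_domain)
    return sorted(bad)
```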
ASKER CERTIFIED SOLUTION
BooMod
