[Gllug] OK sendmail haters...

Mike Brodbelt mike at coruscant.demon.co.uk
Tue Sep 5 23:24:07 UTC 2006


Tom Robinson wrote:


OK, *please*, especially if we're discussing mail, turn off the HTML.
It actually hurts the eyes.

> From my limited experience domain rewrites are governed by MASQUERADE_AS
> and MASQUERADE_DOMAIN. The masquerade_envelope FEATURE is also necessary
> if you want the envelope, in addition to the headers, to be masqueraded.

Masquerade domain (while something I usually set) isn't actually
strictly necessary in all cases. Stuff in class w should be masqueraded
by default. The class M is normally populated if you want to masquerade
additional domains. You can also set the masquerade_entire_domain
feature so all hosts that are under domains in class M get masqueraded.

There's almost never going to be an occasion for most people where they
don't want envelope masquerading. Setting only MASQUERADE_AS doesn't
actually do any masquerading, it just tells sendmail what it should
masquerade as if it's going to (you can see exactly what it sets in
proto.m4).

<snip>

> The effect of this is that although mail to user at otherhost.domain
> will not be delivered locally, any mail including any
> user at otherhost.domain
> will, when relayed, be rewritten to have the MASQUERADE_AS address.
> This can be a space-separated list of names.

Yes, but this won't affect mail routing. So the mail will still get
delivered to the MX host for otherhost.otherdomain, it'll just have its
header and/or envelope rewritten on the way there. This is likely to
result in a bounce, unless you knew exactly what you were doing when you
set it up that way. You shouldn't be putting domains that aren't yours
in class M - it'll just lead to tears down the road :-). You'd want to
use this if you pushed all outbound mail from several internal domains
(say department names) out onto the internet, and you didn't want those
internal domains exposed.

> and
> ---
> masquerade_envelope

This just makes the envelope rewriting ruleset call the masquerading stuff.

If you want to check whether it's going to work the way you want it to,
just run it in test mode. For example, the internal name for my mailhost
is bifrost.altair.nexus. Sending mail out with this domain obviously
won't work too well if I ever want replies, so I masquerade it. If I
send mail to an internet address, this will (unless I've done something
odd) select the ESMTP mailer. The envelope address will be rewritten
through ruleset 3, then 1, then EnvFromSMTP (this is set in the mailer
definition), then 4. I can easily test this sequence:-

$ /usr/sbin/sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> 3,1,EnvFromSMTP,4 <mike at bifrost.altair.nexus>
canonify           input: < mike @ bifrost . altair . nexus >
Canonify2          input: mike < @ bifrost . altair . nexus >
Canonify2        returns: mike < @ bifrost . altair . nexus . >
canonify         returns: mike < @ bifrost . altair . nexus . >
1                  input: mike < @ bifrost . altair . nexus . >
1                returns: mike < @ bifrost . altair . nexus . >
EnvFromSMTP        input: mike < @ bifrost . altair . nexus . >
PseudoToReal       input: mike < @ bifrost . altair . nexus . >
PseudoToReal     returns: mike < @ bifrost . altair . nexus . >
MasqSMTP           input: mike < @ bifrost . altair . nexus . >
MasqSMTP         returns: mike < @ bifrost . altair . nexus . >
MasqEnv            input: mike < @ bifrost . altair . nexus . >
MasqHdr            input: mike < @ bifrost . altair . nexus . >
MasqHdr          returns: mike < @ coruscant . demon . co . uk . >
MasqEnv          returns: mike < @ coruscant . demon . co . uk . >
EnvFromSMTP      returns: mike < @ coruscant . demon . co . uk . >
final              input: mike < @ coruscant . demon . co . uk . >
final            returns: mike @ coruscant . demon . co . uk
>

Reasonably recent versions of sendmail tag the rulesets with symbolic
names, so it should be easy to see what's going on. To check header
rewriting, substitute HdrFromSMTP in place of EnvFromSMTP above. To see
the contents of the class M (which will be whatever MASQUERADE_DOMAIN is
set to), just type "$=M" at the prompt while in test mode. To see the
definition of the M macro (which will be what you're going to masquerade
as), type "$M".

Masquerading is very simple to actually set up properly as long as
you're not trying to do something truly odd (and the power of sendmail
is that you can, if you want to, do some wonderfully weird things). It's
also a two-minute job to test that a configuration will work as you expect it
to. In the past I've migrated a mail system from one host to another one
user at a time, by forcing direct delivery to the old mail host by IP
address for all users in a specific class. Masquerading allowed that to
be totally transparent to all involved, and people could be moved one by
one, and simply taken out of the class as it happened. When the last one
moved, the old box was simply shut down...

HTH,

Mike
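
The test-mode check described in the message above can be scripted so a configuration change is verified the same way every time. This is an added example, not part of the original post: the function names, the sample hosts (mailhost.internal.example, example.org) and the sample transcripts are constructed; only the ruleset sequence and the sendmail path come from the message.

```shell
#!/bin/sh
# Added example, not from the original post.

# final_address: read a `sendmail -bt` transcript on stdin and print the
# address from the last "final returns:" line, token spacing removed.
final_address() {
    sed -n 's/^final  *returns: *//p' | tail -n 1 | tr -d ' '
}

# masq_check DOMAIN: transcript on stdin; succeed only if the rewritten
# address ends in @DOMAIN. No "final returns:" line at all is a failure.
masq_check() {
    addr=$(final_address)
    case "$addr" in
        *@"$1") return 0 ;;
        *) echo "not masqueraded as $1: got '$addr'" >&2; return 1 ;;
    esac
}

# check_live ADDRESS DOMAIN: run the envelope and header sequences from the
# post through a real sendmail (path as used in the post).
check_live() {
    for rs in EnvFromSMTP HdrFromSMTP; do
        printf '3,1,%s,4 %s\n' "$rs" "$1" | /usr/sbin/sendmail -bt |
            masq_check "$2" || return 1
    done
}

# Constructed transcripts (hypothetical hosts), shaped like the trace above.
# Header sender rewritten to the masquerade domain:
masked_sample() {
cat <<'EOF'
HdrFromSMTP      returns: mike < @ example . org . >
final              input: mike < @ example . org . >
final            returns: mike @ example . org
EOF
}
# Envelope sender left as the internal host name (envelope not masqueraded):
unmasked_sample() {
cat <<'EOF'
EnvFromSMTP      returns: mike < @ mailhost . internal . example . >
final              input: mike < @ mailhost . internal . example . >
final            returns: mike @ mailhost . internal . example
EOF
}

masked_sample | masq_check example.org && echo "header sample: ok"
unmasked_sample | masq_check example.org 2>/dev/null || echo "envelope sample: internal name exposed"
```

On a host with sendmail installed, check_live takes the internal sender address and the expected masquerade domain and fails if either the envelope or the header sequence leaves the internal name in place.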
