More on Masquerading
Harry Putnam
reader at newsguy.com
Sun Aug 15 13:34:10 UTC 2004
Alexander Dalloz <alexander.dalloz at uni-bielefeld.de> writes:
[...]
> Is newsguy.com your domain? I ask because of the central and important
> comment on masquerading from the cf/README:
No, as is explained further along, my `domain' is a home-made one:
local.net0
> "The masquerade name is not normally canonified, so it is important that
> it be your One True Name, that is, fully qualified and not a CNAME.
> However, if you use a CNAME, the receiving side may canonify it for you,
> so don't think you can cheat CNAME mapping this way."
> (http://www.sendmail.org/m4/masquerading_relaying.html)
This confuses me to no end:
First the README shows: `MASQUERADE_AS(`host.domain')'
(It shows `host' where the first part of the domain name should be.)
As I understand it the naming convention is:
host.domain.designator = reader.local.net0
Using my FQDN that
would be `reader.net0' rather than `reader.local.com'
So I've assumed it really wants `network.domain'.
If one uses one's `One True Name', in this
case `local.net0' (I guess it means the last part of my fqdn?) then it
is not masquerading as something else. But the paragraph just
preceding the one you quoted says in part:
You can have your host masquerade as another using
MASQUERADE_AS(`host.domain')
This causes mail being sent to be labeled as coming from the
indicated host.domain, rather than $j.
But `$j' is my fqdn (reader.local.net0). Clearly the intent is to
parade as something you are not. So inserting `local.net0' there
would not accomplish that goal it seems.
>> My assumption was that the `Smart_host' at the other end of my
>> sendmail's outgoing activity required a resolvable host as source IP to
>> avoid bouncing. I thought by setting some genericstable vars I could
>> make it appear to be a resolvable host name.
> It makes not much sense to offer a smart host which requires a
> resolvable FQDN. How should people at home with DSL, modem or ISDN
> connection mail through their ISP's smart host? It is the task of the
> ISP's smart host to jump into this gap and offer such linked users the
> ability to use their own MTA without the risk that many if not most of
> the recipient MTAs reject mail coming from them, just because they have
> no resolvable FQDN.
What you say does make sense, and shows a major flaw in my picture of
what is happening and how it all works.
> Whether the contacting host announces himself with a resolvable FQDN at
> HELO/EHLO depends on the settings of the real hostname, the domain name
> (if set in sendmail.mc) and the masquerading settings (if any are defined).
> Genericstable only rewrites the sender envelope address.
Ok, that is more I didn't understand (about genericstable).
>> It is not an internet FQDN, just my own made up domain for my local
>> lan. Therefore will never be resolvable by dns lookups.
>
> Important is that your bogus (internal) FQDN is internally resolvable.
> Using a
>
>> My attempt at using generics tables consisted of adding:
>> (see sendmail2.mc below for the full settings)
>>
>> FEATURE(`genericstable')dnl
>> FEATURE(`generics_entire_domain')dnl
>>
>> And to /etc/mail/genericstable:
>> reader reader at newsguy.com
>
> --> GENERICS_DOMAIN(`local.net0')dnl
>
> belongs to the set, else the genericstable feature would not know for
> which domains to look for rewriting.
OK, I can see how that might help and have even tried it as I recall.
You may notice it appears in the posted sendmail1.mc, i.e. the one that
causes bounces.
>> Building the hash and restarting sendmail.
>
> Maybe my misunderstanding at this point and just to clear out: if you
> only change map files (the text files from which hashes/.db files are
> generated) you do not need to restart Sendmail. That is one sense of
> using these hash files.
If you reread that you'll see I'm describing a chain of events:
1) edit *.mc and generate sendmail.cf
2) build genericstable
3) restart sendmail
It was point 1 that required the restart.
[...]
>> From /var/log/messages
[...]
> Please check what following prints out:
> echo "$=M" | /usr/lib/sendmail -bt -d0
Version 8.13.1
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
USERDB USE_LDAP_INIT
============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = reader
(canonical domain name) $j = reader.local.net0
(subdomain name) $m = local.net0
(node name) $k = reader.local.net0
========================================================
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> echo "$=G" | /usr/lib/sendmail -bt
# echo "$=G" | /usr/lib/sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> local.net0
> The hosts file looks perfect.
OK, I got something right...
>> =====
>> sendmail1.mc
>
> [ ... ]
>
>> FEATURE(`genericstable')dnl
>> FEATURE(`generics_entire_domain')dnl
>> GENERICS_DOMAIN(`local.net0')dnl
>
> [ ... ]
>
>> ===
>> sendmail2.mc
>
> [ ... ]
>
>> FEATURE(`genericstable')dnl
>> GENERICS_DOMAIN(`local.net0')dnl
>
> [ ... ]
>
>> LOCAL_DOMAIN(`localhost.localdomain')dnl
>> MASQUERADE_AS(`newsguy.com')dnl
>> FEATURE(masquerade_envelope)dnl
>
> [ ... ]
>
> There is missing:
>
> MASQUERADE_DOMAIN(`localhost')dnl
> MASQUERADE_DOMAIN(`localhost.localdomain')dnl
> MASQUERADE_DOMAIN(`reader.local.net0')dnl
>
> Both commands from above for class{M} and class{G} have to show proper
> settings.
Maybe, but sendmail2.mc, which contains only
MASQUERADE_AS(`newsguy.com')dnl
FEATURE(masquerade_envelope)dnl
(concerning masquerading)
is the one that works. The other (sendmail1.mc) does not.
So that leaves some questions. But first let me input some further
information.
I've now noticed that I can put just about anything in that field.
MASQUERADE_AS(`whizbang.net')dnl is currently in sendmail.cf and
it works ok. I'll send this message that way and there will be no
bounce.
So I'm re-evaluating what that actually does. It's not doing what I
thought at all but is still doing something. So removing all generics
language I'll run a test with the following *.mc. Note it contains
two masquerade entries:
MASQUERADE_AS(`whizbang.net')# [HP 08/12/04 13:38 Not used since]dnl
FEATURE(masquerade_envelope)# [HP 08/12/04 13:38 Not used since]dnl
If I remove either one of them my mail bounces immediately.
Sorry to include another full *.mc but it seems the only way to avoid
any misunderstanding or confusion about what is or is not present in
it. So with all generics stuff removed and with this *.mc in place my mail
goes through; can you tell me what the masquerade stuff is doing that
allows my mail to go through, as you see it is set to `whizbang.net':
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
define(`SMART_HOST',`smtp.newsguy.com')
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`virtusertable')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MASQUERADE_AS(`whizbang.net')# [HP 08/12/04 13:38 Not used since]dnl
FEATURE(masquerade_envelope)# [HP 08/12/04 13:38 Not used since]dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
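A worked model of the rewriting rules this thread keeps circling, added here as an example; it is not code from the thread and not sendmail's own rulesets. It pulls the masquerade/generics macros out of .mc text and applies the rules from cf/README: MASQUERADE_AS rewrites sender addresses whose domain is a local host name (class {w}, which is where $j lives) or is in class {M} from MASQUERADE_DOMAIN, and touches the envelope sender only with FEATURE(masquerade_envelope); genericstable is consulted for senders whose domain is in class {G} from GENERICS_DOMAIN (or under it with generics_entire_domain), and a map hit is taken as-is. The .mc snippets, the class {w} list and the genericstable entry are constructed from the excerpts quoted above; allmasquerade, exposed_user, class {N}, LOCAL_DOMAIN and what the smart host does with the result are not modelled.

```python
"""Model of sendmail sender rewriting for the .mc settings in this thread.

Added example, not sendmail code. Rules per cf/README; allmasquerade,
exposed_user, class {N} and LOCAL_DOMAIN are deliberately left out.
"""
import re

# First argument of the macro calls we care about (backquote optional,
# trailing m4 comments such as "# [HP ...]dnl" ignored).
_MACRO = re.compile(
    r"^\s*(MASQUERADE_AS|MASQUERADE_DOMAIN|GENERICS_DOMAIN|FEATURE)"
    r"\(\s*`?([A-Za-z0-9_.-]+)"
)


def parse_mc(mc_text):
    """Collect masquerade/generics settings from .mc text."""
    cfg = {"masquerade_as": None, "class_M": set(), "class_G": set(),
           "features": set()}
    for line in mc_text.splitlines():
        m = _MACRO.match(line)
        if not m:
            continue
        macro, arg = m.groups()
        if macro == "MASQUERADE_AS":
            cfg["masquerade_as"] = arg
        elif macro == "MASQUERADE_DOMAIN":
            cfg["class_M"].add(arg)
        elif macro == "GENERICS_DOMAIN":
            cfg["class_G"].add(arg)
        else:
            cfg["features"].add(arg)
    return cfg


def _in_class(domain, members, entire_domain=False):
    d = domain.lower()
    return any(d == m.lower() or (entire_domain and d.endswith("." + m.lower()))
               for m in members)


def rewrite_sender(addr, cfg, class_w, genericstable, envelope):
    """Sender address as sendmail would emit it.

    class_w: local host names with $j first; genericstable: map entries
    keyed 'user' or 'user@domain'; envelope: True for MAIL FROM, False
    for the From: header.
    """
    user, _, domain = addr.partition("@")
    if not domain:
        domain = class_w[0]          # bare local users are qualified with $j
    # 1. genericstable (header and envelope alike), only for class {G} domains
    if "genericstable" in cfg["features"] and _in_class(
            domain, cfg["class_G"], "generics_entire_domain" in cfg["features"]):
        for key in (f"{user}@{domain}", user):   # full address first, then user
            if key in genericstable:
                return genericstable[key]
    # 2. masquerading: class {w} always, class {M} (its subtree only with
    #    masquerade_entire_domain); envelope only with masquerade_envelope
    if cfg["masquerade_as"] and (not envelope
                                 or "masquerade_envelope" in cfg["features"]):
        if _in_class(domain, class_w) or _in_class(
                domain, cfg["class_M"], "masquerade_entire_domain" in cfg["features"]):
            return f"{user}@{cfg['masquerade_as']}"
    return f"{user}@{domain}"


# Constructed from the excerpts quoted in this thread; the identity is the one
# printed by "sendmail -bt -d0" above ($j = reader.local.net0).
CLASS_W = ["reader.local.net0", "reader", "localhost", "localhost.localdomain"]
GENERICSTABLE = {"reader": "reader@newsguy.com"}
SENDMAIL1_MC = """\
FEATURE(`genericstable')dnl
FEATURE(`generics_entire_domain')dnl
GENERICS_DOMAIN(`local.net0')dnl
"""
SENDMAIL2_MC = """\
FEATURE(`genericstable')dnl
GENERICS_DOMAIN(`local.net0')dnl
MASQUERADE_AS(`newsguy.com')dnl
FEATURE(masquerade_envelope)dnl
"""
WHIZBANG_MC = """\
MASQUERADE_AS(`whizbang.net')# [HP 08/12/04 13:38 Not used since]dnl
FEATURE(masquerade_envelope)# [HP 08/12/04 13:38 Not used since]dnl
"""
HEADER_ONLY_MC = "MASQUERADE_AS(`whizbang.net')dnl\n"   # masquerade_envelope dropped


def sender_pair(mc_text, addr, class_w=CLASS_W, genericstable=GENERICSTABLE):
    """(From: header sender, MAIL FROM envelope sender) for addr under mc_text."""
    cfg = parse_mc(mc_text)
    return (rewrite_sender(addr, cfg, class_w, genericstable, envelope=False),
            rewrite_sender(addr, cfg, class_w, genericstable, envelope=True))


if __name__ == "__main__":
    for name, mc in [("sendmail1.mc", SENDMAIL1_MC), ("sendmail2.mc", SENDMAIL2_MC),
                     ("whizbang", WHIZBANG_MC), ("no masq_envelope", HEADER_ONLY_MC)]:
        for addr in ("reader", "root"):
            hdr, env = sender_pair(mc, addr)
            print(f"{name:16} {addr:6} header={hdr:26} envelope={env}")
```

The model shows why both masquerade lines matter: with MASQUERADE_AS alone the From: header is rewritten but MAIL FROM still carries reader.local.net0, and with generics_entire_domain only the `reader' entry is rewritten while any other local user (root, for instance) goes out untouched. On the real box the authoritative check is address test mode: run /usr/sbin/sendmail -bt, then `/tryflags HS' followed by `/try esmtp reader@reader.local.net0' for the header sender, and `/tryflags ES' with the same /try for the envelope sender, alongside the `$=M' and `$=G' class dumps already shown above.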
More information about the fedora-list
mailing list