I'm running FC3 (updated) on a handful of machines.
I have a single IP address, with a NATing router set to that address. I have a domain, and an MX which points through the router at my mail server (or rather, the router is configured to port-forward 25, 143, etc to the mail server).
I also have several mail clients on my 192.168.1.x network.
The issues are the following:
* the clients have a smart host (DS) defined as the mail relay, but they canonicalize its name and then look it up in the DNS, trying to contact it on the external IP address (and not its internal 192.168.1.x address in the /etc/hosts file). My /etc/nsswitch.conf file is unmodified.
* the clients then try to relay the email with a sender's envelope address as user@host.my-domain, which the relay rejects because "host.my-domain" doesn't resolve in the DNS.
* I should probably have define(`LOCAL_RELAY', `:$S') to handle forwarding everything to the mail server.
I used to know all of this stuff once upon a time...
Am I missing anything?
Thanks,
-Philip
On Thu, 2005-10-27 at 20:26 -0600, Philip Prindeville wrote:
---- I've never used 'LOCAL_RELAY' so I can't help you there. I typically run my own DNS servers inside the LAN so that the name resolution is completely under my control - where mail.mydomain_name.com would resolve to an internal mail server which handles end delivery (or smart host delivery).
If you don't want to run your own DNS, it's just simpler to use a smart host pointing directly to the IP address of your mail server instead of a name which loops the connection outside of the trusted LAN.
Craig
Craig White wrote:
I've never used 'LOCAL_RELAY' so I can't help you there. I typically run my own DNS servers inside the LAN so that the name resolution is completely under my control - where mail.mydomain_name.com would resolve to an internal mail server which handles end delivery (or smart host delivery).
If you don't want to run your own DNS, it's just simpler to use a smart host pointing directly to the IP address of your mail server instead of a name which loops the connection outside of the trusted LAN.
Gah! I thought about that, but I was hoping there was a less heinous fix.
-Philip
On Thu, 2005-10-27 at 21:21 -0600, Philip Prindeville wrote:
Gah! I thought about that, but I was hoping there was a less heinous fix.
---- heinous ?
edit sendmail.mc
change the one line
make -C /etc/mail
you're done.
heinous ? http://dictionary.reference.com/search?q=heinous
Craig
Philip Prindeville wrote:
I've never used 'LOCAL_RELAY' so I can't help you there. I typically run my own DNS servers inside the LAN so that the name resolution is completely under my control - where mail.mydomain_name.com would resolve to an internal mail server which handles end delivery (or smart host delivery).
If you don't want to run your own DNS, it's just simpler to use a smart host pointing directly to the IP address of your mail server instead of a name which loops the connection outside of the trusted LAN.
Gah! I thought about that, but I was hoping there was a less heinous fix.
-Philip
Actually, if you run bind you can implement views on your DNS boxen, which allow you to serve up different zone (A, MX, etc.) records to different networks/hosts. It's a breeze to configure and essentially eliminates the issue you (and about a million other net admins) are running into.
Check out:
http://sysadmin.oreilly.com/news/views_0501.html
for more info.
David-Paul Niner
On Fri, 28.10.2005, Philip Prindeville wrote at 4:26:
Reading this I have the strong feeling it was you I was talking to in #sendmail on freenode this evening (night) :)
I would vote for running a local DNS (bind) service, in conjunction with DHCP and dynamic zone updates. That would be ideal. And for unqualified sender addresses use the masquerading features of Sendmail.
On the other hand you may go this route: do not run local Sendmail daemons, but use the submission process to directly feed outgoing mail from inner clients to the central mail hub. Have a look at /etc/mail/submit.mc. Comment out (remove the leading "dnl") for
define(`confDIRECT_SUBMISSION_MODIFIERS',`C')
and even add a line
FEATURE(`nocanonify', `canonify_hosts')
and finally change the IP in
FEATURE(`msp', `[127.0.0.1]')dnl
to the one of the central mail hub.
Please see http://www.sendmail.org/m4/msp.html or better the current cf/README coming with your Sendmail on Fedora. Many discussions about this topic can be found through
http://groups.google.com/groups?hl=en&lr=&c2coff=1&sa=X&oi=g...
Hope it helps.
Alexander
On Thu, 2005-10-27 at 21:26, Philip Prindeville wrote:
- the clients have a smart host (DS) defined as the mail relay, but they canonicalize its name and then look it up in the DNS, trying to contact it on the external IP address (and not its internal 192.168.1.x address in the /etc/hosts file). My /etc/nsswitch.conf file is unmodified.
Mailers always use MX records (since that's what they are for) unless you specify otherwise by putting the name or IP address in [] brackets. You should probably configure the MTA clients to send to your server via SMTP instead of a local sendmail, as well as configuring the non-server sendmails to use MAIL_HUB with the server's address so all of your local mail ends up on one server. Your mail server should use SMART_HOST with your ISP's relay host.
- the clients then try to relay the email with a sender's envelope address as user@host.my-domain, which the relay rejects because "host.my-domain" doesn't resolve in the DNS.
Set MASQUERADE_AS to your public domain name, and FEATURE(`masquerade_envelope') in sendmail.mc
- I should probably have define(`LOCAL_RELAY', `:$S') to handle forwarding everything to the mail server.
SMART_HOST should be fine.
I used to know all of this stuff once upon a time...
Am I missing anything?
Add your public DNS name to the local-host-names file if your server doesn't use that name itself so it will accept inbound mail.
Don't mess with sendmail.cf, edit sendmail.mc, run make and restart sendmail.
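Putting the point-by-point reply above (SMART_HOST in brackets, MASQUERADE_AS, masquerade_envelope, local-host-names) together with Alexander's submit.mc route, as an added example that is not configuration posted in this thread. my-domain and the 192.168.1.x network come from Philip's post; the hub address 192.168.1.10, the ISP relay name smtp.isp.example and the extra MASQUERADE_DOMAIN, DAEMON_OPTIONS and access lines are my assumptions about a Fedora-style setup.

```m4
dnl --- /etc/mail/sendmail.mc on the central hub (added example; names are placeholders) ---
dnl Weak setting that reproduces the first symptom: an unbracketed name makes
dnl sendmail look up MX records and connect to the public (NAT) address.
dnl     define(`SMART_HOST', `mail.my-domain')dnl
dnl Brackets mean "literal host, no MX lookup". The hub hands everything it cannot
dnl deliver itself to the ISP relay (smtp.isp.example is a placeholder).
define(`SMART_HOST', `[smtp.isp.example]')dnl
dnl Fedora ships the MTA bound to 127.0.0.1 only; the LAN clients must reach port 25.
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
dnl Rewrite user@host.my-domain to user@my-domain in headers AND the envelope,
dnl for the hub itself and for every host under my-domain that relays through it.
MASQUERADE_AS(`my-domain')dnl
MASQUERADE_DOMAIN(`my-domain')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`masquerade_envelope')dnl
dnl Still required outside this file:
dnl   /etc/mail/local-host-names  add a line "my-domain" so inbound MX mail is accepted as local
dnl   /etc/mail/access            add "Connect:192.168.1   RELAY" so only the LAN may relay
dnl then: make -C /etc/mail && service sendmail restart

dnl --- /etc/mail/submit.mc on each client (no listening daemon needed) ---
dnl Hand every message straight to the hub instead of a local MTA queue.
define(`confDIRECT_SUBMISSION_MODIFIERS',`C')dnl
dnl Do not canonify the hub name or sender hosts via DNS on the client.
FEATURE(`nocanonify', `canonify_hosts')dnl
dnl Literal LAN address of the hub, so the connection never leaves the LAN
dnl (192.168.1.10 is a placeholder for the hub's inside address).
FEATURE(`msp', `[192.168.1.10]')dnl
```

The access entry is what keeps the hub from becoming an open relay once it listens on all interfaces: only 192.168.1.x connections may relay, everything else is limited to local delivery.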
On Thu, 2005-10-27 at 23:18, Alexander Dalloz wrote:
I would vote for running a local DNS (bind) service, in conjunction with DHCP and dynamic zone updates. That would be ideal. And for unqualified sender addresses use the masquerading features of Sendmail.
I think there are some NAT routers that will actually accept the outside address when sent to the inside interface, which avoids the need for any special consideration since the inside hosts can then send to the right place with the address supplied by public DNS. I don't know which versions do it, though.
Alexander Dalloz wrote:
Reading this I have the strong feeling it was you I was talking to in #sendmail on freenode this evening (night) :)
Wasn't me.
I would vote for running a local DNS (bind) service, in conjunction with DHCP and dynamic zone updates. That would be ideal. And for unqualified sender addresses use the masquerading features of Sendmail.
On the other hand you may go this route: do not run local Sendmail daemons, but use the submission process to directly feed outgoing mail from inner clients to the central mail hub. Have a look at /etc/mail/submit.mc. Comment out (remove the leading "dnl") for
define(`confDIRECT_SUBMISSION_MODIFIERS',`C')
and even add a line
FEATURE(`nocanonify', `canonify_hosts')
I'll try it. BTW: What does:
define(`confBIND_OPTS',`-DNSRCH -DEFNAMES')dnl
do? The README isn't very clear on that...
and finally change the IP in
FEATURE(`msp', `[127.0.0.1]')dnl
to the one of the central mail hub.
If I do this, can I change "QUEUE=" in /etc/sysconfig/sendmail?
-Philip
On Fri, 2005-10-28 at 06:18 +0200, Alexander Dalloz wrote:
I would vote for running a local DNS (bind) service, in conjunction with DHCP and dynamic zone updates. That would be ideal. And for unqualified sender addresses use the masquerading features of Sendmail.
---- the alternative to running local DNS is to use /etc/hosts to define a locally available name that doesn't resolve properly via DNS, isn't it? It would strike me as simpler to add the name to /etc/hosts, but I still prefer just using the IP address in sendmail.mc
Craig
Craig White wrote:
the alternative to running local DNS is to use /etc/hosts to define a locally available name that doesn't resolve properly via DNS, isn't it? It would strike me as simpler to add the name to /etc/hosts, but I still prefer just using the IP address in sendmail.mc
Craig
That's what I thought too, but it turns out you can't have "name" in the /etc/hosts file... Or rather, you need both "name" and "name." in there, since sendmail likes to put a "rooting" dot on the end of domain names.
-Philip
On Fri, 28.10.2005, Philip Prindeville wrote at 7:01:
Reading this I have the strong feeling it was you I was talking to in #sendmail on freenode this evening (night) :)
Wasn't me.
Ok, funny coincidence though.
I'll try it. BTW: What does:
define(`confBIND_OPTS',`-DNSRCH -DEFNAMES')dnl
do? The README isn't very clear on that...
Found that one via a Google search, where I think it is most verbose and helpful:
http://groups.google.com/group/comp.mail.sendmail/browse_thread/thread/25ece...
If I do this, can I change "QUEUE=" in /etc/sysconfig/sendmail?
Yes, you can change that variable, while the one for the submission queue runner would be "MQUEUE". The Sendmail init script sets MQUEUE to be QUEUE if MQUEUE isn't specified in /etc/sysconfig/sendmail.
Alexander
Unrelated question to my previous posting... I'm seeing:
Dec 14 04:02:08 mail sendmail[28092]: NOQUEUE: connect from localhost.localdomain [127.0.0.1]
Dec 14 04:02:08 mail sendmail[28092]: AUTH: available mech=DIGEST-MD5 ANONYMOUS CRAM-MD5, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Dec 14 04:02:08 mail sendmail[28092]: jBEB28d9028092: Milter: no active filter
Dec 14 04:02:08 mail sendmail[28092]: STARTTLS=server, relay=localhost.localdomain [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Dec 14 04:02:08 mail sendmail[28092]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
Dec 14 04:02:08 mail sendmail[28092]: AUTH: available mech=LOGIN DIGEST-MD5 PLAIN ANONYMOUS CRAM-MD5, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Dec 14 04:02:09 mail sendmail[28092]: ruleset=trust_auth, arg1=root@mail.redfish-solutions.com, relay=localhost.localdomain [127.0.0.1], reject=550 5.7.1 root@mail.redfish-solutions.com... not authenticated
Dec 14 04:02:09 mail sendmail[28092]: jBEB28dA028092: from=root@mail.redfish-solutions.com, size=8713, class=0, nrcpts=1, msgid=200512141102.jBEB28bF028088@mail.redfish-solutions.com, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]
and wondering, is there a:
LOCAL_RULESETS
SLocal_trust_auth
...
simple fix for skipping authentication on connections from 127.0.0.1?
Thanks,
-Philip
On Wed, 2005-12-14 at 18:35 -0700, Philip Prindeville wrote:
simple fix for skipping authentication on connections from 127.0.0.1?
Are you sure that you want to? On the off-chance that someone manages to make your system send out spams, you don't want to make it even easier for them.