On Thu, 2005-10-27 at 20:26 -0600, Philip Prindeville wrote:

I'm running FC3 (updated) on a handful of machines.

I have a single IP address, with a NATing router set to that address. I have a domain, and an MX which points through the router at my mail server (or rather, the router is configured to port-forward 25, 143, etc to the mail server).

I also have several mail clients on my 192.168.1.x network.

The issues are the following:

• the clients have a smart host (DS) defined as the mail relay, but they canonical its name and then look it up in the DNS, trying to contact it on the external IP address (and not its internal 192.168.1.x address in the /etc/hosts file). My /etc/nsswitch.conf file is unmodified.

• the clients then try to relay the email with a sender's envelope address as user@host.my-domain, which the relay rejects because "host.my-domain" doesn't resolve in the DNS.

• I should probably have define(`LOCAL_RELAY', `:$S') to handle forwarding everything to the mail server.

I used to know all of this stuff once upon a time...

Am I missing anything?

---- I've never used 'LOCAL_RELAY' so I can't help you there. I typically run my own DNS servers inside the LAN so that the name resolution is completely under my control - where mail.mydomain_name.com would resolve to an internal mail server which handles end delivery (or smart host delivery).

If you don't want to run your own DNS, it's just simpler to use smart host pointing directly to the ip address of your mail server directly instead of a name which loops the connection outside of the trusted LAN.

Craig

Craig White wrote:

On Thu, 2005-10-27 at 20:26 -0600, Philip Prindeville wrote:

...

I'm running FC3 (updated) on a handful of machines.

I have a single IP address, with a NATing router set to that address. I have a domain, and an MX which points through the router at my mail server (or rather, the router is configured to port-forward 25, 143, etc to the mail server).

I also have several mail clients on my 192.168.1.x network.

The issues are the following:

• the clients have a smart host (DS) defined as the mail relay, but they canonical its name and then look it up in the DNS, trying to contact it on the external IP address (and not its internal 192.168.1.x address in the /etc/hosts file). My /etc/nsswitch.conf file is unmodified.

• the clients then try to relay the email with a sender's envelope address as user@host.my-domain, which the relay rejects because "host.my-domain" doesn't resolve in the DNS.

• I should probably have define(`LOCAL_RELAY', `:$S') to handle forwarding everything to the mail server.

I used to know all of this stuff once upon a time...

Am I missing anything?

---

I've never used 'LOCAL_RELAY' so I can't help you there. I typically run my own DNS servers inside the LAN so that the name resolution is completely under my control - where mail.mydomain_name.com would resolve to an internal mail server which handles end delivery (or smart host delivery).

If you don't want to run your own DNS, it's just simpler to use smart host pointing directly to the ip address of your mail server directly instead of a name which loops the connection outside of the trusted LAN.

Gah! I thought about that, but I was hoping there was a less heinous fix.

-Philip

Craig

Philip Prindeville wrote:

Craig White wrote:

...

On Thu, 2005-10-27 at 20:26 -0600, Philip Prindeville wrote:

...

I'm running FC3 (updated) on a handful of machines.

I have a single IP address, with a NATing router set to that address. I have a domain, and an MX which points through the router at my mail server (or rather, the router is configured to port-forward 25, 143, etc to the mail server).

I also have several mail clients on my 192.168.1.x network.

The issues are the following:

• the clients have a smart host (DS) defined as the mail relay, but they canonical its name and then look it up in the DNS, trying to contact it on the external IP address (and not its internal 192.168.1.x address in the /etc/hosts file). My /etc/nsswitch.conf file is unmodified.

• the clients then try to relay the email with a sender's envelope address as user@host.my-domain, which the relay rejects because "host.my-domain" doesn't resolve in the DNS.

• I should probably have define(`LOCAL_RELAY', `:$S') to handle forwarding everything to the mail server.

I used to know all of this stuff once upon a time...

Am I missing anything?

---

I've never used 'LOCAL_RELAY' so I can't help you there. I typically run my own DNS servers inside the LAN so that the name resolution is completely under my control - where mail.mydomain_name.com would resolve to an internal mail server which handles end delivery (or smart host delivery).

If you don't want to run your own DNS, it's just simpler to use smart host pointing directly to the ip address of your mail server directly instead of a name which loops the connection outside of the trusted LAN.

Gah! I thought about that, but I was hoping there was a less heinous fix.

-Philip

...

Craig

Actually, if you run bind you can implement views on your DNS boxen, which allow you to serve up different zone (A,MX,etc.) records to different networks/hosts. It's a breeze to configure and essentially eliminates the issue you're (and about a million other net admins) are running into.

Check out:

http://sysadmin.oreilly.com/news/views_0501.html

for more info.

David-Paul Niner

On Thu, 2005-10-27 at 21:26, Philip Prindeville wrote:

I'm running FC3 (updated) on a handful of machines.

I have a single IP address, with a NATing router set to that address. I have a domain, and an MX which points through the router at my mail server (or rather, the router is configured to port-forward 25, 143, etc to the mail server).

I also have several mail clients on my 192.168.1.x network.

The issues are the following:

• the clients have a smart host (DS) defined as the mail relay, but they canonical its name and then look it up in the DNS, trying to contact it on the external IP address (and not its internal 192.168.1.x address in the /etc/hosts file). My /etc/nsswitch.conf file is unmodified.

Mailers always use MX records (since that's what they are for) unless you specify otherwise by putting the name or IP address in [] brackets. You should probably configure the MTA clients to send to your server via smtp instead of a local sendmail, as well as configuring the non-server sendmail's to use MAIL_HUB with the server's address so all of your local mail ends up on one server. Your mail server should use SMART_HOST with your ISP's relay host.

• the clients then try to relay the email with a sender's envelope address as user@host.my-domain, which the relay rejects because "host.my-domain" doesn't resolve in the DNS.

Set MASQUERATE_AS to your public domain name, and FEATURE((masquerade_envelope) in sendmail.mc

• I should probably have define(`LOCAL_RELAY', `:$S') to handle forwarding everything to the mail server.

SMART_HOST should be fine.

I used to know all of this stuff once upon a time...

Am I missing anything?

Add your public DNS name to the local-host-names file if your server doesn't use that name itself so it will accept inbound mail.

Don't mess with sendmail.cf, edit sendmail.mc, run make and restart sendmail.

Alexander Dalloz wrote:

Am Fr, den 28.10.2005 schrieb Philip Prindeville um 4:26:

...

I'm running FC3 (updated) on a handful of machines.

I have a single IP address, with a NATing router set to that address. I have a domain, and an MX which points through the router at my mail server (or rather, the router is configured to port-forward 25, 143, etc to the mail server).

I also have several mail clients on my 192.168.1.x network.

The issues are the following:

• the clients have a smart host (DS) defined as the mail relay, but they canonical its name and then look it up in the DNS, trying to contact it on the external IP address (and not its internal 192.168.1.x address in the /etc/hosts file). My /etc/nsswitch.conf file is unmodified.

• the clients then try to relay the email with a sender's envelope address as user@host.my-domain, which the relay rejects because "host.my-domain" doesn't resolve in the DNS.

• I should probably have define(`LOCAL_RELAY', `:$S') to handle forwarding everything to the mail server.

I used to know all of this stuff once upon a time...

...

-Philip

Reading this I have the strong feeling it was you I was talking to in #sendmail on freenode this evening (night) :)

Wasn't me.

I would vote for running a local DNS (bind) service, in conjunction with DHCP and dynamic zone updates. That would be ideal. And for unqualified sender addresses use the masquerading features of Sendmail.

On the other hand you may go this route: do not run local Sendmail daemons, but use the submission process to directly feed outgoing mail from inner clients to the central mail hub. Have a look at /etc/mail/submit.mc. Comment out (remove the leading "dnl") for

define(`confDIRECT_SUBMISSION_MODIFIERS',`C')

and even add a line

FEATURE(`nocanonify', `canonify_hosts')

I'll try it. BTW: What does:

define(`confBIND_OPTS',`-DNSRCH -DEFNAMES')dnl

do? The README isn't very clear on that...

and finally change the IP in

FEATURE(`msp', `[127.0.0.1]')dnl

to the one of the central mail hub.

If I do this, can I change "QUEUE=" in /etc/sysconfig/sendmail?

-Philip

Please see http://www.sendmail.org/m4/msp.html or better the current cf/README coming with your Sendmail on Fedora. Many discussion about this topic to be found through

http://groups.google.com/groups?hl=en&lr=&c2coff=1&sa=X&oi=g...

Hope it helps.

Alexander

Craig White wrote:

On Fri, 2005-10-28 at 06:18 +0200, Alexander Dalloz wrote:

...

Am Fr, den 28.10.2005 schrieb Philip Prindeville um 4:26:

...

I'm running FC3 (updated) on a handful of machines.

I have a single IP address, with a NATing router set to that address. I have a domain, and an MX which points through the router at my mail server (or rather, the router is configured to port-forward 25, 143, etc to the mail server).

I also have several mail clients on my 192.168.1.x network.

The issues are the following:

• the clients have a smart host (DS) defined as the mail relay, but they canonical its name and then look it up in the DNS, trying to contact it on the external IP address (and not its internal 192.168.1.x address in the /etc/hosts file). My /etc/nsswitch.conf file is unmodified.

• the clients then try to relay the email with a sender's envelope address as user@host.my-domain, which the relay rejects because "host.my-domain" doesn't resolve in the DNS.

• I should probably have define(`LOCAL_RELAY', `:$S') to handle forwarding everything to the mail server.

I used to know all of this stuff once upon a time...

-Philip

Reading this I have the strong feeling it was you I was talking to in #sendmail on freenode this evening (night) :)

I would vote for running a local DNS (bind) service, in conjunction with DHCP and dynamic zone updates. That would be ideal. And for unqualified sender addresses use the masquerading features of Sendmail.

On the other hand you may go this route: do not run local Sendmail daemons, but use the submission process to directly feed outgoing mail from inner clients to the central mail hub. Have a look at /etc/mail/submit.mc. Comment out (remove the leading "dnl") for

define(`confDIRECT_SUBMISSION_MODIFIERS',`C')

and even add a line

FEATURE(`nocanonify', `canonify_hosts')

and finally change the IP in

FEATURE(`msp', `[127.0.0.1]')dnl

to the one of the central mail hub.

Please see http://www.sendmail.org/m4/msp.html or better the current cf/README coming with your Sendmail on Fedora. Many discussion about this topic to be found through

http://groups.google.com/groups?hl=en&lr=&c2coff=1&sa=X&oi=g...

Hope it helps.

---

the alternative to running local dns is to use /etc/hosts to define a locally available name that doesn't resolve properly via dns isn't it? It would strike me as simpler to add the name to /etc/hosts but I still prefer just using the ip address in sendmail.mc

Craig

That's what I thought too, but it turns out you can't have "name" in the /etc/hosts file... Or rather, you need both "name" and "name." in there, since sendmail likes to put a "rooting" dot on the end of domain names.

-Philip

Unrelated question to my previous posting... I'm seeing:

Dec 14 04:02:08 mail sendmail[28092]: NOQUEUE: connect from localhost.localdomain [127.0.0.1] Dec 14 04:02:08 mail sendmail[28092]: AUTH: available mech=DIGEST-MD5 ANONYMOUS CRAM-MD5, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN Dec 14 04:02:08 mail sendmail[28092]: jBEB28d9028092: Milter: no active filter Dec 14 04:02:08 mail sendmail[28092]: STARTTLS=server, relay=localhost.localdomain [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256 Dec 14 04:02:08 mail sendmail[28092]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok Dec 14 04:02:08 mail sendmail[28092]: AUTH: available mech=LOGIN DIGEST-MD5 PLAIN ANONYMOUS CRAM-MD5, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN Dec 14 04:02:09 mail sendmail[28092]: ruleset=trust_auth, arg1=root@mail.redfish-solutions.com, relay=localhost.localdomain [127.0.0.1], reject=550 5.7.1 root@mail.redfish-solutions.com... not authenticated Dec 14 04:02:09 mail sendmail[28092]: jBEB28dA028092: from=root@mail.redfish-solutions.com, size=8713, class=0, nrcpts=1, msgid=200512141102.jBEB28bF028088@mail.redfish-solutions.com, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]

and wondering, is there a:

LOCAL_RULESETS SLocal_trust_auth ...

simple fix for skipping authentication on connections from 127.0.0.1?

Thanks,

-Philip