Recipe 4.6 Masquerading at the Relay Host

Problem

You have been asked to configure the mail relay host to masquerade the header sender address of mail that originates on specific hosts as that mail passes through the mail relay.

Solution

Create a file that lists all of the hostnames that you want sendmail to masquerade. The file can be named anything you wish. This example names the file /etc/mail/masquerade-domains.

Add the MASQUERADE_AS, EXPOSED_USER, and MASQUERADE_DOMAIN_FILE macros to the sendmail configuration on the mail relay host. The MASQUERADE_DOMAIN_FILE macro must specify the masquerade-domains file created in the first step. Here are examples of the commands added to the mail relay's configuration:

    dnl Masquerade the From address as wrotethebook.com
    MASQUERADE_AS(`wrotethebook.com')
    dnl Users whose mail is not masqueraded
    EXPOSED_USER(root)
    dnl Load the list of hostnames that will be masqueraded
    MASQUERADE_DOMAIN_FILE(`/etc/mail/masquerade-domains')

Build the new sendmail.cf file, copy it to /etc/mail, and restart sendmail. Recipe 1.8 provides examples of these steps.

Discussion

The MASQUERADE_DOMAIN_FILE macro specifies a file that is loaded into sendmail.cf class $=M. sendmail masquerades hosts listed in class $=M, as well as those listed in class $=w. However, hosts listed in class $=M are not equivalent to those listed in class $=w. Placing a hostname in class $=M enables masquerading. But, unlike mail addressed to hosts listed in class $=w, mail addressed to hosts in class $=M is not accepted for local delivery. Class $=M makes it possible to extend the set of hosts for which masquerading is performed without adding to the list of local hostname aliases. A simple test shows the effect of the MASQUERADE_DOMAIN_FILE macro:

    # sendmail -bt
    ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
    Enter <ruleset> <address>
    > $=M
    horseshoe.wrotethebook.com
    rodent.wrotethebook.com
    jamis.wrotethebook.com
    > /tryflags HS
    > /try esmtp david@jamis.wrotethebook.com
    Trying header sender address david@jamis.wrotethebook.com for mailer esmtp
    canonify           input: david @ jamis . wrotethebook . com
    Canonify2          input: david < @ jamis . wrotethebook . com >
    Canonify2        returns: david < @ jamis . wrotethebook . com . >
    canonify         returns: david < @ jamis . wrotethebook . com . >
    1                  input: david < @ jamis . wrotethebook . com . >
    1                returns: david < @ jamis . wrotethebook . com . >
    HdrFromSMTP        input: david < @ jamis . wrotethebook . com . >
    PseudoToReal       input: david < @ jamis . wrotethebook . com . >
    PseudoToReal     returns: david < @ jamis . wrotethebook . com . >
    MasqSMTP           input: david < @ jamis . wrotethebook . com . >
    MasqSMTP         returns: david < @ jamis . wrotethebook . com . >
    MasqHdr            input: david < @ jamis . wrotethebook . com . >
    MasqHdr          returns: david < @ wrotethebook . com . >
    HdrFromSMTP      returns: david < @ wrotethebook . com . >
    final              input: david < @ wrotethebook . com . >
    final            returns: david @ wrotethebook . com
    Rcode = 0, addr = david@wrotethebook.com
    > $=w
    chef
    localhost.localdomain
    localhost
    [192.168.0.8]
    [localhost.localdomain]
    [127.0.0.1]
    chef.wrotethebook.com
    > /quit

The $=M command displays the contents of class $=M and shows that it contains the data from the /etc/mail/masquerade-domains file we created. The email address david@jamis.wrotethebook.com is masqueraded as david@wrotethebook.com when it is processed as a header sender address for the esmtp mailer. This happens even though jamis.wrotethebook.com is not included in class $=w, because it is included in class $=M.
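The decision traced above can be written out as a small shell model that also covers the EXPOSED_USER case the test session does not exercise. This is an added example, not code from the book or from sendmail: it is a simplified model rather than sendmail's rulesets, its class lists are copied from the test output, and crab.wrotethebook.com is a constructed host that appears in neither class.

```shell
#!/bin/sh
# Simplified model of the header-sender decision this recipe configures.
# It is NOT sendmail's ruleset code; the lists are copied from the recipe.
MASQ_AS="wrotethebook.com"      # MASQUERADE_AS
EXPOSED_USERS="root"            # EXPOSED_USER
CLASS_M="horseshoe.wrotethebook.com rodent.wrotethebook.com jamis.wrotethebook.com"
CLASS_W="chef localhost.localdomain localhost chef.wrotethebook.com"

# in_class WORD LIST: succeed if WORD is an exact, case-insensitive member.
in_class() {
    word=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for member in $2; do
        [ "$member" = "$word" ] && return 0
    done
    return 1
}

# masq_header_sender ADDRESS: print the address as it would leave the relay.
masq_header_sender() {
    case $1 in
        *@*) user=${1%@*}; host=${1##*@} ;;
        *)   printf '%s\n' "$1"; return 0 ;;  # no host part: outside this model
    esac
    host=${host%.}                            # drop a trailing dot
    if in_class "$user" "$EXPOSED_USERS"; then
        printf '%s@%s\n' "$user" "$host"      # exposed users keep their host
    elif in_class "$host" "$CLASS_M" || in_class "$host" "$CLASS_W"; then
        printf '%s@%s\n' "$user" "$MASQ_AS"   # host is in $=M or $=w
    else
        printf '%s@%s\n' "$user" "$host"      # unlisted host: unchanged
    fi
}

# crab.wrotethebook.com is a constructed host that is in neither class.
for a in david@jamis.wrotethebook.com root@jamis.wrotethebook.com \
         david@chef.wrotethebook.com david@crab.wrotethebook.com; do
    printf '%-32s -> %s\n' "$a" "$(masq_header_sender "$a")"
done
```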

Alternatives

The sample masquerade-domains file contains only three entries. It is possible to replicate this configuration without creating the masquerade-domains file by placing three MASQUERADE_DOMAIN macros in the sendmail configuration file.

    dnl Host names that will be masqueraded
    MASQUERADE_DOMAIN(`rodent.wrotethebook.com')
    MASQUERADE_DOMAIN(`horseshoe.wrotethebook.com')
    MASQUERADE_DOMAIN(`jamis.wrotethebook.com')

This alternative was rejected because it is not as flexible as creating a separate masquerade-domains file. This recipe masquerades individual hostnames. Individual hosts come and go. Hostnames change. Each change would necessitate a change to the m4 configuration with the associated rebuild, reinstall, and restart if the MASQUERADE_DOMAIN solution were used. Changes in the masquerade-domains file only require a restart.

If you're positive that you want to masquerade every host granted relay privileges, you might be tempted to use the relay-domains file as the MASQUERADE_DOMAIN_FILE:

 MASQUERADE_DOMAIN_FILE(`/etc/mail/relay-domains') 

This is generally a bad idea. A standard file should be used only for its standard purpose. The relay-domains file should be used only to grant relay privileges, and a separate file should be created to define masqueraded hostnames, even if those files are identical. The reason is that you cannot guarantee that they will remain identical into the future. In the long run, creating a separate file dedicated to a single purpose causes fewer problems than misusing a standard file.
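With the two files kept separate, a periodic comparison shows when they have drifted apart and in which direction. The script below is an added example, not part of the book: it assumes one hostname per line in each file, and its sample files are constructed (jamis has lost relay privileges, and crab, a made-up host, has gained them).

```shell
#!/bin/sh
# Report drift between two sendmail class files (one hostname per line).

# names FILE: first word of each non-blank line, lowercased, de-duplicated.
names() {
    awk 'NF { print tolower($1) }' "$1" | LC_ALL=C sort -u
}

# class_drift MASQ_FILE RELAY_FILE: print one line per host found in only one file.
class_drift() {
    m=$(mktemp) && r=$(mktemp) || return 2
    names "$1" > "$m"
    names "$2" > "$r"
    LC_ALL=C comm -23 "$m" "$r" | sed 's/^/masqueraded-not-relayed /'
    LC_ALL=C comm -13 "$m" "$r" | sed 's/^/relayed-not-masqueraded /'
    rm -f "$m" "$r"
}

# demo_drift: run the comparison on constructed sample files.
demo_drift() {
    d=$(mktemp -d) || return 2
    printf '%s\n' rodent.wrotethebook.com horseshoe.wrotethebook.com \
        jamis.wrotethebook.com > "$d/masquerade-domains"
    printf '%s\n' rodent.wrotethebook.com horseshoe.wrotethebook.com \
        crab.wrotethebook.com > "$d/relay-domains"
    class_drift "$d/masquerade-domains" "$d/relay-domains"
    rm -rf "$d"
}

demo_drift
```

On the relay host the same function would be run as class_drift /etc/mail/masquerade-domains /etc/mail/relay-domains; empty output means the two lists currently agree.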

See Also

Recipe 3.8 and Recipe 4.2 provide supporting information for this recipe. Recipe 4.4 and Recipe 4.7 cover similar configurations that should be evaluated before implementing this recipe. The sendmail book covers MASQUERADE_AS in 4.4.2, EXPOSED_USER in 4.4.1, MASQUERADE_DOMAIN in 4.4.3, and MASQUERADE_DOMAIN_FILE in 4.4.4. The "Address Masquerading" section of Linux Sendmail Administration, by Craig Hunt (Sybex), is a tutorial on masquerading. The cf/README file covers masquerading in the section Masquerading and Relaying.



Sendmail Cookbook
ISBN: 0596004710
EAN: 2147483647
Year: 2005
Pages: 178
Authors: Craig Hunt
