Recipe 4.7 Limiting Masquerading

Problem

By default, every hostname that is accepted for local delivery (i.e., every hostname that is accepted as an alias for the local host) is masqueraded when masquerading is enabled. You have been asked to create a sendmail configuration that does not masquerade every local hostname alias. Instead you are to masquerade only those hostnames that are specifically identified for masquerading.

Solution

Build a file that contains the names of just those hosts that you wish to masquerade. In this example, we name the file /etc/mail/masquerade-domains.

Create a sendmail configuration containing the MASQUERADE_AS, EXPOSED_USER, and MASQUERADE_DOMAIN_FILE macros and the limited_masquerade feature. Here are sample commands:

    dnl Masquerade the From address as wrotethebook.com
    MASQUERADE_AS(`wrotethebook.com')
    dnl Users whose mail is not masqueraded
    EXPOSED_USER(root)
    dnl Load the list of hostnames that will be masqueraded
    MASQUERADE_DOMAIN_FILE(`/etc/mail/masquerade-domains')
    dnl Only masquerade names listed in class $=M
    FEATURE(`limited_masquerade')

Rebuild and reinstall the sendmail.cf file, and then restart sendmail, as described in Recipe 1.8.

Discussion

By default, every host listed in class $=w is allowed to relay, and mail addressed to any host in class $=w is accepted for local delivery. In addition, when the MASQUERADE_AS macro is used, mail from any host listed in class $=w is masqueraded. This is usually just what you want. An exception, however, occurs when class $=w defines a larger set of hosts for relaying or local delivery than the set that should be masqueraded. For example, assume that you have a mail exchanger that handles mail for a few domains, and that your local-host-names file contains the following entries:

    horseshoe.wrotethebook.com
    wrotethebook.com
    ora.com
    example.com
    stateu.edu

Two of these entries (horseshoe.wrotethebook.com and wrotethebook.com) are in the local domain. The others are not.

Normally, both the hostnames in class $=w and those in class $=M are masqueraded. While this system is the mail exchanger for ora.com, example.com, and stateu.edu, it should not masquerade those domains as wrotethebook.com. The limited_masquerade feature limits masquerading to just those hosts listed in class $=M. Relaying and local delivery continue to be influenced by class $=w, but class $=w is ignored for masquerading when the limited_masquerade feature is used. A few tests illustrate this.

The first test is a sendmail -bt test using the local-host-names file just shown and a masquerading configuration that does not use the limited_masquerade feature.

    # sendmail -bt -Crecipe4.2.cf
    ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
    Enter <ruleset> <address>
    > $=w
    example.com
    chef
    ora.com
    localhost.localdomain
    localhost
    [192.168.0.8]
    [localhost.localdomain]
    stateu.edu
    [127.0.0.1]
    horseshoe.wrotethebook.com
    wrotethebook.com
    chef.wrotethebook.com
    > /tryflags HS
    > /try esmtp amanda@stateu.edu
    Trying header sender address amanda@stateu.edu for mailer esmtp
    canonify           input: amanda @ stateu . edu
    Canonify2          input: amanda < @ stateu . edu >
    Canonify2        returns: amanda < @ stateu . edu . >
    canonify         returns: amanda < @ stateu . edu . >
    1                  input: amanda < @ stateu . edu . >
    1                returns: amanda < @ stateu . edu . >
    HdrFromSMTP        input: amanda < @ stateu . edu . >
    PseudoToReal       input: amanda < @ stateu . edu . >
    PseudoToReal     returns: amanda < @ stateu . edu . >
    MasqSMTP           input: amanda < @ stateu . edu . >
    MasqSMTP         returns: amanda < @ stateu . edu . >
    MasqHdr            input: amanda < @ stateu . edu . >
    MasqHdr          returns: amanda < @ wrotethebook . com . >
    HdrFromSMTP      returns: amanda < @ wrotethebook . com . >
    final              input: amanda < @ wrotethebook . com . >
    final            returns: amanda @ wrotethebook . com
    Rcode = 0, addr = amanda@wrotethebook.com
    > /quit

In this case, the header sender address amanda@stateu.edu is rewritten to amanda@wrotethebook.com. The people at stateu.edu do not want their addresses rewritten in this manner, even though they use the services of the mail exchanger. To fix this, add a MASQUERADE_DOMAIN_FILE macro to the configuration and create a masquerade-domains file containing the names of the hosts that should be masqueraded. The file might, for example, contain the following:

    rodent.wrotethebook.com
    crab.wrotethebook.com
    jamis.wrotethebook.com
    giant.wrotethebook.com
    horseshoe.wrotethebook.com

The MASQUERADE_DOMAIN_FILE macro loads the file into class $=M. Adding the limited_masquerade feature to the configuration causes sendmail to ignore class $=w and use $=M for masquerading, as the following test shows:

    # sendmail -bt
    ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
    Enter <ruleset> <address>
    > $=w
    example.com
    chef
    ora.com
    localhost.localdomain
    localhost
    [192.168.0.8]
    [localhost.localdomain]
    stateu.edu
    [127.0.0.1]
    horseshoe.wrotethebook.com
    wrotethebook.com
    chef.wrotethebook.com
    > $=M
    rodent.wrotethebook.com
    crab.wrotethebook.com
    jamis.wrotethebook.com
    giant.wrotethebook.com
    horseshoe.wrotethebook.com
    > /tryflags HS
    > /try esmtp amanda@stateu.edu
    Trying header sender address amanda@stateu.edu for mailer esmtp
    canonify           input: amanda @ stateu . edu
    Canonify2          input: amanda < @ stateu . edu >
    Canonify2        returns: amanda < @ stateu . edu . >
    canonify         returns: amanda < @ stateu . edu . >
    1                  input: amanda < @ stateu . edu . >
    1                returns: amanda < @ stateu . edu . >
    HdrFromSMTP        input: amanda < @ stateu . edu . >
    PseudoToReal       input: amanda < @ stateu . edu . >
    PseudoToReal     returns: amanda < @ stateu . edu . >
    MasqSMTP           input: amanda < @ stateu . edu . >
    MasqSMTP         returns: amanda < @ stateu . edu . >
    MasqHdr            input: amanda < @ stateu . edu . >
    MasqHdr          returns: amanda < @ stateu . edu . >
    HdrFromSMTP      returns: amanda < @ stateu . edu . >
    final              input: amanda < @ stateu . edu . >
    final            returns: amanda @ stateu . edu
    Rcode = 0, addr = amanda@stateu.edu
    > /quit

Now, mail from amanda@stateu.edu goes out with her full stateu.edu address despite the fact that stateu.edu still appears in class $=w. Only the hostnames in class $=M will be masqueraded.
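The two tests above can be turned into a repeatable check. The following script is an added example, not code from the book: it generates the same /tryflags HS and /try esmtp commands, extracts each input address and its final address from -bt output, and compares them with expected pairs. The function names, the constructed horseshoe lines in the sample transcript, and the sendmail.cf path in the comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the book: regression check for limited_masquerade.

# Emit the address-test-mode commands used in the recipe for each address.
bt_commands() {
    printf '/tryflags HS\n'
    for addr in "$@"; do
        printf '/try esmtp %s\n' "$addr"
    done
    printf '/quit\n'
}

# Read a -bt transcript on stdin; print "input result" for every /try.
bt_results() {
    awk '
        /Trying header sender address / {
            sub(/.*Trying header sender address /, ""); tried = $1
        }
        /Rcode = .*addr = / { sub(/.*addr = /, ""); print tried, $1 }'
}

# Compare "input result" pairs on stdin with the "input expected" pairs in
# file $1. Prints each mismatch and returns non-zero if there is one.
check_expected() {
    awk 'NR == FNR { want[$1] = $2; next }
         ($1 in want) && want[$1] != $2 {
             printf "MISMATCH %s: got %s, want %s\n", $1, $2, want[$1]; bad = 1
         }
         END { exit bad + 0 }' "$1" -
}

# Sample transcript: the stateu.edu lines are abridged from the recipe's second
# test; the horseshoe lines are constructed for a host listed in class $=M.
sample_transcript() {
    cat <<'EOF'
Trying header sender address amanda@stateu.edu for mailer esmtp
MasqHdr          returns: amanda < @ stateu . edu . >
Rcode = 0, addr = amanda@stateu.edu
Trying header sender address amanda@horseshoe.wrotethebook.com for mailer esmtp
MasqHdr          returns: amanda < @ wrotethebook . com . >
Rcode = 0, addr = amanda@wrotethebook.com
EOF
}

# Against a live configuration (the config path is an assumption):
#   bt_commands amanda@stateu.edu | sendmail -bt -C/etc/mail/sendmail.cf | bt_results
sample_transcript | bt_results
```

Keeping one expected pair per hosted domain and per host in class $=M, and running the check after every rebuild of sendmail.cf, catches a configuration that has silently gone back to masquerading everything in class $=w.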

The example used for these tests shows a single mail exchanger hosting multiple mail domains. This can also be done using virtual mail domains, which are covered in Chapter 5.

See Also

Recipe 2.1, Recipe 4.2, Recipe 4.4, and Recipe 4.6 provide supporting information for this recipe. Recipe 4.4 and Recipe 4.6 cover similar configurations that should be evaluated before implementing this recipe. The sendmail book covers MASQUERADE_AS in 4.4.2, EXPOSED_USER in 4.4.1, MASQUERADE_DOMAIN in 4.4.3, MASQUERADE_DOMAIN_FILE in 4.4.4, and the limited_masquerade feature in 4.8.18. The "Address Masquerading" section of Linux Sendmail Administration, by Craig Hunt (Sybex), is a tutorial on masquerading. The cf/README file covers masquerading in the section Masquerading and Relaying.



Sendmail Cookbook
ISBN: 0596004710
EAN: 2147483647
Year: 2005
Pages: 178
Authors: Craig Hunt
