Re: virtual domain relaying question



Michael Grant <michael.grant@xxxxxxxxx> writes:

I have found 2 ways to configure virtual domain hosting with sendmail,
both produce slightly different results.

In the below example, 'example.not' is a domain name and 10.20.30.40
is an ip address.

10.20.30.40 is the address of where to forward example.not's mail (the
"back" end server). The relay host running sendmail is then set up as
an MX for example.not (the "front" end server). All of this
configuration happens on the front end relay server.

Method 1:
In your .mc file add:
    VIRTUSER_DOMAIN(`example.not')
and in mailertable add:
    example.not esmtp:[10.20.30.40]
Do NOT create an entry for example.not in local-host-names.

Method 2:
Do NOT add a VIRTUSER_DOMAIN directive in your .mc file.
In your local-host-names file add:
    example.not
In your virtusertable add:
    @example.not %1@[10.20.30.40]
You can also put things like this in your aliases file:
    user user@[10.20.30.40]
You can also do things like this in virtusertable:
    joe@xxxxxxxxxxx joe@[10.20.30.40]
    sue@xxxxxxxxxxx sue@[10.20.30.40]
    @example.not error:nouser User unknown

The differences between methods 1 and 2 are subtle yet important.

Method 1 relays everything. Anything that comes in for
something@xxxxxxxxxxx goes out to 10.20.30.40 via the esmtp mailer.
You cannot strip off certain addresses and reject the rest. For
certain situations, this is intolerable. Too much spam gets through
to bogus addresses and cannot be rejected up front. If there were
some way that sendmail could attempt to simultaneously deliver the
message on the back side (doing all its milter checks in real-time),
that could be very interesting.

Method 2 allows you to strip off certain addresses and reject others
(for example joe and sue are valid but reject everything else). Spam
to bogus addresses is rejected up front before it gets to
10.20.30.40. However, there's an administration nightmare if there
are a lot of users in the example.not domain that have to be managed
in your virtusertable and/or aliases file.

Method 2 also does not work in certain circumstances. In particular,
when your sendmail connects to 10.20.30.40, the envelope recipient
('RCPT To:' line in SMTP) will look like:
    RCPT To:<joe@[10.20.30.40]>
If 10.20.30.40 is not doing any sort of virtual domains and joe's
address is valid at this ip address, then this works. However, if
10.20.30.40 is handling mail for multiple domains and the account
'joe' isn't necessarily unique, this just doesn't work and some hosts
even return an error.

My question:

Is there some way to fix method 2 so that sendmail always sends down
the full original domain name? I almost want to put something like
this in the virtusertable using the old % syntax:

joe@xxxxxxxxxxx joe%example.not@[10.20.30.40]

But of course this does not work. Is there a modern syntax to specify
something like this in the virtusertable or aliases file? In other
words, "use joe@xxxxxxxxxxx as the RCPT To: in the envelope but connect
to 10.20.30.40".

Michael Grant

You can do it in virtusertable (1) but I suggest using
ldap_routing *without* LDAP (2).

1) You can use one of the two virtusertable approaches below:
   1a) based on the undocumented _VIRTUSER_STOP_ONE_LEVEL_RECURSION_
       *.mc file:
           define(`_VIRTUSER_STOP_ONE_LEVEL_RECURSION_')
       virtusertable file:
           joe@xxxxxxxxxxx joe@xxxxxxxxxxx
           sue@xxxxxxxxxxx %0
           @example.not error:nouser User unknown
   1b) based on an "internal implementation detail" of virtusertable
       virtusertable file:
           joe@xxxxxxxxxxx !
           sue@xxxxxxxxxxx !
           @example.not
2) Have you considered using FEATURE(`ldap_routing') with hash/dbm maps
   (used typically by virtusertable) instead of an LDAP lookup?
   e.g. FEATURE(`ldap_routing',`hash /etc/mail/mailhost',`null',`bounce')
   [ the null map always returns "no match" ]

It will allow you to relay messages to an "internal server" without
recipient address rewriting.

I personally suggest using the solution based on ldap_routing without
LDAP queries:
* It is more flexible than virtusertable.
  You may "*BOTH* rewrite and route" on a per-recipient-address basis.
  It is common to serve multiple internal mail servers with
  "quite different" "capabilities"/"preferred configuration".
* It will make possible an easy switch to LDAP => easy implementation of
  a "cluster of email gateways".

URL(s):
http://www.sendmail.org/m4/ldap_routing.html

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@xxxxxxxxxxxx : anfi@xxxxxxxx
Open-Sendmail: http://open-sendmail.sourceforge.net/
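
An added example, not part of either post and only a simplified model of the lookup rather than sendmail's own rule sets: it resolves the Method 2 virtusertable (full address first, then the @domain catch-all) and flags entries whose rewrite leaves only a bracketed IP in RCPT To. The table is constructed from the question with example.not written in for the masked addresses, and the function names are hypothetical.

```python
import re

# Constructed sample: the Method 2 virtusertable from the question.
VIRTUSERTABLE = """\
joe@example.not   joe@[10.20.30.40]
sue@example.not   sue@[10.20.30.40]
@example.not      error:nouser User unknown
"""

def parse_table(text):
    """Return {key: value} from 'key <whitespace> value' lines, skipping comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value
    return table

def resolve(table, rcpt):
    """Model the lookup order: exact address, then the @domain catch-all.

    Returns ("reject", text), ("rewrite", new_rcpt) or ("nomatch", rcpt).
    """
    user, _, domain = rcpt.lower().rpartition("@")
    for key in (f"{user}@{domain}", f"@{domain}"):
        if key in table:
            value = table[key].replace("%1", user)  # %1 is the user part
            if value.startswith("error:"):
                # e.g. "error:nouser User unknown": refused at the front end
                return ("reject", value.split(None, 1)[-1])
            return ("rewrite", value)
    return ("nomatch", rcpt)

# A right-hand side ending in @[ip-literal] drops the original domain.
IP_LITERAL = re.compile(r"@\[[0-9a-fA-F.:]+\]$")

def audit(table, domain):
    """Report, for one domain, whether unknown users are rejected up front
    and which keys are rewritten to user@[ip], losing the domain in RCPT To."""
    catch_all = table.get(f"@{domain}", "")
    lost = sorted(k for k, v in table.items()
                  if k.endswith(f"@{domain}") and IP_LITERAL.search(v))
    return {"rejects_unknown": catch_all.startswith("error:"),
            "domain_lost_in_rcpt": lost}
```
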