Path: ...!news-out.netnews.com!news.alt.net!us1.netnews.com!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.omega.home.tnetconsulting.net!not-for-mail
From: Grant Taylor <gtaylor@tnetconsulting.net>
Newsgroups: comp.mail.sendmail
Subject: Re: sender rewrining advice
Date: Fri, 22 Mar 2024 23:10:54 -0500
Organization: TNet Consulting
Message-ID: <utlkoe$4ve$1@tncsrv09.home.tnetconsulting.net>
References: <ut75od$3k36i$1@dont-email.me> <ut7is6$oeb$1@tncsrv09.home.tnetconsulting.net> <uta80m$c43c$1@dont-email.me> <utdfp4$fs6$1@tncsrv09.home.tnetconsulting.net> <utesd2$1hkni$1@dont-email.me> <utg4du$o00$1@tncsrv09.home.tnetconsulting.net> <uth88c$26nhr$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 23 Mar 2024 04:10:54 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="omega.home.tnetconsulting.net:198.18.1.140"; logging-data="5102"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla Thunderbird
Content-Language: en-US
In-Reply-To: <uth88c$26nhr$1@dont-email.me>
Bytes: 6303
Lines: 135

On 3/21/24 07:12, none wrote:
>         internet             internet
>        recv. email
>            |                     ^
>            |                     |
>            |                     |
>            V                     |
>     +------------+       +------+-----+
>     |     A      |       |     B      |
>     |  mailert   +---1-->|   auth     |
>     |  accessmap |       |            |
>     |  ldapr     |       |            |
>     +------+-----+       +------------+
>            |
>            |
>            |
>            V
>     +------+-----+
>     |     C      |
>     |            |
>     |  virtuser  |
>     |            |
>     +------------+
>
> host a: incoming, mx
> host b: outgoing, smtp with user auth
> host c: user mailboxes, user@example.com (not test@example.com)
>
> Indeed. I am trying to use email addresses here and not domains. So NDR
> are generated on host A / mx server.

I take it that host A is not fully aware of the recipient addresses that 
are on host B.  Thus why host A needs to bounce / DSN / NDR a message 
that it accepted responsibility for.

If host A was fully aware of the recipient addresses that are on host B, 
then host A could have rejected the inbound message and not need to send 
a bounce / DSN / NDR.  The bounce / DSN / NDR would be the 
responsibility of the system trying to send to host A.

> I have there, access:
> to:test@example.com RELAY

Do you also have a corresponding REJECT?

to:@example.com REJECT

Without the REJECT I would expect Sendmail to accept the message as part 
of the relay-domains configuration.

> This ldap entry currently makes emails being routed from the mx server A
> to the outgoing server B

That's what I thought.

> correct

Thank you for confirming.

I'll have to go Read The Fine Manual again to see how LDAP routing comes 
into play for relayed / non-local domains.

> Yes the above does this currently with ldap routing. But I don't know if
> this is the best way to do it.

My dusty understanding of LDAP routing is that it's intended for 
multiple servers to share the same domain name(s); e.g. @example.com, 
and know which server hosts specific mailboxes.  Meaning that both host 
A and host C would be configured with @example.com in their 
local-host-names file.

> host C, LOCAL is not in the spf records. I think external access is even
> blocked. I had spammers bypassing spam blocking on the mx / host a and
> delivering directly to C

SPF is about the connecting host.  As such, GuerrillaMail.com will see 
host B as the connecting host and check its IP against SPF records.

Depending on your configuration, hosts A, B, and C may need to either 
have allow list entries or valid SPF information for each other.

> ok I made note of this, I will enhance this later.

:-)

> I am not sure if my outgoing, host b, has access to the
> local-host-names. It is still using the same clusterid as host c and can
> probably access the local-host-names.

Even if it doesn't have access to the local-host-names file on hosts A 
or C, you could probably copy the contents to a similar file and 
configure the methodology to use that file in lieu of the 
local-host-names file.

> But I think in the near future I will create a separate clusterid for
> the outgoing, host b.

Okay.

> (Used to have everything in one host)

ACK

> At some point in the future I would like to secure host b more, so
> authenticated users can only send out email with their assigned address.

I'm aware that such is done by some MTAs.  I've wondered about doing 
that with Sendmail.  But then I realized that users were authenticating, 
thus I would have a good idea (but no guarantee) who, or at least which 
account, was being used to abuse things.  I've not needed to actually go 
down this path (yet).

> So currently I am able to route from host a to host b the emails sent to
> test@example.com.
>
> How should I go about to enable SRS for senders to test@example.com on
> host b?

You could SRS /everything/ leaving host B.  It won't actually hurt 
anything.  SRSing your own envelopes is a little silly and maybe even 
questionable.

From memory -- I'll look some time this weekend -- the SRS routine that 
I'm using uses the local-host-names file (class w) as part of the test 
to determine if envelope senders should be rewritten or not.

I don't think that it /must/ /be/ the local-host-names file (class w).  
I naively assume that you could use any file name you wanted and declare 
a new class to be used for this test.  It would be a minor change to the 
rules to look at that alternate named file / class.

-- 
Grant. . . .
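The following is an added worked example, not code from the post above nor Sendmail's own SRS rulesets. It shows the decision Grant describes on host B: rewrite the envelope sender with SRS0 only when its domain is not in the forwarder's local-host-names list (Sendmail class w), leave the forwarder's own envelopes and the null reverse path alone, and then verify and reverse the rewritten address when a bounce comes back. The address format, the two-character timestamp and the 4-character HMAC-SHA1 hash follow the SRS draft; the secret, the host list, the forwarder domain, the lowercasing of the hashed fields and the 21-day validity window are assumptions made for the example.

```python
"""SRS0 envelope-sender rewriting with a class-w style local-host test.

Added example (not from the original post or from Sendmail). The host list,
secret, forwarder domain and sample senders are constructed for illustration.
"""
import base64
import hashlib
import hmac
import time

# Constructed stand-in for host B's local-host-names file (Sendmail class w).
LOCAL_HOST_NAMES = {"example.com", "mail.example.com"}
FORWARDER_DOMAIN = "example.com"            # domain host B puts on rewritten senders
SRS_SECRET = b"constructed-example-secret"  # assumption: read from a secret file in practice
MAX_AGE_DAYS = 21                           # assumption: bounce window we will accept

SRS_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


class SRSError(ValueError):
    """Raised when an SRS0 address cannot be validated."""


def _day_number(now=None):
    return int((time.time() if now is None else now) // 86400)


def srs_timestamp(now=None):
    """Two base32 characters encoding (days since epoch) mod 1024, per the SRS draft."""
    days = _day_number(now) % 1024
    return SRS_BASE32[(days >> 5) & 31] + SRS_BASE32[days & 31]


def timestamp_fresh(ts, now=None, max_age_days=MAX_AGE_DAYS):
    """True if the 2-char timestamp is no older than max_age_days (modulo the 1024-day wrap)."""
    try:
        days = (SRS_BASE32.index(ts[0].upper()) << 5) | SRS_BASE32.index(ts[1].upper())
    except (ValueError, IndexError):
        return False
    return (_day_number(now) % 1024 - days) % 1024 <= max_age_days


def srs_hash(ts, domain, local):
    """First 4 base64 chars of HMAC-SHA1 over timestamp, domain and local part.
    Lowercasing the input (assumption) keeps the hash stable across MTAs that case-fold."""
    data = (ts + domain + local).lower().encode()
    return base64.b64encode(hmac.new(SRS_SECRET, data, hashlib.sha1).digest())[:4].decode()


def should_rewrite(sender, local_host_names=LOCAL_HOST_NAMES):
    """The class-w test: rewrite only non-null senders whose domain is not ours."""
    if sender in ("", "<>"):
        return False                      # null reverse path (bounces) must stay null
    local, _, domain = sender.rpartition("@")
    if not local or not domain:
        return False
    if domain.lower() in local_host_names:
        return False                      # our own envelope; SRSing it gains nothing
    if local.upper().startswith(("SRS0=", "SRS1=")):
        return False                      # already rewritten; a full implementation would emit SRS1
    return True


def srs0_forward(sender, now=None):
    """Rewrite a forwarded sender to SRS0=HHHH=TT=domain=local@FORWARDER_DOMAIN, or return it unchanged."""
    if not should_rewrite(sender):
        return sender
    local, _, domain = sender.rpartition("@")
    ts = srs_timestamp(now)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{FORWARDER_DOMAIN}"


def srs0_reverse(address, now=None):
    """Validate hash and age of an SRS0 address we produced and recover the original sender."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != FORWARDER_DOMAIN or not local.upper().startswith("SRS0="):
        raise SRSError("not an SRS0 address for this forwarder")
    parts = local[5:].split("=", 3)       # maxsplit keeps '=' inside the original local part intact
    if len(parts) != 4:
        raise SRSError("malformed SRS0 local part")
    h, ts, orig_domain, orig_local = parts
    expected = srs_hash(ts, orig_domain, orig_local)
    # Case-insensitive compare: intermediate MTAs may case-fold the local part.
    if not hmac.compare_digest(h.lower().encode(), expected.lower().encode()):
        raise SRSError("bad SRS hash")
    if not timestamp_fresh(ts, now):
        raise SRSError("SRS timestamp expired")
    return f"{orig_local}@{orig_domain}"


if __name__ == "__main__":
    for s in ("sender@guerrillamail.com", "user@example.com", ""):
        rewritten = srs0_forward(s)
        print(f"{s!r:30} -> {rewritten!r}")
        if rewritten != s:
            print(f"{'':30}    bounce reverses to {srs0_reverse(rewritten)!r}")
```

Rejecting a bad hash or a stale timestamp before reversing matters because the reversed address becomes a recipient host B will relay to; without that check, anyone could mint SRS0 addresses at example.com and use the forwarder as an open relay to arbitrary domains.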