Article <utlkoe$4ve$1@tncsrv09.home.tnetconsulting.net>


Path: ...!news-out.netnews.com!news.alt.net!us1.netnews.com!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.omega.home.tnetconsulting.net!not-for-mail
From: Grant Taylor <gtaylor@tnetconsulting.net>
Newsgroups: comp.mail.sendmail
Subject: Re: sender rewrining advice
Date: Fri, 22 Mar 2024 23:10:54 -0500
Organization: TNet Consulting
Message-ID: <utlkoe$4ve$1@tncsrv09.home.tnetconsulting.net>
References: <ut75od$3k36i$1@dont-email.me>
 <ut7is6$oeb$1@tncsrv09.home.tnetconsulting.net> <uta80m$c43c$1@dont-email.me>
 <utdfp4$fs6$1@tncsrv09.home.tnetconsulting.net>
 <utesd2$1hkni$1@dont-email.me>
 <utg4du$o00$1@tncsrv09.home.tnetconsulting.net>
 <uth88c$26nhr$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 23 Mar 2024 04:10:54 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="omega.home.tnetconsulting.net:198.18.1.140";
	logging-data="5102"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla Thunderbird
Content-Language: en-US
In-Reply-To: <uth88c$26nhr$1@dont-email.me>
Bytes: 6303
Lines: 135

On 3/21/24 07:12, none wrote:
>        internet             internet
>      recv. email
>           |                    ^
>           |                    |
>           |                    |
>           V                    |
>    +------------+       +------+-----+
>    |      A     |       |      B     |
>    |  mailert   +---1-->|    auth    |
>    |  accessmap |       |            |
>    |  ldapr     |       |            |
>    +------+-----+       +------------+
>           |
>           |
>           |
>           V
>    +------+-----+
>    |      C     |
>    |            |
>    |  virtuser  |
>    |            |
>    +------------+
> 
> host a: incoming, mx
> host b: outgoing, smtp with user auth
> host c: user mailboxes, user@example.com (not test@example.com)
> 
> Indeed. I am trying to use email addresses here and not domains. So NDR 
> are generated on host A / mx server.

I take it that host A is not fully aware of the recipient addresses that 
are on host B.  That is why host A needs to bounce / DSN / NDR a message 
that it accepted responsibility for.

If host A was fully aware of the recipient addresses that are on host B, 
then host A could have rejected the inbound message and not need to send 
a bounce / DSN / NDR.  The bounce / DSN / NDR would be the 
responsibility of the system trying to send to host A.

> I have there, access:
> to:test@example.com    RELAY

Do you also have a corresponding REJECT?

    to:@example.com	REJECT

Without the REJECT I would expect Sendmail to accept the message as part 
of the relay-domains configuration.

> This ldap entry currently makes emails being routed from the mx server A 
> to the outgoing server B

That's what I thought.

> correct

Thank you for confirming.

I'll have to go Read The Fine Manual again to see how LDAP routing comes 
into play for relayed / non-local domains.

> Yes the above does this currently with ldap routing. But I don't know if 
> this is the best way to do it.

My dusty understanding of LDAP routing is that it's intended for 
multiple servers to share the same domain name(s); e.g. @example.com, 
and know which server hosts specific mailboxes.  Meaning that both host 
A and host C would be configured with @example.com in their 
local-host-names file.

> host C, LOCAL is not in the spf records. I think external access is even 
> blocked. I had spammers bypassing spam blocking on the mx / host a and 
> delivering directly to C

SPF is about the connecting host.

As such, GuerrillaMail.com will see host B as the connecting host and 
check its IP against SPF records.

Depending on your configuration, hosts A, B, and C may need to either 
have allow list entries or valid SPF information for each other.

> ok I made note of this, I will enhance this later.

:-)

> I am not sure if my outgoing, host b, has access to the 
> local-host-names. It is still using the same clusterid as host c and can 
> probably access the local-host-names.

Even if it doesn't have access to the local-host-names file on hosts A 
or C, you could probably copy the contents to a similar file and 
configure the methodology to use that file in lieu of the 
local-host-names file.

> But I think in the near future I will create a separate clusterid for 
> the outgoing, host b.

Okay.

> (Used to have everything in one host)

ACK

> At some point in the future I would like to secure host b more, so 
> authenticated users can only send out email with their assigned address.

I'm aware that such is done by some MTAs.  I've wondered about doing 
that with Sendmail.  But then I realized that users were authenticating, 
thus I would have a good idea (but no guarantee) who, or at least which 
account, was being used to abuse things.  I've not needed to actually go 
down this path (yet).

> So currently I am able to route from host a to host b the emails sent to 
> test@example.com.
> How should I go about to enable SRS for senders to test@example.com on 
> host b?

You could SRS /everything/ leaving host B.  It won't actually hurt anything.

SRSing your own envelopes is a little silly and maybe even questionable.

From memory -- I'll look some time this weekend -- the SRS routine that 
I'm using uses the local-host-names file (class w) as part of the test 
to determine if envelope senders should be rewritten or not.

I don't think that it /must/ /be/ the local-host-names file (class w). 
I naively assume that you could use any file name you wanted and declare 
a new class to be used for this test.  It would be a minor change to the 
rules to look at that alternate named file / class.



-- 
Grant. . . .
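Added example (not from the post above, and not Sendmail's own SRS ruleset): a small Python model of the decision Grant describes, where the contents of local-host-names (class w) decide whether an envelope sender leaving host B is "our own" (left alone) or foreign (rewritten to an SRS0 address), plus the reverse step a bounce would go through. The domain list, the SRS domain, the secret, the hash length and the 21-day validity window are all assumptions for illustration; the address layout follows the SRS0 convention SRS0=HHHH=TT=orig.domain=orig.local@srs.domain, but the HMAC construction here is not guaranteed byte-compatible with libsrs2 or Sendmail's cf-level SRS hacks.

```python
import base64
import hashlib
import hmac
import time

# Constructed stand-in for the contents of Sendmail's local-host-names
# file (class w): the domains this host considers its own.  Envelope
# senders in these domains are "our own envelopes" and are left alone;
# everything else leaving the host gets rewritten.
LOCAL_HOST_NAMES = {"example.com", "mx.example.com"}

SRS_DOMAIN = "example.com"           # assumed: domain the SRS0 address lives in
SRS_SECRET = b"constructed-secret"   # assumed: shared by every host that reverses SRS
HASH_LEN = 4                         # leading base64 chars of the HMAC kept in the address
MAX_AGE_DAYS = 21                    # how long a rewritten address stays reversible
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def srs_timestamp(days):
    """Two base32 characters encoding (days since the epoch) mod 1024."""
    d = days % 1024
    return BASE32[d >> 5] + BASE32[d & 31]


def srs_hash(secret, timestamp, domain, local):
    """Truncated HMAC over the timestamp and the original sender, lower-cased
    so that case-folding by an intermediate MTA does not break the hash."""
    msg = (timestamp + domain + local).lower().encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:HASH_LEN]


def needs_rewrite(sender, local_domains=LOCAL_HOST_NAMES):
    """The class-w test: rewrite only senders outside our own domains."""
    local, _, domain = sender.rpartition("@")
    if not local or not domain:
        return False                 # null sender (bounces) is never rewritten
    if local.upper().startswith(("SRS0=", "SRS1=")):
        return False                 # already rewritten upstream; a full SRS
                                     # implementation would emit SRS1 here
    return domain.lower() not in local_domains


def srs_forward(sender, days=None, secret=SRS_SECRET, srs_domain=SRS_DOMAIN):
    """Rewrite an envelope sender to SRS0=HHHH=TT=orig.domain=orig.local@srs_domain."""
    if not needs_rewrite(sender):
        return sender
    if days is None:
        days = int(time.time() // 86400)
    local, _, domain = sender.rpartition("@")
    ts = srs_timestamp(days)
    return f"SRS0={srs_hash(secret, ts, domain, local)}={ts}={domain}={local}@{srs_domain}"


def srs_reverse(address, days=None, secret=SRS_SECRET):
    """Validate and unwrap an SRS0 address.

    Returns (status, original_sender); original_sender is None unless status
    is "ok".  Statuses: "not-srs", "malformed", "bad-hash", "expired", "ok".
    A bounce arriving for a bad or expired address should be rejected, not
    forwarded: that is the anti-backscatter property SRS buys you.
    """
    if days is None:
        days = int(time.time() // 86400)
    local, _, _ = address.rpartition("@")
    if not local.upper().startswith("SRS0="):
        return "not-srs", None
    parts = local.split("=", 4)
    if len(parts) != 5:
        return "malformed", None
    _, h, ts, orig_domain, orig_local = parts
    if not h.isascii() or len(ts) != 2 or any(c not in BASE32 for c in ts.upper()):
        return "malformed", None
    if not hmac.compare_digest(h, srs_hash(secret, ts, orig_domain, orig_local)):
        return "bad-hash", None
    ts = ts.upper()
    stamped = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    age = (days - stamped) % 1024    # days elapsed, tolerant of the 1024-day wrap
    if age > MAX_AGE_DAYS:
        return "expired", None
    return "ok", f"{orig_local}@{orig_domain}"


if __name__ == "__main__":
    # Mail for test@example.com that host B forwards on keeps its foreign
    # envelope sender unless we rewrite it; our own sender is untouched.
    for s in ("someone@guerrillamail.com", "test@example.com", ""):
        print(repr(s), "->", repr(srs_forward(s)))
```

Replacing LOCAL_HOST_NAMES with the contents of whichever file you point the rule at is the "alternate named file / class" Grant mentions; the only thing that matters is that the reverse side (wherever bounces land) shares SRS_SECRET and the same domain list.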
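A second added example (mine, not part of the post) for the SPF point above: the receiving side evaluates the sender domain's record against the IP of the host that opened the SMTP connection, so in the diagram only host B's address needs to be in example.com's record, while host A handing a foreign-sender message to B must be allow-listed rather than checked. The SPF records and the three host addresses are constructed for the example; only the ip4/ip6/all mechanisms are evaluated so it runs without DNS.

```python
import ipaddress

# Constructed records standing in for the TXT records DNS would return.
SPF_RECORDS = {
    "example.com":    "v=spf1 ip4:198.51.100.25 ip6:2001:db8::25 -all",  # only host B sends for us
    "remote.example": "v=spf1 ip4:203.0.113.0/24 ~all",                  # some external sender
}

# Assumed addresses of the three hosts in the diagram.
HOST_A_MX = "198.51.100.10"
HOST_B_SMTP = "198.51.100.25"
HOST_C_MBOX = "198.51.100.30"
INTERNAL_HOSTS = {HOST_A_MX, HOST_B_SMTP, HOST_C_MBOX}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(connecting_ip, sender_domain, records=SPF_RECORDS):
    """Evaluate sender_domain's record against the connecting host's IP.

    Only ip4, ip6 and all are handled; mechanisms needing further DNS
    lookups (a, mx, include, exists, ptr) return "unsupported" here.
    """
    record = records.get(sender_domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == ip.version and ip in net
        else:
            return "unsupported"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # nothing matched and no "all" term


def spf_policy(connecting_ip, sender_domain, records=SPF_RECORDS, trusted=INTERNAL_HOSTS):
    """What an MTA inside the diagram should do: an internal hop (A handing a
    message to B, B to C) carries the remote sender's envelope, so judging it
    by the remote domain's record would fail; those peers are allow-listed."""
    if connecting_ip in trusted:
        return "skip"
    return spf_check(connecting_ip, sender_domain, records)


if __name__ == "__main__":
    # What a remote site sees depending on which of our hosts connected to it.
    for host in (HOST_B_SMTP, HOST_C_MBOX):
        print(host, "as sender for example.com:", spf_check(host, "example.com"))
    # What host B should do when host A relays remote.example's mail to it.
    print("A -> B, sender remote.example:", spf_policy(HOST_A_MX, "remote.example"))
```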