On Wed, 17 Mar 1999, Greg Owen {gowen} wrote:
> > How does Qmail act as an outbound relay for a host who is not listed
> > in DNS?
>
> Ah, I think I just found my answer, on the qmail home page.
>
> "Dan Bernstein noted that qmail will skip dns queries for incoming mail with
> tcpserver -Hl your.host.name; and you can skip them for outgoing mail with
> control/smtproutes."
>
> I'll go check the tcpserver documentation, and if that doesn't clear it
> up I'll post any further questions.

Okay, I've gotten to the bottom of my problem, and here's what
I've done to fix the problem.

First of all, the DNS lookup that was failing was not on the
bastion host, but at the final recipient, which looked up the header From:
and couldn't find the host. But the only reason the host was on that line
and not the domain (which resolves just fine, thank you very much) was
that I sent my mail from 'root', which is on sendmail's "don't masquerade
this user" list. Sending from normal users works just fine, because their
"From:" header uses "[EMAIL PROTECTED]" rather than
"[EMAIL PROTECTED]", where "mailhost" is the internal mail server
not found under DNS.

Presumably the "RELAYCLIENT" setting of tcp wrappers was
satisfying qmail, and I just misread the logs the first time around.

Secondly, by using the tcp wrappers control file (/etc/tcp.smtp.cdb),
I'm now setting TCPREMOTEHOST and TCPREMOTEIP to values that do not give
away information about our internal layout. This changes the "Received"
lines on the mail. So, mail actually comes from "mailhost.scansoft.com"
at 4.17.150.119, but the headers say it came from "mail.scansoft.com" at
"192.168.0.1" (an RFC address). The only thing these mail headers are
used for is debugging, and debugging the steps that include these hosts is
only usefully done by us, so presumably this won't mess things up.

Sendmail on the interior host also munges to use
"mail.scansoft.com" in the "Received" headers.

This means mail from non-masquerading users (root and daemon) may
never get delivered if final hosts try to match the name, but frankly,
mail to the outside world should be by accountable users only.

All this achieves my goal of sending mail from an internal host
not listed in DNS without having to reveal information about that internal
host.

Can anyone let me know if munging the Received headers in a
controlled way like this breaks anything? I wouldn't think so from my
knowledge of most mail systems, but you never know...

--
gowen -- Greg Owen -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
Please note my new [EMAIL PROTECTED] address which will
become my default address in March, and which works now.
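
A check for the goal stated in the message above, added here as an example and not part of the original post: it scans every header of an outbound message, not only "Received", for the internal name and address the post says should stay hidden. The function name, the sample message, its Message-ID and `bastion.example.net` are constructed for illustration.

```python
import email
import ipaddress
import re

# Identifiers the post wants kept out of outbound mail (values from the post).
INTERNAL_NAMES = {"mailhost.scansoft.com"}
INTERNAL_NETS = [ipaddress.ip_network("4.17.150.119/32")]

HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9-]+)+")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample: Received lines rewritten as the post describes, but the
# From and Message-ID headers still carry the internal host name.
SAMPLE = """\
Received: from mail.scansoft.com (192.168.0.1)
  by bastion.example.net with SMTP; 17 Mar 1999 12:00:00 -0000
Received: (from root@localhost) by mail.scansoft.com; Wed, 17 Mar 1999 07:00:00 -0500
From: root@mailhost.scansoft.com
Message-ID: <199903171200.HAA01234@mailhost.scansoft.com>
Subject: test

body
"""


def find_leaks(raw_message, names=INTERNAL_NAMES, nets=INTERNAL_NETS):
    """Return sorted (header, value) pairs where an internal name or IP appears."""
    msg = email.message_from_string(raw_message)
    leaks = set()
    for header, value in msg.items():
        # Compare whole host tokens so "mail.scansoft.com" never matches "mailhost...".
        for host in HOST_RE.findall(value):
            if host.lower() in names:
                leaks.add((header, host.lower()))
        for text in IPV4_RE.findall(value):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # dotted number that is not a valid IPv4 address
            if any(addr in net for net in nets):
                leaks.add((header, text))
    return sorted(leaks)


if __name__ == "__main__":
    for header, value in find_leaks(SAMPLE):
        print(f"{header}: exposes {value}")
```

Run against a copy of a message captured after it leaves the bastion host; an empty result means none of the listed identifiers survived in any header.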