SENDMAIL config problem - ISP won't accept mail

Post by Don Leve » Wed, 08 May 2002 12:27:02



Please forgive me if this has been asked before - I couldn't find
anything like it in the DejaGoogle archives.  Here's my situation:

I've just gotten a domain name registered, and I have most things set
up.  DNS is in order, I've got the website up (mostly family
pictures).  I'm running on a broadband cable connection, and I've got
several machines behind a small hardware router/firewall.  The big
problem is SENDMAIL.

I finally got to the point where I can receive incoming mail, but some
domains won't accept my outgoing mail.  The problem seems to be that
the client machine's IP address is being sent out as the origin, and
as that's a non-routable 192.168 address the receiving MTA refuses the
connection.  I had thought it might be a problem with the headers in
the sendmail.cf/mc file, but even after altering those to avoid the
originating IP the mail still gets refused (referring to the
originating IP).  I've tried the masquerade options, and as mentioned
reconfiguring the header.  

Does anyone have any suggestions on how I can get my mail out?
 -Don

 
 
 


Post by remove.thisb.. » Wed, 08 May 2002 14:36:11



> Please forgive me if this has been asked before - I couldn't find
> anything like it in the DejaGoogle archives.  Here's my situation:
> I've just gotten a domain name registered, and I have most things set
> up.  DNS is in order, I've got the website up (mostly family
> pictures).  I'm running on a broadband cable connection, and I've got
> several machines behind a small hardware router/firewall.  The big
> problem is SENDMAIL.
> I finally got to the point where I can receive incoming mail, but some
> domains won't accept my outgoing mail.  The problem seems to be that
> the client machine's IP address is being sent out as the origin, and
> as that's a non-routable 192.168 address the receiving MTA refuses the
> connection.  I had thought it might be a problem with the headers in
> the sendmail.cf/mc file, but even after altering those to avoid the
> originating IP the mail still gets refused (referring to the
> originating IP).  I've tried the masquerade options, and as mentioned
> reconfiguring the header.  

It doesn't sound like that's the problem.  You need to make sure that
your firewall/router is correctly running NAT so that all outgoing
connections from your mail server are run via NAT to your real, public
IP address on the outside.

-Bill

 
 
 


Post by Don Leve » Thu, 09 May 2002 07:23:52




>> Please forgive me if this has been asked before - I couldn't find
>> anything like it in the DejaGoogle archives.  Here's my situation:

>> I've just gotten a domain name registered, and I have most things set
>> up.  DNS is in order, I've got the website up (mostly family
>> pictures).  I'm running on a broadband cable connection, and I've got
>> several machines behind a small hardware router/firewall.  The big
>> problem is SENDMAIL.

>> I finally got to the point where I can receive incoming mail, but some
>> domains won't accept my outgoing mail.  The problem seems to be that
>> the client machine's IP address is being sent out as the origin, and
>> as that's a non-routable 192.168 address the receiving MTA refuses the
>> connection.  I had thought it might be a problem with the headers in
>> the sendmail.cf/mc file, but even after altering those to avoid the
>> originating IP the mail still gets refused (referring to the
>> originating IP).  I've tried the masquerade options, and as mentioned
>> reconfiguring the header.  

>It doesn't sound like that's the problem.  You need to make sure that
>your firewall/router is correctly running NAT so that all outgoing
>connections from your mail server are run via NAT to your real, public
>IP address on the outside.

>-Bill

I don't think that's it.  Here's why:
1) I am apparently set up to relay.  I know that's bad, and I'll try
to figure out how to stop it while still allowing the access I need...

2) While investigating #1, I took a look at relay-domains.  I added
the domain of one of the problem addresses, restarted sendmail, and
was able to get through with no problem.

This leads me to believe that it's a sendmail problem.  This means I
need to know how to:

a - Stop relaying for the entire world.
b - Be able to send/receive mail from my work PC as well as from home.
c - Be able to send mail elsewhere.
d - If possible, be able to hide the original address of my client PC
and substitute the routable address of my firewall.

Any thoughts, suggestions, pointers to reading material for people who
don't already know all this stuff will be greatly appreciated.

Thanks!
 -Don

 
 
 


Post by Dave Uhrin » Thu, 09 May 2002 07:32:46



> I don't think that's it.  Here's why:
> 1) I am apparently set up to relay.  I know that's bad, and I'll try
> to figure out how to stop it while still allowing the access I need...

> 2) While investigating #1, I took a look at relay-domains.  I added
> the domain of one of the problem addresses, restarted sendmail, and
> was able to get through with no problem.

> This leads me to believe that it's a sendmail problem.  This means I
> need to know how to:

> a - Stop relaying for the entire world.
> b - Be able to send/receive mail from my work PC as well as from home.
> c - Be able to send mail elsewhere.
> d - If possible, be able to hide the original address of my client PC
> and substitute the routable address of my firewall.

> Any thoughts, suggestions, pointers to reading material for people who
> don't already know all this stuff will be greatly appreciated.

> Thanks!
>  -Don

Take a look here:

http://www.sendmail.org/other-sendmail-links.html

and this link under that one

http://www.sendmail.org/~ca/email/offline_mailing.html

Pay particular attention to the genericstable.

 
 
 


Post by ynotsso » Thu, 09 May 2002 07:33:31



[...]

> This leads me to believe that it's a sendmail problem.  This means I
> need to know how to:

> a - Stop relaying for the entire world.
> b - Be able to send/receive mail from my work PC as well as from home.
> c - Be able to send mail elsewhere.
> d - If possible, be able to hide the original address of my client PC
> and substitute the routable address of my firewall.

> Any thoughts, suggestions, pointers to reading material for people who
> don't already know all this stuff will be greatly appreciated.

Please post your sendmail.mc file so that appropriate advice may be given.

             tony

 
 
 


Post by Don Leve » Thu, 09 May 2002 11:57:28


On Tue, 7 May 2002 15:33:31 -0700, "ynotssor" <ynotssorAT hotmaildot



>[...]
>> This leads me to believe that it's a sendmail problem.  This means I
>> need to know how to:

>> a - Stop relaying for the entire world.
>> b - Be able to send/receive mail from my work PC as well as from home.
>> c - Be able to send mail elsewhere.
>> d - If possible, be able to hide the original address of my client PC
>> and substitute the routable address of my firewall.

>> Any thoughts, suggestions, pointers to reading material for people who
>> don't already know all this stuff will be greatly appreciated.

>Please post your sendmail.mc file so that appropriate advice may be given.

>             tony

I've posted it below.

I think I may have figured out the immediate problem:  the error I was
getting ended up being from MY server, not the foreign ISP's server.
Adding an entry in my hosts file for 192.168.1.1 allowed my mail to go
through.

I still don't know why things are picking up the internal address for
my firewall; I'd rather just place the external address if possible.
Is there an m4-compatible way of altering the headers (either within
the .mc file, or in a referenced external file) that will allow me to
do this?

Thanks again,
 -Don

sendmail.mc - I've made very few changes from the stock install from
RH 7.2:

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl        m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
define(`confDEF_USER_ID',``8:12'')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
dnl FEATURE(delay_checks)dnl
define(HIDDENDOMAIN, the-leveys.us)
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl       a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
MASQUERADE_AS(the-leveys.us)
Cwlocalhost.localdomain
Cwthe-leveys.us

 
 
 


Post by remove.thisb.. » Thu, 09 May 2002 14:26:43



> On Tue, 7 May 2002 15:33:31 -0700, "ynotssor" <ynotssorAT hotmaildot



>>[...]
>>> This leads me to believe that it's a sendmail problem.  This means I
>>> need to know how to:

>>> a - Stop relaying for the entire world.
>>> b - Be able to send/receive mail from my work PC as well as from home.
>>> c - Be able to send mail elsewhere.
>>> d - If possible, be able to hide the original address of my client PC
>>> and substitute the routable address of my firewall.

>>> Any thoughts, suggestions, pointers to reading material for people who
>>> don't already know all this stuff will be greatly appreciated.

>>Please post your sendmail.mc file so that appropriate advice may be given.

>>             tony
> I've posted it below.
> I think I may have figured out the immediate problem:  the error I was
> getting ended up being from MY server, not the foreign ISP's server.
> Adding an entry in my hosts file for 192.168.1.1 allowed my mail to go
> through.
> I still don't know why things are picking up the internal address for
> my firewall; I'd rather just place the external address if possible.
> Is there an m4-compatible way of altering the headers (either within
> the .mc file, or in a referenced external file) that will allow me to
> do this?

Are you sending mail directly from your Linux box, or are you sending
it from another client machine attached to your network?  The actual
client machine will always show up in the headers, unless you do some
serious crunching on them.  

-Bill

 
 
 


Post by S » Thu, 09 May 2002 13:42:07



> Please forgive me if this has been asked before - I couldn't find
> anything like it in the DejaGoogle archives.  Here's my situation:

> I've just gotten a domain name registered, and I have most things set
> up.  DNS is in order, I've got the website up (mostly family
> pictures).  I'm running on a broadband cable connection, and I've got
> several machines behind a small hardware router/firewall.  The big
> problem is SENDMAIL.

> I finally got to the point where I can receive incoming mail, but some
> domains won't accept my outgoing mail.  The problem seems to be that
> the client machine's IP address is being sent out as the origin, and
> as that's a non-routable 192.168 address the receiving MTA refuses the
> connection.  I had thought it might be a problem with the headers in
> the sendmail.cf/mc file, but even after altering those to avoid the
> originating IP the mail still gets refused (referring to the
> originating IP).  I've tried the masquerade options, and as mentioned
> reconfiguring the header.  

> Does anyone have any suggestions on how I can get my mail out?

you set the DM flag right? ie, does your sendmail masq your emails as
coming from the domain you registered?

i guess you must have a static IP on the cable, so why doesn't it work
for the gateway server that runs sendmail? as an aside, look in
http://www.hserus.net for some info on sendmail setup, as well as the

and the last piece of unsolicited advice is to use postfix, much
easier to configure, easier to maintain and less patching necessary,
sendmail comes out with a release very frequently.

 
 
 


Post by Don Leve » Thu, 09 May 2002 20:32:49



>you set the DM flag right? ie, does your sendmail masq your emails as
>coming from the domain you registered?

It does - though the rDNS comes back with my cable-assigned hostname.

>i guess you must have a static IP on the cable, so why doesn't it work
>for the gateway server that runs sendmail? as an aside, look in
>http://www.hserus.net for some info on sendmail setup, as well as the


Well, semi-static, at any event.  It only re-assigns if I've got the
machines (modem/router) off at midnight.  Thanks for the pointers.

>and the last piece of unsolicited advice is to use postfix, much
>easier to configure, easier to maintain and less patching necessary,
>sendmail comes out with a release very frequently.

I'll take a look, but I'm running sendmail right now for two main
reasons: I'd like to know the history before I move on to current
events, and we're running sendmail at work.  I'd like to be able to
take over some of the admin tasks for that.
 -Don
 
 
 


Post by Don Leve » Thu, 09 May 2002 20:34:04




>> On Tue, 7 May 2002 15:33:31 -0700, "ynotssor" <ynotssorAT hotmaildot

>> I still don't know why things are picking up the internal address for
>> my firewall; I'd rather just place the external address if possible.
>> Is there an m4-compatible way of altering the headers (either within
>> the .mc file, or in a referenced external file) that will allow me to
>> do this?

>Are you sending mail directly from your Linux box, or are you sending
>it from another client machine attached to your network?  The actual
>client machine will always show up in the headers, unless you do some
>serious crunching on them.  

>-Bill

Yep - I've got (at the moment) 4 machines behind the cable modem.  The
mail server is one, my client machine is another.
 -Don
 
 
 


Post by nob.. » Fri, 10 May 2002 02:29:36


the mail header will always show the ip of the box the mail originates on, even
if the box gives the mail to your sendmail via POP. there's nothing wrong with
that and it won't interfere with delivery of the original or any replies, it
sounds like you'd like the mails to appear to have come from the nat box?  I
for one don't know how to do this, but you might want to post to the sendmail
ng.

On Wed, 08 May 2002 07:32:49 -0400, Don Levey



>>you set the DM flag right? ie, does your sendmail masq your emails as
>>coming from the domain you registered?

>It does - though the rDNS comes back with my cable-assigned hostname.

as it should, since you don't own the reverse zone, you've no way of
editing it.

>>i guess you must have a static IP on the cable, so why doesn't it work
>>for the gateway server that runs sendmail? as an aside, look in
>>http://www.hserus.net for some info on sendmail setup, as well as the

>Well, semi-static, at any event.  It only re-assigns if I've got the
>machines (modem/router) off at midnight.  Thanks for the pointers.

>>and the last piece of unsolicited advice is to use postfix, much
>>easier to configure, easier to maintain and less patching necessary,
>>sendmail comes out with a release very frequently.

>I'll take a look, but I'm running sendmail right now for two main
>reasons: I'd like to know the history before I move on to current
>events, and we're running sendmail at work.  I'd like to be able to
>take over some of the admin tasks for that.
> -Don

--
Steve S.


remove NOSPAM before replying

 
 
 


Post by Don Leve » Fri, 10 May 2002 13:29:27




>the mail header will always show the ip of the box the mail originates on, even
>if the box gives the mail to your sendmail via POP. there's nothing wrong with
>that and it won't interfere with delivery of the original or any replies, it
>sounds like you'd like the mails to appear to have come from the nat box?  I
>for one don't know how to do this, but you might want to post to the sendmail
>ng.

Yep, that's what I'm looking for.  I'm a bit paranoid - I don't want
to give any clues to the outside world about my internal network
structure unless I have to.  I'll see what I can find - thanks!
 -Don
 
 
 


Post by Gertjan Vinkesteij » Fri, 10 May 2002 13:47:51


Dear Don,

I am not paranoid but manic-depressed, and nobody gets my internal
subnet structure either. My son David gives his strong believing mother
2 wheatplants on mothers day... ;-) yes he is nuts

-- Gertjan




>>the mail header will always show the ip of the box the mail originates on, even
>>if the box gives the mail to your sendmail via POP. there's nothing wrong with
>>that and it won't interfere with delivery of the original or any replies, it
>>sounds like you'd like the mails to appear to have come from the nat box?  I
>>for one don't know how to do this, but you might want to post to the sendmail
>>ng.

> Yep, that's what I'm looking for.  I'm a bit paranoid - I don't want
> to give any clues to the outside world about my internal network
> structure unless I have to.  I'll see what I can find - thanks!
>  -Don

--
-------------------------------------------------------------
Please use PGP in sending mail to me, send your public first
mine is an ring-8 rsa key, good for gringo's also, no offense
 
 
 


Post by nob.. » Sat, 11 May 2002 09:35:37


On Thu, 09 May 2002 00:29:27 -0400, Don Levey


>On Wed, 08 May 2002 17:29:36 -0000,

>>the mail header will always show the ip of the box the mail originates on, even
>>if the box gives the mail to your sendmail via POP. there's nothing wrong with
>>that and it won't interfere with delivery of the original or any replies, it
>>sounds like you'd like the mails to appear to have come from the nat box?  I
>>for one don't know how to do this, but you might want to post to the sendmail
>>ng.

>Yep, that's what I'm looking for.  I'm a bit paranoid - I don't want
>to give any clues to the outside world about my internal network
>structure unless I have to.  I'll see what I can find - thanks!
> -Don

I'm not sure what you are nervous about, but I'm sure what you want is
possible, I just don't know if it's a feature of Sendmail, but as there
are so many features to Sendmail, it will take some digging to find out.
You can also try the sendmail.org site, they have an FAQ, maybe it's there.

--
Steve S.


remove NOSPAM before replying

 
 
 


Post by ynotsso » Sat, 11 May 2002 10:18:12




[...]
>>the mail header will always show the ip of the box the mail
>> originates on, even if the box gives the mail to your sendmail
>> via POP. there's nothing wrong with that and it won't interfere
>> with delivery of the original or any replies, it sounds like you'd
>> like the mails to appear to have come from the nat box?  I
>> for one don't know how to do this, but you might want to post
>> to the sendmail ng.

> Yep, that's what I'm looking for.  I'm a bit paranoid - I don't want
> to give any clues to the outside world about my internal network
> structure unless I have to.

[...]

This is called "security through obscurity" and it doesn't work. If the
security of your installation depends on people not having any clues to your
internal IP addressing scheme, then your installation is inherently insecure
and thus vulnerable to arbitrary attacks. It's a Fool's Paradise.

That said, you can configure the format of the "Received:" header that is
added to each email that passes through the sendmail server. To quote from
the cf/README file, "It is unwise to try to change this." but entirely
possible if you understand the consequences of what you are doing:

------------------------------------
confRECEIVED_HEADER

Received:    [$?sfrom $s $.$?_($?s$|from $.$_)
                    $.$?{auth_type}(authenticated)
                    $.by $j ($v/$Z)$?r with $r$. id $i$?u
                    for $u; $|; $.$b]
------------------------------------

You can either lookup the meaning of each macro in doc/op/op.{me,ps} or
compare against another Received: header from an email that has passed
through the server.

As far as security goes, you will gain absolutely nothing by it, although
you may thoroughly enjoy the act of fooling yourself.

                    tony

 
 
 

1. sendmail won't accept mail due to tcpwrappers?

I'm having problems on a RedHat linux 7.1 system getting sendmail
to accept mail from outside hosts. I can send mail from the command
line on the mail server, but when I try from another machine it is
rejected.

I see this in /var/log/maillog:

Sep 27 11:17:07 bloom1 sendmail[16076]: f8RFH7V16076: tcpwrappers
(femail15.sdc1.sfba.home.com, 24.0.95.142) rejection
Sep 27 11:17:07 bloom1 sendmail[16076]: NOQUEUE:
femail15.sdc1.sfba.home.com [24.0.95.142] did not issue
MAIL/EXPN/VRFY/ETRN during connection to Daemon0

What do I need to do to get this to work?

--
Michael Maloney
Ilex Engineering, Inc.

Tel: 410.465.6948

2. ksh and .logout files

3. How to config sendmail only accept mail send from 192.* IP.

4. bff files

5. SMTP Tangled up in DNS and won't accept mail!

6. Please help me with modelines!!!

7. /bin/mail won't accept stdin from file

8. Solaris 10, fmd won't start at boot

9. sendmail mail server does not accept sending mail from remote clients

10. Postfix won't accept outside mail

11. sendmail won't send mail in it's queue

12. transition from isp 'A' to isp 'B' routing problem