Re: sendmail, masquerading and HELO

To: Carlos Carvalho <carlos@fisica.ufpr.br>
Cc: debian-security@lists.debian.org
Subject: Re: sendmail, masquerading and HELO
From: Richard A Nelson <cowboy@debian.org>
Date: Tue, 21 May 2002 11:26:48 -0400 (EDT)
Message-id: <[🔎] Pine.LNX.4.44.0205211116410.3142-100000@back40.badlands.org>
In-reply-to: <[🔎] 15594.15759.841008.787505@hoggar.fisica.ufpr.br>

On Tue, 21 May 2002, Carlos Carvalho wrote:

> I'm having a problem with sendmail and masquerading. We use NAT so
> that the only address visible outside is the external one. All access
> is done through the firewall.

Ditto...

> The problem is that sendmail puts in the headers the internal host
> name, as you can see from this message itself and here is another
> example:
>
> Received: from fisica.ufpr.br ([200.17.209.129] helo=hoggar.fisica.ufpr.br)
>                                                 **************************
>         by foo.bar.ufpr.br with esmtp (Exim 3.35 #1 (Debian))
>         id 17A8E9-0001mj-00
>         for <carlos@bar.ufpr.br>; Tue, 21 May 2002 08:54:53 -0300
> Received: (from carlos@localhost)
>         by hoggar.fisica.ufpr.br (8.11.2/8.11.2/Debian 8.11.2-1)
>         ************************

You do know why the Received lines are there right?

> I've used this in sendmail.mc:
>
> FEATURE(masquerade_envelope)dnl
> FEATURE(allmasquerade)dnl
> FEATURE(masquerade_entire_domain)dnl
>
> MASQUERADE_AS(fisica.ufpr.br)dnl
> MASQUERADE_DOMAIN(fisica.ufpr.br)

None of those do anything with Received: lines; they for envelope and
headers only.

> What's annoying is that some sites are using the helo= field to check
> the IP address via dns. Since in this case it's an internal addres
> it'll obviously not work, and these sites are refusing to receive
> email from us.

Such sites are broken - apply cluex4 repeatedly until they understand
that they are to verify *ONLY* the sending MTA...  And they *HAVE* its
IP, they check forward/reverse resolution on it, and only it.

> Is there a way to make sendmail put the domain name in the helo field
> and all the received headers?

If you have administrative control over *all* boxen, yes - you can
define your own Received: header format...  I don't know if I had
the file in 8.11.2, but in 8.12.3, check
/usr/share/sendmail/cf/hack/virthost_by_ip.m4 for an example.

-- 
Rick Nelson
<hop_> i had something that i think was chicken that was coated with a red
       paste that seemed to be composed of lye based on how much of my
       tounge it burned away.	   =20
<hop_> our friend who is Indian said this is why most Indians are thin
       and i quote "It doesn't take very much of this food to get you
       satisfied enoguh to stop eating."


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: sendmail, masquerading and HELO
  - From: Carlos Carvalho <carlos@fisica.ufpr.br>

References:
- sendmail, masquerading and HELO
  - From: Carlos Carvalho <carlos@fisica.ufpr.br>

Prev by Date: unsubscribe
Next by Date: unsubscribe
Previous by thread: sendmail, masquerading and HELO
Next by thread: Re: sendmail, masquerading and HELO
Index(es):
- Date
- Thread