[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

How-To: Masquerade the Envelope with Sendmail

This comes up so often I thought it might be worthwhile to send it direct to the
list. I apologize for the length but it's a complex subject.

from: http://www.moongroup.com/how-to.phtml#envelope

Masquerade the Envelope with Sendmail

Why is this so important?  Let's compare an email message to a letter sent
through the postal service.  When you address the envelope you normally provide
several pieces of information so that the postal service can do their job
correctly.  You would write down the person's name and address that you want to
send it to and you would also write your name and mailing address so that if the
letter can't be delivered it can be safely returned to you.  So after you post
the letter what does the postal service do?  They pick it up and attempt to
deliver it based on the information you provided. Now... if you had a criminal
mind and intended to mail something malicious you wouldn't put your correct
return address on the envelope would you?  Probably not!  So if you put a false
return address and the message was ultimately undeliverable the postal service
wouldn't be able to return it to you would they?  In this example everything is
very anonymous and you really can send out garbage without being held
accountable.  Just a few short months ago electronic mail worked the same way.  
You could send out garbage with a false return address and it wouldn't be
returned to you.  Granted, this is not a very nice thing to do but it happened
all of the time.  So... what happened is that the people who develop code for
Mail Transfer Agents (MTA's -or- the post office in our scenario) started to
change things up a little bit.  These improved MTA's now check to insure that
the senders envelope address is valid before they will relay, or deliver, a
message.  This is a good thing but it has caused problems for many people,
particularly those who use an MTA rather than a piece of client software to send
their mail... translation... the dial-up user with a Linux box is likely to get
a bunch of bounced mail unless he or she configures their MTA to masquerade the

It's not enough to set the from and reply-to addresses in a piece of email
client software because much like a regular letter all this does is tell the
person who receives the message who it's from (maybe!). The newer versions of
sendmail (particularly 8.9.x) are more concerned with which mail server it was
sent from than they are with which user sent the message so they read the
message envelope.  They're not looking for the person that sent it by checking
the senders From: or Reply-To: email address, they're checking to see if the
"post office" or mail server it came from is valid!  Which is equivalent to
checking the street name, number and zip code of origin on a letter. Once this
information is excerpted from the message it's verified via reverse DNS to see
if the sending post office exists in DNS (IOW would the sending MTA receive a
bounce if the intended recipient didn't exist) and if that post office (the
sending MTA) doesn't exist in DNS the receiving MTA will reject the message
with prejudice! So... we fix this by telling our MTA to masquerade the

Okay... so here's how we do it.  We're assuming a complete install of sendmail
(this works with versions from 8.8.7 through 8.9.3). 

as root: 

"cd /usr/lib/sendmail-cf/cf/" 

*Note:  if you don't have this directory and it doesn't show up in an alternate
path after you've searched for it then our assumptions about a full install are
incorrect and you have to get everything installed prior to proceding! This
would mean the sendmail-cf rpm as well as the sendmail rpm. I also recommend you
install sendmail-doc.

"cp myconfig.mc /usr/lib/sendmail-cf/cf/myconfig.mc.bakup" 
"vi myconfig.mc" 

and insert the following text: 

# /usr/lib/sendmail-cf/cf/redhat.mc plus the masquerade options 
define(`SMART_HOST', `your.isps.mta')dnl #added 
MASQUERADE_AS(yourdomain.dom)dnl #added - use your domain name here! 
FEATURE(allmasquerade)dnl  #added 
FEATURE(masquerade_envelope)dnl #added 
HACK(check_mail3,`hash -a JUNK /etc/mail/deny')dnl 

If you're using Red Hat all of this is in the original redhat.mc with a couple
of lines added for folks in your situation.... 

The next issue in this process is that we have to have a legitimate (must have a
DNS record) relay host to make this work so be sure and use your ISP's MTA as a
"smart" relay host. This would be inserted in place of "your.isps.mta" in the
line which begins:


so if your ISP's SMTP host was called "mail.yourisp.net" then your line would
like this: 

define(`SMART_HOST', `mail.yourisp.net') 

Now that we've created our myconfig.mc file we've got to create a new
sendmail.cf... but how do we do that? 

mv /etc/sendmail.cf /etc/sendmail.cf.bakup 

(we're still in the same directory with our new .mc file) 

m4 ../m4/cf.m4 myconfig.mc > nuconfig.cf 

Note: if there are any error messages here stop and let us know immediately. 

cp nuconfig.cf /etc/sendmail.cf 

Now we cd to /etc and edit the new sendmail.cf to ensure that our ISP's MTA is
still selected as our relay host. The line we're looking for is:

# "Smart" relay host (may be null) 
DSmail.yourisp.net  (where mail.yourisp.net would be the FQDN of your ISP's MTA

Next we want to issue the command "/etc/rc.d/init.d/sendmail restart" 

double check the sendmail.cw and make sure your own domain is listed (i.e.
yourdomain.dom) and we're done! 

Additional reading on this topic: Configuring sendmail for offline use by Simone
Govoni <http://www.moongroup.com/sendmail-offline.html>

Chuck Mead, CTO, MoonGroup Consulting, Inc. <http://moongroup.com> 
Mail problems? Send "s-u-b-s-c-r-i-b-e mailhelp" (no quotes and no
hyphens) in the body of a message to mailhelp-request moongroup com 

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]