Date:      Thu, 17 Apr 2003 19:48:47 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Kirk Strauser <kirk@strauser.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Sendmail isn't using SMART_HOST.  Now what?
Message-ID:  <20030417184846.GA44948@happy-idiot-talk.infracaninophi>
In-Reply-To: <87brz5c9pv.fsf@pooh.honeypot.net>
References:  <87brz5c9pv.fsf@pooh.honeypot.net>

On Thu, Apr 17, 2003 at 12:30:52PM -0500, Kirk Strauser wrote:
> I have a firewall machine that I don't want to communicate directly with the
> outside world, so I've been trying to get it to use another FreeBSD server
> on the LAN as its smart host.  The Sendmail config on the machine is
> default except for the SMART_HOST setting:
>
>     diff -u freebsd.mc gopher.honeypot.net.mc
>     --- freebsd.mc  Sun Dec 29 11:16:44 2002
>     +++ gopher.honeypot.net.mc      Thu Apr 17 12:17:55 2003
>     @@ -74,7 +74,7 @@
>      dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', `"550 Mail from " $&{client_addr} " rejected, see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr}')
>
>      dnl Dialup users should uncomment and define this appropriately
>     -dnl define(`SMART_HOST', `your.isp.mail.server')
>     +define(`SMART_HOST', `kanga.honeypot.net')
>
>      dnl Uncomment the first line to change the location of the default
>      dnl /etc/mail/local-host-names and comment out the second line.
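Review bot: `+define(`SMART_HOST', `kanga.honeypot.net')` names the relay without square brackets, so sendmail resolves MX records for kanga.honeypot.net instead of connecting to that host directly; the SYSERR quoted further down ("MX list for honeypot.net. points back to gopher.honeypot.net") shows MX resolution ending up at the firewall itself. Suggest `define(`SMART_HOST', `[kanga.honeypot.net]')`, which uses the host's address record and skips the MX lookup entirely.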
>
> However, after a `make; make install; make restart', I can run tcpdump on
> the smart host and watch as the firewall does a DNS query for the domain of
> an outgoing email, and then nothing; the firewall is still sending email
> directly to the remote machine.
>
> On a related note, the firewall insists on delivering mail locally that it
> has no business handling.  I have `root' set as an alias to
> `root@kanga.honeypot.net' (i.e., on the smart host).  Whenever I type
>
>     echo test | mail root@kanga.honeypot.net
>
> I get this in my /var/log/messages:
>
>     Apr 17 12:26:25 gopher sm-mta[1812]: h3HHQOU1001811: SYSERR(root): MX list for honeypot.net. points back to gopher.honeypot.net
>     Apr 17 12:26:25 gopher sm-mta[1812]: h3HHQPU1001812: Losing ./qfh3HHQPU1001812: savemail panic
>
> I've read the Sendmail FAQ, but the destination machine *is* configured
> correctly.  Every other machine I've tested can deliver to that email
> address except the machine in question.  In fact, a tcpdump doesn't even
> show any packets from the firewall to the smart host.
>
> I'm at a loss.  This really shouldn't be as difficult as I seem to be making
> it.  Any suggestions?  Am I overlooking something obvious?


Hmmm... A few sendmail revisions back, I'd have recommended

    FEATURE(`nullclient', ...)dnl

but since the split into sm_msp and sm_mta, I think that probably the
best way to go on a firewall is:

   i) Disable the sendmail MTA function entirely.  This means that
   nothing will be listening on port 25, which is one less thing to
   worry about security-wise.  In /etc/rc.conf:

       sendmail_enable="NO"
       sendmail_outbound_enable="NO"
       sendmail_submit_enable="NO"

   ii) Configure the sendmail MSP to immediately forward all e-mail to
   your main mail host.  You don't need a persistent daemon in this
   case, as the MSP process is what you get by invoking
   /usr/sbin/sendmail.  However, if the message can't be delivered
   immediately it will be placed into the clientmqueue, so you should
   run a queue flushing sendmail instance:

       sendmail_msp_queue_enable="YES"

   and modify the submit.mc file as follows:

        % diff -u freebsd.submit.mc kanga.submit.mc
        --- freebsd.submit.mc   Wed Feb 19 22:16:31 2003
        +++ kanga.submit.mc Thu Apr 17 19:38:15 2003
        @@ -23,4 +23,4 @@
         define(`confDONT_INIT_GROUPS', `True')dnl
         dnl
         dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1]
        -FEATURE(`msp', `[127.0.0.1]')dnl
        +FEATURE(`msp', `[kanga.honeypot.net]', `MSA')dnl
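Review bot: the retained context line `dnl If you use IPv6 only, change [127.0.0.1] to [IPv6:::1]` now describes an address the FEATURE line no longer contains; update it to refer to kanga.honeypot.net or drop it so the file does not mislead the next editor. Also, with the `MSA' argument the MSP submits to kanga.honeypot.net on port 587, so that host's MSA listener must be reachable from the firewall; if it is not, every message sits in clientmqueue, which is why `sendmail_msp_queue_enable="YES"` in step ii is needed alongside this change.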

   This will connect to your mail server on the Mail Submission port
   587 rather than the SMTP port 25.

   You may find it useful to set the SENDMAIL_SUBMIT_MC variable in
   /etc/make.conf to point to a different .mc file than the default.

   Nb. using [square brackets] around the hostname (or IP number)
   causes sendmail not to take MX records into account at all, which is
   what you usually want in this sort of setup.  Come to think of it,
   it would probably help with your SMART_HOST setup as is.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
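The following script is an added example for this thread, not FreeBSD's or sendmail's own tooling and not code from either poster. It checks the two files the reply edits for the layout Matthew recommends: rc.conf must start no sendmail daemon except the MSP queue runner, and submit.mc must hand everything to a bracketed relay (no MX lookup) on the MSA port. It also flags the trap of disabling the MTA while leaving submit.mc pointed at the loopback default, which strands mail in clientmqueue. The sample rc.conf and submit.mc fragments are constructed for the example; only the host names come from the thread.

```python
"""Audit a FreeBSD host for the "no MTA, MSP relays to a smart host" layout.

Added example for this thread; not FreeBSD's or sendmail's own tooling.
Run with no arguments to audit the constructed samples below, or pass
/etc/rc.conf and /etc/mail/submit.mc to audit a real host.
"""
import re
import sys

# Constructed sample inputs (not copied from a real host); host names are from the thread.
RC_CONF_FIREWALL = """\
hostname="gopher.honeypot.net"
sendmail_enable="NO"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="YES"
"""
SUBMIT_MC_DEFAULT = "FEATURE(`msp', `[127.0.0.1]')dnl\n"                    # FreeBSD default: loopback, port 25
SUBMIT_MC_RELAY = "FEATURE(`msp', `[kanga.honeypot.net]', `MSA')dnl\n"       # the reply's suggestion
SUBMIT_MC_UNBRACKETED = "FEATURE(`msp', `kanga.honeypot.net', `MSA')dnl\n"   # MX lookups still happen

RC_VAR = re.compile(r'^\s*(sendmail_[a-z_]+)\s*=\s*"?([A-Za-z]+)"?', re.M)
MSP_FEATURE = re.compile(r"FEATURE\(`msp'(?:,\s*`([^']*)')?(?:,\s*`([^']*)')?\)")


def parse_rc_conf(text):
    """Map sendmail_* rc.conf variables to their upper-cased values."""
    return {name: value.upper() for name, value in RC_VAR.findall(text)}


def mta_disabled(rc):
    """True when no sendmail daemon will bind port 25 and only the MSP queue runner starts."""
    return (rc.get("sendmail_enable") == "NO"
            and rc.get("sendmail_submit_enable") == "NO"
            and rc.get("sendmail_outbound_enable") == "NO"
            and rc.get("sendmail_msp_queue_enable") == "YES")


def parse_msp_feature(text):
    """Return (relay_host, uses_mx, port) from the FEATURE(`msp', ...) line, or None.

    A host in [square brackets] is connected to directly (no MX lookup); the
    `MSA' second argument moves the MSP from SMTP port 25 to submission port 587.
    """
    m = MSP_FEATURE.search(text)
    if not m or not m.group(1):
        return None
    spec = m.group(1)
    uses_mx = not (spec.startswith("[") and spec.endswith("]"))
    host = spec if uses_mx else spec[1:-1]
    port = 587 if m.group(2) == "MSA" else 25
    return host, uses_mx, port


def audit(rc_text, submit_mc_text):
    """Return a list of findings; an empty list means the layout matches the recommendation."""
    findings = []
    rc = parse_rc_conf(rc_text)
    if not mta_disabled(rc):
        findings.append("rc.conf: a sendmail daemon is still enabled, or the MSP queue runner is not")
    msp = parse_msp_feature(submit_mc_text)
    if msp is None:
        findings.append("submit.mc: no FEATURE(`msp', `host') line with an explicit relay host")
        return findings
    host, uses_mx, port = msp
    if uses_mx:
        findings.append(f"submit.mc: relay {host!r} is not bracketed, so MX records are consulted")
    if host in ("127.0.0.1", "localhost", "IPv6:::1") and mta_disabled(rc):
        findings.append("submit.mc: relay is the loopback address but no local MTA listens; "
                        "mail will sit in clientmqueue")
    if port != 587:
        findings.append(f"submit.mc: relaying to {host} on port {port}, not the MSA port 587")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        rc_text, mc_text = (open(p).read() for p in sys.argv[1:])
    else:
        rc_text, mc_text = RC_CONF_FIREWALL, SUBMIT_MC_RELAY
    for line in audit(rc_text, mc_text) or ["OK: MTA disabled, MSP relays directly to the smart host on 587"]:
        print(line)
```

Running it against the constructed firewall rc.conf and the suggested submit.mc reports OK; against the same rc.conf with FreeBSD's default submit.mc it reports the stranded-loopback case, and against an unbracketed relay it reports that MX records will be consulted.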
