Date:      Wed, 9 Jan 2008 10:22:06 -0800
From:      Chuck Swiger <cswiger@mac.com>
To:        Jerahmy Pocott <quakenet1@optusnet.com.au>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Sendmail: "exposed" root, why?
Message-ID:  <4991B253-DB77-4855-813B-025831CD319A@mac.com>
In-Reply-To: <8EE4A2AA-E15D-4C07-AFBC-061A4595DA82@optusnet.com.au>
References:  <8EE4A2AA-E15D-4C07-AFBC-061A4595DA82@optusnet.com.au>

On Jan 8, 2008, at 5:50 AM, Jerahmy Pocott wrote:
> From the sendmail documentation:
>
> "There are always users that need to be "exposed" -- that is,
> their  internal site name should be displayed instead of the
> masquerade name. Root is an example (which has been
> "exposed" by default prior to 8.10)."
>
> Is there actually any reason why root needs to be "exposed"?

The original reasoning was that if you had a network of machines in a  
domain, email generated from cron jobs producing output and things  
like the daily status report that is sent out would be readily  
distinguishable.  If you masquerade to hide all of the machine names,  
it becomes mildly difficult to identify which machine is sending such  
email.

> Root is set to an external address in aliases and it really
> needs to be masqueraded in order for it to get delivered,
> but would that cause problems with anything?

The mail needs to be considered for local delivery for the alias or  
a .forward to send it to an external address.

Whether the From: header has been masqueraded or not is somewhat of an  
orthogonal issue, but you might find the comments in  
/usr/share/sendmail/cf/README about allmasquerade and masquerade_entire_domain  
informative.

> How do you stop sendmail from doing this, I don't see any
> directive to NOT expose root, only options to expose other
> addresses as well..  Perhaps there is a better way to send
> system mailed logs to an external address that doesn't send
> them from root?

You most probably want to make it so that root email from the set of  
machines is forwarded appropriately rather than disabling root from  
being exposed.  But, if you still really want to do so, you'll either  
need to set up a custom domain rather than using generic.m4, or simply  
remove the line "C{E}root" from your sendmail.cf.

-- 
-Chuck
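
Added example, not part of the original message: a shell check that lists the members of sendmail class E (the exposed users, which is where the "C{E}root" line lives) in a given sendmail.cf, so you can confirm on each machine whether root is still exposed. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Print every member of class E (exposed users) defined in a sendmail.cf.
# Handles the brace form "C{E}root", the single-letter form "CE root",
# and several members on one line. "F{E}..." lines load the class from a
# file; they are reported with a "file:" prefix rather than followed.
exposed_users() {
    awk '
        /^C[{]E[}]/ { sub(/^C[{]E[}]/, ""); for (i = 1; i <= NF; i++) print $i; next }
        /^CE/       { sub(/^CE/, "");       for (i = 1; i <= NF; i++) print $i; next }
        /^F[{]E[}]/ { sub(/^F[{]E[}]/, ""); print "file:" $0; next }
        /^FE/       { sub(/^FE/, "");       print "file:" $0; next }
    ' "$1" | sort -u
}

# Succeeds (exit status 0) when root is a member of class E in the given file.
root_exposed() {
    exposed_users "$1" | grep -qx 'root'
}

# Constructed sample configuration, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# local info
C{w}localhost
DMexample.org
# class E: names that should be exposed as from this host
C{E}root
CE operator backup
EOF

echo "Exposed users in sample:"
exposed_users "$sample"
if root_exposed "$sample"; then
    echo "root is exposed: its mail keeps the internal host name"
else
    echo "root is not exposed: its mail is masqueraded like any other user"
fi
rm -f "$sample"
```

To check a live system, pass the path of the installed sendmail.cf to `exposed_users` instead of the sample file.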



