Ignoring last Received From

Glenn Steen glenn.steen at gmail.com
Tue Apr 24 14:10:25 IST 2007


On 24/04/07, Alex <alex at skynet-srl.com> wrote:
> > Hi guys
> >
> > I'm playing with a damned configuration I can't figure how to have it
> > working.
> >
> > THE PROBLEM
> > =============
> > All the mail that comes on some server passes on SMTP servers that
> > are behind a firewall.
> >
> > Those servers are placed in a DMZ and use Postfix with load balancing.
> >
> > Those SMTP servers decide where to send their mail on different mail
> > servers using sendmail AND Mailscanner.
> >
> >
> > INTERNET ----->firewall----->SMTP servers (10.0.0.55)------- route to
> > SMTP using MS -->Mailscanner
> >
> > If I set up a whitelist like the following
> >
> > From:   1.2.3.4    and   To: address at domain   yes
> >
> > it will never match since the headers of the received mail on the
> > Mailscanner servers look like
> >
> > Received from: 10.0.0.55 <----- this is the internal IP of the last
> > passed through SMTP server
> > Received from : 1.2.3.4   <---- this is the public INTERNET server who
> > sent the mail and I can't match to...
> >
> > THE SOLUTIONS I TRIED (with no success)
> > =====================
> > a) used the Remove Header in MS configuration, but this seems to only
> > match complete headers.
> >
> >    I cannot remove
> >   Received from : 10.0.0.
> >
> > but I can remove all the Received from headers (useless for my problem)
> >
> > b) It seems I can't find a m4 macro to tell sendmail not to add the
> > Received from  header (it's so easy in Postfix)
> >
> > I don't think I'm the  only one with this problem.
> >
> > How did you guys solve this?
> >
> >
> First of all thanks to all the guys who answered this (I discovered not
> so) simple question,
>
> Someone suggested to change the network architecture.
>
> This is not a choice, since not all the domains we manage have to pass
> through MS, so only specific ones are routed to the servers running MS.

Someone would be me then:-).
Of course you can change the topology.
You can let MailScanner avoid all non-managed domains.
Or you could manage them via a separate set of MX:s (instead of having
all going through the same set of servers)... The possibilities are
well-nigh endless:-D.
Would likely simplify your topology a whole lot, removing a (then not
needed) layer of indirection;-).

> Furthermore it is not a spam detection problem, so writing a specific SA
> rules won't help since the spam detection works fine.
>
> The problem only arises when I write a MS rule where the from IP
> address is involved, since MS seems to only consider the very last
> (indeed top-first) Received from header.
>
> From: 1.2.3.4 and From *@mydomain.com yes <--- never matches
>
> The Header says the last server the message passed through is our DMZ
> server (10.0.0.55) so it never matches the above From rule.

You might actually have more problems than that (in SA, no less), but
let's not go there:-).

>
> I think this damned thing may be managed in two ways:
>
> - Instructing sendmail on the private servers to not add the Received
> from header but don't know how to do that. In Postfix this is very easy:
> write a header_check rule that simply ignores the matching header so it
> doesn't get added to the final message and BANG it works!

This breaks one of the few MUST statements in the RFC. Not really a
good thing, even though you can do it with PF.

> - Instructing MS to match the second Received from: header instead of
> the first one (?????)

There is no provision for this in MS.

> I see someone else is having the same problem (may I say Welcome??)
>
> I have searched the internet for the IP hiding problem in Sendmail
> (usually used to hide internal private IP's and names from the external)
> but I came to a lot of infos (milter, voodoo and so on) but no specific
> ideas.
>
> Using procmail with formail may be a way, but it looks very complicated
> since the recipe's formail action should do a complete rewrite of the
> received from header, and to accomplish that I suspect it needs an
> external PERL/BASH/other scripting language that may lead to system
> vulnerabilities or instability.
>
> Any ideas out there??
>
As said, I think you are going at this a bit backward, trying to
defeat the standard instead of working with it. Sure, you might find a
solution eventually... Like, for example, not using Sendmail with the
"backend MS servers"... As you say, breaking the RFC in this
particular way is rather easy in Postfix... And Postfix works nice
with MailScanner....;-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
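
Added example (not part of the original thread and not MailScanner's code): one way to pick the sending IP when a known relay sits in front of the scanner, by walking the Received headers newest-first and stopping at the first client that is not one of your own relays. 10.0.0.55 and 1.2.3.4 are the addresses used in the thread; the hostnames, the sample message and the function names are constructed, and the bracketed-IP Received format is assumed to be the one sendmail and Postfix write.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Assumption: only the DMZ relay named in the thread is trusted.
TRUSTED_RELAYS = [ip_network("10.0.0.55/32")]

# Client address as the receiving MTA records it: "from helo (rdns [1.2.3.4])"
_CLIENT_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_RELAYS)


def originating_ip(raw_message):
    """Return the first client IP, newest header first, that is not a trusted
    relay, or None. That header was written by our own relay, so it is
    reliable; every header below it came from outside and is never read."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        # Only the "from ..." clause names the connecting client.
        from_part = re.split(r"\s+by\s+", received, maxsplit=1)[0]
        match = _CLIENT_IP.search(from_part)
        if not match:
            return None  # hop without a parsable client IP: fail closed
        try:
            ip = ip_address(match.group(1))
        except ValueError:
            return None
        if not is_trusted(ip):
            return ip
    return None  # only trusted hops seen, or no Received headers at all


# Constructed sample: the last header is one a sender could have forged.
SAMPLE = (
    "Received: from dmz.example.net (dmz.example.net [10.0.0.55])\n"
    "\tby ms.example.net with ESMTP; Tue, 24 Apr 2007 14:00:02 +0100\n"
    "Received: from mail.example.org (mail.example.org [1.2.3.4])\n"
    "\tby dmz.example.net with ESMTP; Tue, 24 Apr 2007 14:00:01 +0100\n"
    "Received: from forged (forged [192.0.2.9])\n"
    "\tby mail.example.org with SMTP; Tue, 24 Apr 2007 13:59:00 +0100\n"
    "From: sender@example.org\nTo: address@domain.example\n"
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    print(originating_ip(SAMPLE))
```

A whitelist keyed on this value is only as strong as the trusted list: add a relay there only if you operate it, because any header written by an untrusted host can claim an arbitrary address.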

