Ignoring last received from

Alex alex at skynet-srl.com
Thu Apr 26 08:32:40 IST 2007



>
> On 24/04/07, Alex <alex at skynet-srl.com> wrote:
>> > Hi guys
>> >
>> > I'm playing with a damned configuration I can't figure how to have it
>> > working.
>> >
>> > THE PROBLEM
>> > =============
>> > All the mail that comes on some servers passes on SMTP servers that
>> > are behind a firewall.
>> >
>> > Those servers are placed in a DMZ and use Postfix with load balancing.
>> >
>> > Those SMTP servers decide where to send their mail on different mail
>> > servers using sendmail AND Mailscanner.
>> >
>> >
>> > INTERNET ----->firewall----->SMTP servers (10.0.0.55)------- route to
>> > SMTP using MS -->Mailscanner
>> >
>> > If I set up a whitelist like the following
>> >
>> > From:   1.2.3.4    and   To: address at domain   yes
>> >
>> > it will never match since the headers of the received mail on the
>> > Mailscanner servers look like
>> >
>> > Received from: 10.0.0.55 <----- this is the internal IP of the last
>> > passed through SMTP server
>> > Received from : 1.2.3.4   <---- this is the public INTERNET server who
>> > sent the mail and I can't match to...
>> >
>> > THE SOLUTIONS I TRIED (with no success)
>> > =====================
>> > a) used the Remove Header in MS configuration, but this seems to only
>> > match complete headers.
>> >
>> >    I cannot remove
>> >   Received from : 10.0.0.
>> >
>> > but I can remove all the Received from headers (useless for my problem)
>> >
>> > b) It seems I can't find an m4 macro to tell sendmail not to add the
>> > Received from  header (it's so easy in Postfix)
>> >
>> > I don't think I'm the  only one with this problem.
>> >
>> > How did you guys solve this?
>> >
>> >
>> First of all thanks to all the guys who answered this (I discovered not
>> so) simple question,
>>
>> Someone suggested to change the network architecture.
>>
>> This is not a choice, since not all the domains we manage have to pass
>> through MS, so only specific ones are routed to the servers running MS.
>
> Someone would be me then:-).
> Of course you can change the topology.
> You can let MailScanner avoid all non-managed domains.
> Or you could manage them via a separate set of MX:s (instead of having
> all going through the same set of servers)... The possibilities are
> well-nigh endless:-D.
> Would likely simplify your topology a whole lot, removing a (then not
> needed) layer of indirection;-).
>
>> Furthermore it is not a spam detection problem, so writing a specific SA
>> rules won't help since the spam detection works fine.
>>
>> The problem only arises when I try to write a MS rule where the from IP
>> address is involved, since MS seems to only consider the very last
>> (indeed top-first) Received from header.
>>
>> From: 1.2.3.4 and From *@mydomain.com yes <--- never matches
>>
>> The Header says the last server the message passed through is our DMZ
>> server (10.0.0.55) so it never matches the above From rule.
>
> You might actually have more problems than that (in SA, no less), but
> let's not go there:-).
>
What do you mean?? Please enlighten me! Is there something important I missed?
>>
>> I think this damned thing may be managed in two ways:
>>
>> - Instructing sendmail on the private servers to not add the Received
>> from header but don't know how to do that. In Postfix this is very easy:
>> write a header_check rule that simply ignores the matching header so it
>> doesn't get added to the final message and BANG it works!
>
> This breaks one of the few MUST statements in the RFC. Not really a
> good thing, even though you can do it with PF.
>
>> - Instructing MS to match the second Received from: header instead of
>> the first one (?????)
>
> There is no provision for this in MS.
>
>> I see someone else is having the same problem (may I say Welcome??)
>>
>> I have searched the internet for the IP hiding problem in Sendmail
>> (usually used to hide internal private IP's and names from the external)
>> but I came to a lot of infos (milter, voodoo and so on) but no specific
>> ideas.
>>
>> Using procmail with formail may be a way, but it looks very complicated
>> since the recipe's formail action should do a complete rewrite of the
>> received from header, and to accomplish that I suspect it needs an
>> external PERL/BASH/other scripting language that may lead to system
>> vulnerabilities or instability.
>>
>> Any ideas out there??
>>
> As said, I think you are going at this a bit backward, trying to
> defeat the standard instead of working with it. Sure, you might find a
> solution eventually... Like, for example, not using Sendmail with the
> "backend MS servers"... As you say, breaking the RFC in this
> particular way is rather easy in Postfix... And Postfix works nice
> with MailScanner....;-).
>
> Cheers

Thanks. It has been a long time since I started thinking about moving my 
sendmail servers to postfix and this may be the right time...
>>
>> You can look at all headers in a Custom Function. Very simple with 
>> MailScanner. IIRC, Julian said something about being able to call 
>> custom functions from within rulesets too, which I have not played 
>> with but sounded intriguing!
>> See my basic example custom function posted here a few weeks ago.
>>
>> Ken Anderson
>> Pacific.Net
>>
>>
Good suggestion. I'll give it a try

Thanks to everyone and best regards

Alessandro
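
An added example, not part of the original message and not MailScanner code: the "look past the internal relay's Received header" logic discussed in this thread, as stand-alone Python that walks the Received headers newest first and returns the first peer address that is not one of your own relays. The trusted range 10.0.0.0/24, the host names and the sample message are constructed assumptions.

```python
import email
import ipaddress
import re

# Assumption: relays whose Received stamps we trust (the DMZ Postfix hosts).
TRUSTED_RELAYS = [ipaddress.ip_network("10.0.0.0/24")]
# Bracketed peer address that Postfix and sendmail record in the "from" clause.
_FROM_IP = re.compile(r"^from\s.*?\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", re.S)

# Constructed sample: Internet host -> DMZ relay (10.0.0.55) -> MailScanner host.
SAMPLE = (
    "Received: from dmz1.example.net (dmz1.example.net [10.0.0.55])\n"
    "\tby ms1.example.net (8.13.8/8.13.8) with ESMTP id l3Q0001\n"
    "\tfor <address@example.net>; Thu, 26 Apr 2007 08:30:02 +0200\n"
    "Received: from mail.example.org (mail.example.org [1.2.3.4])\n"
    "\tby dmz1.example.net (Postfix) with ESMTP id 5A1B2C\n"
    "\tfor <address@example.net>; Thu, 26 Apr 2007 08:30:01 +0200\n"
    "Received: from pc (unknown [192.168.1.7])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 77F00\n"
    "From: someone@example.org\n"
    "To: address@example.net\n"
    "Subject: test\n\nbody\n"
)


def client_ip(received):
    """Return the peer address recorded in one Received header, or None."""
    # Only look before " by " so text later in the header cannot match.
    head = re.split(r"\sby\s", received, maxsplit=1)[0]
    m = _FROM_IP.search(head)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def external_sender_ip(raw_message, trusted=TRUSTED_RELAYS):
    """Walk Received headers newest first; return the first untrusted peer."""
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        ip = client_ip(header)
        if ip is None:
            return None      # unparseable hop: stop rather than guess
        if not any(ip in net for net in trusted):
            return str(ip)   # stamped by our relay; older headers are sender-supplied
    return None              # every hop was internal
```

The walk stops at the first untrusted peer on purpose: every Received line below that point arrived with the message and cannot be relied on for a whitelist decision.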

