Sendmail Masquerading and root mails

Jeffrey Goldberg jeffrey at goldmark.org
Mon Aug 3 04:34:29 UTC 2009


On Aug 2, 2009, at 8:22 PM, Danny Carroll wrote:

> I've added the following to the default sendmail mc file:
>
> MASQUERADE_AS(`mypublicdomain.com')dnl
> FEATURE(masquerade_envelope)dnl
> MASQUERADE_DOMAIN(beasie.lan)dnl
>
> Recompiled the cf files and restarted sendmail.
>
> Here is the kicker.  If I log in as a normal user it masquerades just
> fine.
>
> If I simply "su -" to root, the masquerading works fine and the mail is
> sent as the original logged in user.
>
> But if I log in as root via the console then it does not alter the
> messages.

By default sendmail does not MASQUERADE root (figuring that you get  
root mail from several of your machines and want to see which machine  
it is from).  In the old days there was a feature  
"NO_MASQUERADE_ROOT", but looking through cf/README I see that that is  
one of the many things that have changed since I last seriously worked  
with sendmail.

Now sendmail has a class of "exposed" users.  These are usernames for  
which masquerading shouldn't take place.  By default, root is in there.

There is an .mc file directive

   EXPOSED(`username')

which, according to the documentation, adds usernames to the list that  
shouldn't be masqueraded.  Unfortunately, I don't see a mechanism for  
removing members from the E (Exposed) class.

You could try

  EXPOSED()

or

  EXPOSED(`')

to see if either will remove things in the E class.

The offending line in the generated .cf file is

  C{E}root

If you still end up with that, then root will not get masqueraded.

So if the above doesn't work, there probably is a clean way of  
clearing a class from the .mc file, but I don't know what it is.   
Hopefully others will be able to answer.

In the worst case, you could manually edit the generated .cf file, to  
remove the
  C{E}root
line, but that is not really a road I would recommend going down.

At the risk of suggesting something that you probably know you should  
do in the long run, but would take a lot of tedious work to set up,  
you should probably move away from having your private network be .lan.

Instead use .private.mypublicdomain.com and set up a local (on your  
private network) nameserver for that private subdomain.

Sorry I couldn't be of more help.

Cheers,

-j


-- 
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
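
A way to check a rebuilt .cf file for the `C{E}root` line discussed in the message above, added here as an example and not part of the original post. The function names `exposed_users` and `root_is_exposed` are hypothetical, and the sample .cf fragment is constructed for illustration.

```shell
#!/bin/sh
# Added example: report which usernames a generated sendmail .cf file puts
# in class E (the "exposed" users that are not masqueraded).

# exposed_users CF_FILE
# Prints each class E member once, one per line. Accepts both spellings of
# the class name (C{E}name and CEname) and several names on one C line.
exposed_users() {
    awk '
        /^C[{]E[}]/ { rest = substr($0, 5) }   # text after "C{E}"
        /^CE/       { rest = substr($0, 3) }   # text after "CE"
        /^C[{]E[}]|^CE/ {
            n = split(rest, w, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (w[i] != "" && !seen[w[i]]++) print w[i]
        }
    ' "$1"
}

# root_is_exposed CF_FILE
# Exit status 0 if root is a member of class E, non-zero otherwise.
root_is_exposed() {
    exposed_users "$1" | grep -qx 'root'
}

# Constructed sample in the style of a generated .cf file (not real output).
# Only the C{E}root line and the beasie.lan domain come from the thread.
sample_cf=$(mktemp)
cat > "$sample_cf" <<'EOF'
# constructed fragment
C{E}root
C{E}operator  backup
CEroot
Cwlocalhost
C{M}beasie.lan
EOF

if root_is_exposed "$sample_cf"; then
    echo "root is in class E: mail from root will not be masqueraded"
else
    echo "root is not in class E"
fi
```

To check a real build, pass the path of the generated .cf file to `root_is_exposed` after each rebuild instead of the sample file.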



More information about the freebsd-questions mailing list