"Linux Gazette...making Linux just a little more fun!"


The Answer Guy


By James T. Dennis, linux-questions-only@ssc.com
Starshine Technical Services, http://www.starshine.org/


(?)'sendmail' Masquerading: What and Why

From Stephen Oberther on Tue, 07 Apr 1998

First of all let me say that I love the magazine and your column. This problem has been bothering me for quite some time now and I can't seem to figure out how to remedy it. I have a dial-up internet account but use my local sendmail for email distribution.

My question is this: Is there a way to have my actual email address stamped onto my email so that the recipient can just reply to the email normally and have the reply go to my account with my ISP? Currently, with the exception of this message if netscape works properly, the from field is posted with my username and my local machine name, as it should be. Is this possible at all or is it just a lost cause?

(!)Yes, there is a way to have your system "masquerade" as some other system or domain. In fact this is what most organizations do.

Note: this 'sendmail' masquerading feature should not be confused with "IP Masquerading" (which is a form of TCP/IP network address translation -- or NAT). In the context of mail the term refers purely to how the headers of each piece of mail are constructed. (IP masquerading is at the transport layer of the OSI reference model while 'sendmail' masquerading is at the application layer).

Now the fact that you mention Netscape (presumably NS Navigator or Communicator) raises a different issue. Some MUAs --- particularly those that have been ported from or significantly influenced by non-Unix code --- will bypass the normal conventions for mail handling under Unix and deliver their own mail directly to the apparent recipient (by doing the appropriate DNS query for MX records and engaging in a direct TCP dialog with that host's SMTP port). In many cases you can configure these to relay mail through some other system --- such as 'localhost' --- which will allow your 'sendmail' (or qmail, or vmail, or other local MTA (mail transport agent)) to apply your local policies (like header rewrites) to the mail.

Host "hiding" via 'sendmail' masquerading is such a local policy. Assuming you're using 'sendmail' you can enable it by adding the following lines to your 'mc' (Macro Config) file:

    dnl Add the domain even to addresses on locally delivered mail
    FEATURE(always_add_domain)dnl
    dnl Masquerade recipient addresses as well as sender addresses
    FEATURE(allmasquerade)dnl
    dnl Masquerade the envelope addresses, not just the headers
    FEATURE(masquerade_envelope)dnl
    dnl Replace $YOURHOST with the host or domain to masquerade as
    MASQUERADE_AS($YOURHOST)dnl

Naturally you probably need other lines in there and you need to run this through the M4 macro preprocessor to generate your /etc/sendmail.cf file. (I do not recommend hand hacking the cf files as this is more error prone and harder to document and review later).

You might not need all of these features --- but I use them.

Note: this doesn't "hide" your internal host names and/or IP address in the "Received:" headers --- which is an FAQ in security (via obscurity) features. It merely affects the Reply-Path: and From: addresses.

The part about "masquerade_envelope" is one I've added more recently. It prevents some potentially alarming headers from appearing in my mail when a receiving or relaying mailhost's sendmail (or other MTA) can't do a proper "double reverse" lookup of my address. (Yes, my DNS and reverse DNS are out of sync --- and no, I haven't fought it out with my ISP nor have I assumed control of my own DNS. Let's not talk about the footwear on the cobbler's kids!).

(?)Oh and just in case the from address is wrong on this email it should be ...

Thanks in advance, Stephen Oberther

(!)The first test I would make in your situation is to pass a message straight to sendmail with a command like:

    /usr/lib/sendmail -t -v -oe < $TESTMAIL

... where $TESTMAIL is the name of a file that has a reasonably formatted piece of mail (at least a To: and a Subject: line for a header, a blank line and a few lines of text for the body).

Point the To: line at one of your other accounts, to a friend, or through some autoresponder (pick one that doesn't remove the headers). Then you can see what sort of rewriting is occurring. It may be that your system's MTA is already properly configured and you can focus on the MUA (mail user agent).
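Once the test message comes back, the rewriting can be checked mechanically. The script below is an added example, not part of the original column: it reads only the header block of a saved message and reports whether From: and Return-Path: (where the delivering MTA records the envelope sender) carry the masquerade domain. The helper names, the sample messages and the domains isp.example and localbox.home.example are constructed for illustration.

```shell
# Print the domain of the first address in header $1 of message file $2.
header_domain() {
    awk -v h="$1" '
        BEGIN { h = tolower(h) ":" }
        /^$/ { exit }                      # stop at end of the header block
        index(tolower($0), h) == 1 {
            if (match($0, /@[A-Za-z0-9.-]+/))
                print tolower(substr($0, RSTART + 1, RLENGTH - 1))
            exit
        }' "$2"
}

# Return 0 only if From: and Return-Path: both carry masquerade domain $2.
check_masq() {
    rc=0
    for hdr in From Return-Path; do
        got=$(header_domain "$hdr" "$1")
        if [ "$got" = "$2" ]; then
            echo "ok   $hdr: $got"
        else
            echo "FAIL $hdr: ${got:-missing} (expected $2)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: write a returned message to file $1 with sender domain
# $2. The Received: line names the internal host either way (not rewritten).
write_sample() {
    cat > "$1" <<EOF
Return-Path: <user@$2>
Received: from localbox.home.example (localbox.home.example [192.0.2.10])
    by mx.isp.example; Tue, 7 Apr 1998 10:00:00 -0700
From: user@$2
To: friend@other.example
Subject: masquerade test

Test body mentioning someone@elsewhere.example
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/good.msg" isp.example            # masquerading applied
write_sample "$tmp/bad.msg" localbox.home.example   # local host name leaked
check_masq "$tmp/good.msg" isp.example || true
check_masq "$tmp/bad.msg" isp.example || true
rm -rf "$tmp"
```

A FAIL on Return-Path: alone means the headers are being rewritten but the envelope is not.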


Copyright © 1998, James T. Dennis
Published in Linux Gazette Issue 28 May 1998

