SUMMARY: sendmail site hiding (LONG)

From: Dr. D.C. Williams (dcwill%ee.unr.edu@mailroute.UNR.EDU)
Date: Sat Sep 03 1994 - 05:32:55 CDT


G'day, ladies and gentlemen:

SUMMARY OF SUMMARY: Say "sendmail 8.6.9"

Many thanks to everyone who offered assistance, and thanks also to
those who said "I want to know that, too!" for making me realize
that I'm not the only one who doesn't speak sendmail (thank God
for real sysadmins!).

All of the specific suggestions (except the one that said "jump
off a bridge") are appended below. For many reasons (including
enhanced security, greatly improved comprehensibility, and what
seemed like the shortest path out of the dark woods), I elected to
go with sendmail 8.6.9. I used archie (but you have to search for
sendmail.8.6.9 for anything to show up) and found a site in Italy
(I think) and one in the U.S., but unfortunately, the specific
machine info is written on a notepad that is where I isn't right
now. If you can't find it using archie yourself, send me email
and I'll let you know next week. Apologies.

At least for the system I was hammering at the time, it installed
just as advertised and worked exceedingly well. All that's required
to have your machine "masquerade" as another (or use a specific
identifier for mail) is to set the DM parameter to whatever you like.
I recommend it for anyone who wants to use mail and not make a career
of learning how to (successfully) configure it.

Again, copious thanks to everyone who helped. I sincerely
hope that I haven't left anyone off the list, but my email system
just might have been a bit compromised while some idiot with a very
strong physical resemblance to me was hacking away at Sun's sendmail.cf
before installing sendmail 8.6.9. In no particular order, the sendmail
Hall of Fame:

hightower@afwc.af.mil
Larry_Chin@cchtor.ca.cch.com
brb@ike.safb.af.mil
william@wet.sbi.com
jamervi@sandia.gov
rnclear@sandia.gov
edk@mach10.utica1.kaman.com
nitkin@ptdcs2.intel.com
jason@qabc.uq.oz.au
fetrow@biostat.washington.edu

I received many requests for this info, so I will enclose the full
body of each message below:
------------------------------------------------------------------
The original SOS:

HP has a very nice feature for sendmail.cf which is called site
hiding; by specifying DYfoo.bar.edu, all mail passing through the
mailhost will be sent with a return address as user@foo.bar.edu
regardless of the originating machine. I would like to be able to
do the same thing with 4.1.3, but site hiding isn't documented
(and doesn't work regardless). I've tried a number of configurations
and can't seem to get rid of the hostname, although I can change
the domain at will.

Currently, mail goes out as user@machine.foo.bar.edu.

I would like it to go out as user@foo.bar.edu after passing through
an HP mailhost that does this with a few dozen other machines.

Would someone be so kind as to send along the secret formula for
accomplishing this? Many thanks in advance.

----------------------------------------------------------
from hightower@afwc.af.mil:

This may not be the answer you are looking for, but...

I would *highly* recommend that you run sendmail 8.6.8 instead of the
stock Sun sendmail. Lots of security fixes, bug fixes, etc., plus it
allows you much more options and tweaks. For instance, this message was
sent from utah.afwc.af.mil, but note the return address as afwc.af.mil.

Compiling was not a problem--you just need to get all the packages. I
can assist you if you'd like.

Dave
______________________________________________________________________________
Dave Hightower | opinion? I'm allowed to have an opinion?
Systems Manager | well, if I DID have one, it'd be mine, all mine!
Air Force Wargaming Center | "Dum vivimus, vivamus!"
hightower@afwc.af.mil |
------------------------------------------------------------------------------

---------------------------------------------------------------
Larry_Chin@cchtor.ca.cch.com:

I believe in sendmail.main.cf there is a "Dm" macro defined.

Just set it to be foo.bar.edu and have all machines send their mail to
mailhost for final delivery.

Thu Sep 1 10:13:46 EDT 1994
===========================================================================
Larry Chin {larry@cchtor.ca.cch.com} System/Network Administrator
CCH Canadian Ltd. (416) 441-4001 ext. 349
===========================================================================

-----------------------------------------------------------------------

brb@ike.safb.af.mil:
 
Look in /etc/sendmail.cf at the section that begins with:

        #################################################
        #
        # General configuration information

        # local domain names
        #
        # These can now be determined from the domainname system call.
        # The first component of the NIS domain name is stripped off unless
        # it begins with a dot or a plus sign.

Seems like if you run NIS and do not have a Dm line, the first
component of NIS domain name is stripped. You're in luck if the NIS
domain name is the same as the DNS domain name.

Just a thought...

Bruce Baier
brb@ike.safb.af.mil

-----------------------------------------------------------------------

>From william@wet.sbi.com Thu Sep 1 11:39 PDT 1994

Don't use Sun's sendmail.

Standard BSD `sendmail 8.6.9' allows this kind of thing by `masquerading'
and restamping an email's From: line...

        Will.
       ____________
      / _/ _ / / / | Salomon Brothers International Limited
     /_ / _ / / /_ |---------------------------------------------
    /___/___/_/___/ | William Charles - Unix Systems Administrator

------------------------------------------------------------------------

from jamervi@sandia.gov:

What we do here is in ruleset 11 we change the line:

R$+ $@$1<@$w> tack on our hostname

to

R$+ $@$1<@sandia.gov> tack on our hostname

and the line in the DDN Mailer specification:

R$+ $@$1<@$m> tack on our domain

to

R$+ $@$1<@sandia.gov> tack on our domain

That does for us what it looks like you want to do for you.

Hope it helps

                         \\\|///
                        \\ ~ ~ //
                        (/ @ @ /)
         +------------oOOo-(_)-oOOo-------------+
         | Joe Mervini |
         | Sandia National Labs Division 1236 |
         | P.O. Box 5800 |
         | Albuquerque, NM 87185-1193 |
         | 505-845-7253 Fax 505-845-7890 |
         | e-mail: jamervi@sandia.gov |
         +--------------------------------------+
                        \__||__/
                        _|| ||_
                       (__| |__)

------------------------------------------------

from rnclear@sandia.gov:
 
D.C.,
        I don't know why these changes are necessary but someone who
        was very literate in sendmail.cf files suggested I make the
        following changes to the sendmail.cf file ruleset S11.

############################################################
#####
##### Ethernet Mailer specification
#####
##### Messages processed by this configuration are assumed to remain
##### in the same domain. This really has nothing particular to do
##### with Ethernet - the name is historical.

Mether, P=[TCP], F=msDFMuCX, S=11, R=21, A=TCP $h
S11
R$*<@$+>$* $@$1<@$2>$3 already ok
#R$+ $@$1<@$w> tack on our hostname
#
# The "w" was commented out as per SUN and the @foo.bar was
# installed to allow the mailer to mask the full machine name.
# 10/4/93 rnc.
#
R$+ $@$1<@foo.bar> tack on our hostname

Hope this helps.

                                   Richard N. Cleary
     _/_/_/ _/ _/ _/ SANDIA NATIONAL LABORATORIES _/_/_/
   _/ _/_/ _/ _/ P.O. Box 5800 _/_/
  _/_/_/ _/ _/ _/ _/ Albuquerque, NM 87185-1193 _/_/_/_/_/_/
     _/ _/ _/_/ _/ rnclear@sandia.gov - E-Mail _/ _/_/ _/
_/_/_/ _/ _/ _/_/_/_/ 505/845-7836 - Phone (voice-mail) _/ _/_/ _/

-----------------------------------------------------------------------

from edk@mach10.utica1.kaman.com:
 
I don't know if this will help or not, but it seems to address (no pun intended)
your problem.

Ed Killian

System Engineer
System Administrator
Kaman Sciences Corporation Phone (315) 734-3629
258 Genesee Street FAX (315) 734-3699
Utica, New York 13502-4627 email edk@utica1.kaman.com
#############################################################################
The opinions expressed are mine, wholly mine, and nothing but mine.
#############################################################################

----- Begin Included Message -----

>From sun-managers-relay@ra.mcs.anl.gov Thu Jan 27 23:02:50 1994
Date: Thu, 27 Jan 1994 12:36:18 +0000
From: eamonn.mcgonigle@compapp.dcu.ie
To: sun-managers@eecs.nwu.edu
Subject: SUMMARY: Setting out-going mail to "Firstname.Lastname@domain" format
Cc: glaqua@cal012.bprc.ab.ca

I asked in despair and desperation....
> Dear Sunmanagers,
> I give up...how do you persuade sendmail to convert the outgoing mail address
> to 'Firstname.Lastname@domain' format ??? I've been R'ing TFMs but can find
> no reference to it, and my own attempts at it have all been doomed to failure.

As you can see, I got it working ! Actually, I stumbled on the solution by
trial and error soon after posting the request. The problem was that the
aliases I had in /etc/aliases on the NIS master weren't going into the
mail.byaddr NIS map. The reason for this is that (drum roll....) only aliases
of the form

aliasname: realname@host

(with the "@host" being the critical part) go into the mail.byaddr map. Once
over this hurdle, it was relatively simple to persuade the sendmail.cf on the
server to do the conversion.

The rest of this summary contains the specifics of how it's done at
our site and excerpts from some respondents about how they managed to crack it.
It may be useful to someone - if you're not interested, you can skip the rest
of this (rather long) message (or if you responded to the original query, skip
to the bottom to see your name in lights !!!!)

Here it goes...:

The /etc/aliases file at our site contains an entry for every staff member
which looks like this:

Eamonn.McGonigle: eamonn@compapp.dcu.ie

These go into the mail.byaddr map, with "eamonn@compapp.dcu.ie" being the key
and "Eamonn.McGonigle" being the result of a lookup with that key (the opposite
of a normal alias lookup).

The sendmail.cf on our mail gateway is trained to convert the sender address to
'user@compapp.dcu.ie' regardless of which machine the message originated from,
and to accept messages destined for 'user', 'user@singlehost',
'user@compapp.dcu.ie', 'user@host.compapp.dcu.ie' etc etc and to treat them as
local. The following extract from the .cf file does most of the work:-

############################################################
#
# DDN Mailer specification
#
# Send mail on the Defense Data Network
# (such as Arpanet or Milnet)

#Mddn, P=[TCP], F=msDFMuCX, S=22, R=22, A=TCP $h, E=\r\n
# We want the sender to be rewritten as firstname.lastname@domain
Mddn, P=[TCP], F=msDFMuCX, S=32, R=22, A=TCP $h, E=\r\n

# map containing the inverse of mail.aliases
DZmail.byaddr

S22
#R$*<@LOCAL>$* $:$1
#R$-<@$-> $:$>3${Z$1@$2$} invert aliases
#R$*<@$+.$*>$* $@$1<@$2.$3>$4 already ok
#R$+<@$+>$* $@$1<@$2.$m>$3 tack on our domain
#R$+ $@$1<@$m> tack on our domain
# Rewrite 'user', 'user@host' or 'user@host.ourdomain' as 'user@ourdomain'.
# (EMcG)
R$+<@$->$* $@$1<@LOCAL>$3 user@host
R$+<@$+.LOCAL>$* $@$1<@LOCAL>$3 user@host.thisdomain
R$+<@$+>$* $@$1<@$2>$3 user@host.anydomain
R$+ $@$1<@LOCAL> user

S32
# This ruleset looks up the 'Z' NIS map (Z defined above) to convert 'username'
# to 'firstname.lastname' (EMcG)
R$* $:$>22$1 affix LOCAL to locals
R$-<@LOCAL> $:${Z$1@$m$}<@LOCAL> convert username
R$-@$m<@LOCAL> $@$1<@LOCAL> fix names not converted

Ruleset 32 converts from username to firstname.lastname. It looks up
'username@compapp.dcu.ie' in the NIS map. The return value will be either
'Firstname.Lastname' or 'username@compapp.dcu.ie' depending on whether or not
it finds a match. In either case, it tags '<@LOCAL>' on the end. The last line
of ruleset 32 simply converts the 'username@compapp.dcu.ie<@LOCAL>' (in the case
where no match is found) to 'username<@LOCAL>'. There are probably 1000 better
ways to do this...but it works and it's not tooooo ugly (I think !).

On a completely different tack, several people pointed out that IDA sendmail
or sendmail 8 can do all this (and other things) with far less trouble and
heartache. A number of other solutions were proposed using Sun's sendmail,
the bones of which I've included below.

| From davec@cs.ust.hk Wed Jan 26 06:21:33 1994
| Hal Stern has an excellent column in every month's
| issue of SunWorld magazine on sys admin stuff.
| You should get it.
|
| In the November and December issue he covers some sendmail
| stuff. And quoting from his article:
| [text of article deleted - if/when I get Hal's permission to do so, I'll
| forward it to anyone who wants it.]

| From tdjp1@cus.cam.ac.uk Wed Jan 26 09:19:56 1994 (Dr. Tim Perkins)
|
| This is a problem that I've been trying to solve for a while and have
| come up with some kind of solution although I'm not completely happy
| with it. Basically, you need to get sendmail to use ruleset S1 to do the
| conversion for outgoing mail (sender only). We have one machine that
| collects all mail on our network before forwarding to more `intelligent'
| mailers run by the University. The /etc/sendmail.cf on our server system
| includes the following lines:
|
| # Translate id -> First.Last for outgoing mail only
| S1
| Rtdjp1 Tim.Perkins
|
| Kill and restart the "/usr/lib/sendmail -bd -q" process.
|
| The above lines were created manually which is fine for a small site.
| For larger installations you may be able to start from a data file
| (/etc/passwd?) and process it to produce both an include file for
| sendmail and the NIS /etc/aliases map---should be fairly easy with awk
| I guess.
|
| My information on sendmail comes from:
| Sun System & Network Administration
| Sendmail-care and feeding by Reg Quinton (found on sunsite?)
| something by Charles Hendrick (on this mailing list I think)

| From feldt@phyast.nhn.uoknor.edu Wed Jan 26 15:18:35 1994 (Andy Feldt)
| Organization: Dept. Physics & Astronomy, The University of Oklahoma
|
| Here is the summary I kept...
|
| Good luck!
|
| Andy Feldt
| System Support Programmer
| Department of Physics and Astronomy
| The University of Oklahoma
|
| ----- Begin Included Message -----
|
| >From sun-managers-relay@ra.mcs.anl.gov Fri Mar 12 01:55:32 1993
| Date: Thu, 11 Mar 93 13:55:27 CST
| From: Mike.Jenkins@NCTS.NAVY.MIL (Mike Jenkins)
| To: sun-managers@eecs.nwu.edu
| Subject: SUMMARY: how to rewrite outgoing mail?
| Cc: pdijlh@pii.com, suresh@cis.njit.edu
|
| >How do I rewrite outgoing mail to lastname.firstname@domainname?
|
| Most of the responses I got were "I'd like to do that also". A few
| said this is easily done with Sendmail+IDA found at uxc.cso.uiuc.edu.
| I decided to work with the sendmail that comes with SunOS.
|
| The key to rewriting sender addresses is the metasymbol "${x key$}"
| which looks up "key" in NIS map $x and returns the value. This is used
| in the ddn mailer ruleset S22 to look up sender addresses of the
| form "user@host" in the mail.byaddr NIS map and rewrite it to the
| value found in mail.byaddr. The ddn mailer is my outgoing mailer
| so I worked on it.
|
| Most of our sender addresses look like "user" and a few like "user@client".
| I added a rule to S22 to also look up "user" in mail.byaddr. I also
| added some lines to /var/yp/Makefile to rebuild mail.byaddr from the
| Firstname.Lastname aliases in /etc/aliases.
|
| If you are similarly configured like us, all it takes is a line to
| S22, 4 lines to /var/yp/Makefile, and a properly setup aliases file.
| See below for details. I hope it works for you!
|
|
| Mike Jenkins
| -----------------------------------------------------------------
|
|
| The rule added right after S22:
|
| S22
| R$- $:$>3${Z$1$} user
| ...
|
| The /var/yp/Makefile changes at aliases.time:
|
| ...
| rm $(YPDBDIR)/$(DOM)/mail.aliases;
| #
| # Build my own mail.byaddr wiping out existing mail.byaddr
| #
| @(egrep '^[A-Z][a-z]*\.[A-Z][a-z]*:' $(DIR)/aliases $(CHKPIPE))\
| |( sed -e 's/:/ /' -e 's/@themailhost//' -e 's/,/ /' $(CHKPIPE))\
| |( awk '{print $$2,$$1}' $(CHKPIPE))\
| | $(MAKEDBM) - $(YPDBDIR)/$(DOM)/mail.byaddr;
| #
| ...
|
| The aliases file:
|
| joe: joe@themailhost
| Joe.Smith: joe@themailhost
| sue: sue@herclient
| Sue.Allen: sue@herclient, sue@elsewhere
|
| The mail.byaddr built from aliases file:
|
| Key Value
| --- -----
| joe Joe.Smith
| sue@herclient Sue.Allen
|
|
|
| ----- End Included Message -----
 

| From: octela!jfd@uunet.UU.NET (John F. Detke)
|
| Well don't feel bad, it isn't obvious, at least it wasn't to me or several
| sendmail gurus I asked. The solution I came up with I ran by Eric who said
| it seemed to make sense. What I did was munged together a system using
| the Berkeley user DB (which eric is developing, and it is hard to find info
| on) and then in sendmail's cf file access that DB thusly:
|
| # Eng User DB
| Kfirstlastmap btree /etc/users
|
| and then tacked on:
|
| # jfd hack to rewrite to first.last
| R$+ < @ $m . > $:$(firstlastmap $1:mailname $:$1 $) < @ $m . >
|
| to Ruleset 31, which is used for sender masquerading. I figured if you
| could masquerade as another machine, why not another user? It works.
|
| In the latest Sunworld there's a good article that shows how to do this
| using NIS maps. I rewrite on machines I'd rather not run NIS on, for security
| reasons.
|

One last "editorial" comment...
It is pretty bad that nowhere in the documentation is the mail.byaddr map
discussed, that the man pages don't contain an entry for mkalias (which
generates the map) and that the whole mechanism is there but totally
undocumented by Sun. Come on, folks...you can do better than that.

Thanks to all who took the time and trouble to respond....:

From: davec@cs.ust.hk (Dave Curado)
From: eric.deschamps@diva.fr (Eric Deschamps)
From: tdjp1@cus.cam.ac.uk (Tim Perkins)
From: bobr@houston.wireline.SLB.COM ( Bob Reardon )
From: feldt@phyast.nhn.uoknor.edu (Andy Feldt)
From: Larry Belvin <Larry.Belvin@analog.com>
From: glaqua@cal012.bprc.ab.ca (Gordon Laqua)
From: octela!jfd@uunet.UU.NET (John F. Detke)
From: Jon Wright <Jon.Wright@citibank.com.au>
From: Larry Chin <Larry_Chin@cchtor.cch.com>
From: Kevin Quinlan <Kevin.Quinlan@insignia.co.uk>

...and anyone whose reply is in transit still.

-------------------------------------------------------------------------------
 Eamonn McGonigle, Phone: (+353 1) 7045649
 School of Computer Applications, FAX: (+353 1) 7045442
 Dublin City University, Mail: eamonn@compapp.dcu.ie
 Dublin 9,
 IRELAND.
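
The inverse alias lookup described in the included message, as an added example that is not part of the original posts or of sendmail itself. It rebuilds the mail.byaddr key/value pairs with the same egrep/sed/awk steps as Mike Jenkins's Makefile fragment, then models in plain shell (not in ruleset syntax) the sender rewrite with the fallback to user@domain; the function names, the foo.bar.edu domain and the sample data are assumptions.

```shell
#!/bin/sh
# Added example; the function names and the foo.bar.edu data are hypothetical.

# Constructed aliases file, same shape as the one in Mike Jenkins's message.
sample_aliases() {
cat <<'EOF'
joe: joe@themailhost
Joe.Smith: joe@themailhost
sue: sue@herclient
Sue.Allen: sue@herclient, sue@elsewhere
EOF
}

# build_byaddr MAILHOST < aliases
# Keep only Firstname.Lastname aliases, drop "@MAILHOST", keep the first
# address of a list, and swap the columns so the address becomes the key.
build_byaddr() {
    grep -E '^[A-Z][a-z]*\.[A-Z][a-z]*:' |
    sed -e 's/:/ /' -e "s/@$1//" -e 's/,/ /' |
    awk '{ print $2, $1 }'
}

# rewrite_sender MAPFILE DOMAIN ADDRESS
# Local senders become Firstname.Lastname@DOMAIN when the map has an entry,
# otherwise user@DOMAIN (host hidden). Other domains pass through untouched.
rewrite_sender() {
    map=$1; domain=$2; addr=$3
    user=${addr%%@*}
    case $addr in
        *@*) host=${addr#*@} ;;
        *)   host= ;;
    esac
    case $host in
        '' | "$domain" | *."$domain") ;;          # local, keep going
        *.*) printf '%s\n' "$addr"; return 0 ;;   # foreign domain
    esac
    short=${host%%.*}                             # m1.foo.bar.edu -> m1
    # Try the "user@host" key first, then the bare "user" key.
    name=$(awk -v k1="$user@$short" -v k2="$user" '
        $1 == k1 { full = $2 }
        $1 == k2 { bare = $2 }
        END { print (full != "" ? full : bare) }' "$map")
    printf '%s@%s\n' "${name:-$user}" "$domain"
}

# Demo run on the constructed data.
tmpmap=$(mktemp)
sample_aliases | build_byaddr themailhost > "$tmpmap"
for a in joe sue@herclient bob@m2.foo.bar.edu alice@example.org; do
    rewrite_sender "$tmpmap" foo.bar.edu "$a"
done
rm -f "$tmpmap"
```

Only the first address of a multi-address alias becomes a key, so `sue@elsewhere` never maps back to `Sue.Allen`.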

----------------------------------------------------------------------------

from nitkin@ptdcs2.intel.com:
 
You need to modify rule set 1 (sender header) to do the host hiding.
Define a class which covers all possible host names which can be found in
user@hostname.foo.bar.edu. Say you have 10 systems on your network
m1.foo.bar.edu, m2.foo.bar.edu, m3.foo.bar.edu, ... Near the top of
your sendmail.cf:

Cw m1 m2 m3 m4 m5 m6 m7 m8 m9 m10

Now modify rule set 1 (under S1 in sendmail.cf) to look for these names
and rewrite the sender header with foo.bar.edu instead of machine.foo.bar.edu.

R$- $@$1<@foo.bar.edu>
R$*<@$=w>$* $@$1<@foo.bar.edu>$3

These rules probably aren't exactly right. I use IDA sendmail which has
a much different internal representation of addresses than Sun. I don't
recall the exact flow and form of addresses in the Sun sendmail.cf. It
should be close enough to get you started and you can polish it up from
here.

-- 
- Nate Itkin
- Portland Technology Development, Intel Corporation      Aloha, Oregon
- E-mail:  Nate-Itkin@ptdcs2.intel.com

------------------------------------------------------------------

from jason@qabc.uq.oz.au:

sendmail 8.6.9

# who I masquerade as (null for no masquerading)
DMqabc.uq.oz.au

pretty simple.. but then most things in 8 6 9 are.

-jason

-----------------------------------------------------------------

from fetrow@biostat.washington.edu:

You mean something like:

# Our local subdomain name
# Change this to match your full subdomain name
#DSdept.washington.edu
DSbiostat.washington.edu

# Choose one of these two lines, the first says your From: addresses should
# be of the form: user@dept.washington.edu, the second says they should
# be of the form: user@host.dept.washington.edu.
DF$S
#DF$H

--

-Dave Fetrow mail: SC-32 (Biostat), University of Washington, Seattle, Wa. 98195 USA phone: (206)-685-2376

----------------------------------------------------------------------

END OF SUMMARY (phew . . . thanks again!)
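
A check for whether site hiding is actually in effect, as an added example that is not part of the original thread. It scans the sender headers of a message that has passed through the mailhost and reports any address that still carries a host label in front of the masquerade domain; the function name `leaked_hosts`, the domain foo.bar.edu and the sample message are constructed for illustration.

```shell
#!/bin/sh
# Added example; leaked_hosts and the sample message are hypothetical.

# Constructed outbound message, not taken from the thread.
sample_message() {
cat <<'EOF'
From: D. Example <dexample@m3.foo.bar.edu>
Sender: ops@M1.FOO.BAR.EDU
Reply-To: dexample@foo.bar.edu
To: someone@example.org
Subject: test

The body may mention root@m9.foo.bar.edu; only headers are checked.
EOF
}

# leaked_hosts DOMAIN < message
# Prints "Header: address" for every From/Sender/Reply-To/Return-Path address
# of the form user@host.DOMAIN. Addresses at DOMAIN itself are fine.
leaked_hosts() {
    awk -v dom="$1" '
        function scan(line,    n, i, w, host) {
            # Split on whitespace and the punctuation that surrounds addresses.
            n = split(line, w, /[ \t<>,;()"]+/)
            for (i = 1; i <= n; i++) {
                if (index(w[i], "@") == 0) continue
                host = tolower(substr(w[i], index(w[i], "@") + 1))
                # Leak: host ends in ".DOMAIN" with at least one label before it.
                if (length(host) > length(dom) + 1 &&
                    substr(host, length(host) - length(dom)) == "." dom)
                    print hdr ": " w[i]
            }
        }
        BEGIN    { dom = tolower(dom) }
        /^$/     { exit }                         # end of the header block
        /^[ \t]/ { if (keep) scan($0); next }     # folded continuation line
                 { keep = 0 }
        tolower($0) ~ /^(from|sender|reply-to|return-path):/ {
            hdr = substr($0, 1, index($0, ":") - 1); keep = 1; scan($0)
        }'
}

# Demo run on the constructed message.
sample_message | leaked_hosts foo.bar.edu
```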


