1. Forum
  2. Usenet
  3. COMP.MAIL.SENDMAIL

  • Have smarthost accept bounces for all machines in domain

    From Hauke Fath@21:1/5 to All on Wed Nov 30 10:11:39 2022
    Hi,

    I run a smarthost mail server through which the local machines (set up
    as nullclients) send their mail.

    For those machines which do send nightly maintenance mails, I have set

    EXPOSED_USER(`root')

    since I want to know which machine the mail is from. This works well,
    until these mails get forwarded, and upstream bounces the mails for
    policy reasons (un-registered host). Then, it turns out, the smarthost
    does not feel responsible for those bounces, leading to a double bounce
    and a dispute with the upstream postmaster.

    For historical reasons, the machines' DNS entries do not have the
    smarthost as MX. This could be fixed, but it would be painful b/c of
    upstream's byzantine registration system.

    How would I teach the smarthost to accept bounces to
    <root@otherhost.dom.ain>?

    Cheerio,
    Hauke

    --
    Now without signature.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Marco Moock@21:1/5 to All on Wed Nov 30 10:37:32 2022
    Am 30.11.2022 um 10:11:39 Uhr schrieb Hauke Fath:

    How would I teach the smarthost to accept bounces to <root@otherhost.dom.ain>?

    Which behavior do you exactly want?
    Should it just accept them for relaying or should it accept them and
    deliver them to a special place?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to Hauke Fath on Wed Nov 30 11:09:13 2022
    Hauke Fath wrote:
    How would I teach the smarthost to accept bounces to <root@otherhost.dom.ain>?

    see cf/README: class {w} or virtusertable.

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Hauke Fath@21:1/5 to All on Wed Nov 30 20:57:45 2022
    Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>
    wrote:

    Hauke Fath wrote:
    How would I teach the smarthost to accept bounces to <root@otherhost.dom.ain>?

    see cf/README: class {w} or virtusertable.

    I figured it wouldn't be easy. ;)

    Can I use wildcards for the hostname (as in 'root@*.dom.ain') with virtusertable?

    <https://comp.mail.sendmail.narkive.com/WTJbcDNf/virtusertable-and-wildcard-domains>
    appears to indicate not, but that was twenty years ago...

    Cheerio,
    Hauke

    --
    Now without signature.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Hauke Fath@21:1/5 to Marco Moock on Wed Nov 30 21:00:01 2022
    Marco Moock <mo01@posteo.de> wrote:

    Am 30.11.2022 um 10:11:39 Uhr schrieb Hauke Fath:

    How would I teach the smarthost to accept bounces to <root@otherhost.dom.ain>?

    Which behavior do you exactly want?
    Should it just accept them for relaying or should it accept them and
    deliver them to a special place?

    The latter.

    The smarthost handles mail for all *.dom.ain machines, so mail to root@host.dom.ain should go to root@smarthost.

    Cheerio,
    Hauke

    --
    Now without signature.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to Hauke Fath on Wed Nov 30 15:26:53 2022
    Hauke Fath wrote:

    I figured it wouldn't be easy. ;)

    It is easy.

    Can I use wildcards for the hostname (as in 'root@*.dom.ain') with virtusertable?

    Did you check cf/README?

    virtuser_entire_domain
    If the virtusertable is enabled and VIRTUSER_DOMAIN or
    VIRTUSER_DOMAIN_FILE is used, this feature will cause
    addresses to be searched in the map if their domain
    parts are subdomains of elements in class {VirtHost}.


    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Hauke Fath@21:1/5 to All on Wed Nov 30 23:38:41 2022
    Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>
    wrote:

    Can I use wildcards for the hostname (as in 'root@*.dom.ain') with virtusertable?

    Did you check cf/README?

    virtuser_entire_domain
    If the virtusertable is enabled and VIRTUSER_DOMAIN or
    VIRTUSER_DOMAIN_FILE is used, this feature will cause
    addresses to be searched in the map if their domain
    parts are subdomains of elements in class {VirtHost}.

    Hm.

    This means if 'dom.ain' is listed in class {VirtHost}, say as read in
    from VIRTUSER_DOMAIN_FILE, then mails to addresses @foo.dom.ain and
    bar.dom.ain will be run through virtusertable, too, correct? And does
    'dom.ain' actually have to resolve? Because in my setting it does not,
    the smarthost is just smarthost.dom.ain, and regular user addresses are
    of the form 'user@shorthand.dom.ain'.

    But the {foo,bar} subdomains would then still require a matching entry
    in virtusertable, say 'root@bar.dom.ain root', in order to be rewritten,
    and that for every host - unless there is a wildcard feature like 'root@*.dom.ain root'.

    Or am I completely off base?

    Cheerio,
    Hauke

    --
    Now without signature.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to Hauke Fath on Thu Dec 1 00:36:46 2022
    Hauke Fath wrote:

    This means if 'dom.ain' is listed in class {VirtHost}, say as read in
    from VIRTUSER_DOMAIN_FILE, then mails to addresses @foo.dom.ain and bar.dom.ain will be run through virtusertable, too, correct? And does

    Yes.

    'dom.ain' actually have to resolve? Because in my setting it does not,

    No.

    But the {foo,bar} subdomains would then still require a matching entry
    in virtusertable, say 'root@bar.dom.ain root', in order to be rewritten,

    No.

    Try it with
    sendmail -bv root@dom.ain
    sendmail -bv root@bar.dom.ain

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Hauke Fath@21:1/5 to All on Thu Dec 1 21:52:28 2022
    Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>
    wrote:

    But the {foo,bar} subdomains would then still require a matching entry
    in virtusertable, say 'root@bar.dom.ain root', in order to be rewritten,

    No.

    Try it with
    sendmail -bv root@dom.ain
    sendmail -bv root@bar.dom.ain

    With the first entry in virtusertable, the second command does not do
    TRT (local delivery) _unless_ the mail address is in virtusertable.

    Quoting Craig Hunt's sendmail Cookbook (via <https://books.google.de/books?id=upCgAjrpJfgC&pg=PT193&lpg=PT193&dq=%22virtuser_entire_domain%22&source=bl&ots=7SBh55fWpR&sig=ACfU3U27u_GjrVMoZTm6OChVw2dOTKbTXQ&hl=de&sa=X&ved=2ahUKEwjN9dL58Nb7AhWBHuwKHaqABssQ6AF6BAgaEAM#v=onepage&q=%22virtuser_entire_
    domain%22&f=false>):

    "A common mistake is to think that an entry like @school.ora.com applies
    to every host in the school.ora.com domain because the
    virtuser_entire_domain feature is used. A test shows this is not the
    case:

    [...]

    Both of the recipient addresses shown above are in a domain listed in$={VirtHost} and the virtuser_entire_domain feature is enabled. For
    these reasons, both of these addresses are matched
    against the virtusertable . But only the first address matches a key
    found in the database and is rerouted."

    Serving three virtual domains, I have machinations for virtusertable in
    place already. So I massaged the output of 'dig AXFR', and produced a
    long list of virtusertable entries, to be appended to the existing one.

    Problem solved.

    Cheerio,
    Hauke

    --
    Now without signature.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)