
How to Set Up Sendmail on a Firewall (2)

Date: 2017/2/27 9:47:30   Editor: 更多Linux
3. Third-party mail relay

See also the separate article (from the article collection): "A Brief Introduction to the sendmail 8.9.3 Mail Relay Rules".

Example sendmail configuration on a company firewall

    divert(-1)
    include(`/usr/lib/sendmail-cf/m4/cf.m4')
    dnl let's define our OS type. This one is mandatory.
    OSTYPE(`linux')dnl
    define(`confDEF_USER_ID',``8:12'')
    define(`ALIAS_FILE',`/etc/mail/aliases')dnl
    dnl Privacy flags: refuse EXPN and VRFY and require HELO.
    define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy')dnl
    define(`confTO_QUEUERETURN', `4d')dnl
    define(`confTO_QUEUEWARN', `4h')dnl
    define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
    undefine(`UUCP_RELAY')dnl
    undefine(`BITNET_RELAY')dnl
    FEATURE(`redirect')dnl
    FEATURE(`always_add_domain')dnl
    FEATURE(`use_cw_file')dnl
    FEATURE(`local_procmail')dnl
    FEATURE(`nouucp')dnl
    dnl Lookup tables described in the sections below.
    FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
    FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
    FEATURE(`domaintable',`hash -o /etc/mail/domaintable')dnl
    FEATURE(`access_db', `hash -o /etc/mail/access')dnl
    FEATURE(`blacklist_recipients')dnl
    MAILER(procmail)dnl
    MAILER(smtp)dnl

use_cw_file

The default file is /etc/sendmail.cw. It lists the domain names that are handled as local domains; mail sent to these domains is local mail. Do not add company.com to sendmail.cw on the firewall; set it on the mail server on the internal network segment instead. Updating this file does not require restarting sendmail.

* How do I make all my addresses appear to be from a single host?

Using the V8 configuration macros, use:

    MASQUERADE_AS(my.dom.ain)

This will cause all addresses to be sent out as being from the indicated domain. If you're using version 8.7 sendmail, and you want to hide this information in the envelope as well as the headers, use:

    FEATURE(masquerade_envelope)

If you also want to masquerade the recipients, use:

    FEATURE(allmasquerade)

Mailertable

This feature lets you relay mail while bypassing DNS and DNS MX records. It also overrides the Smart_host (DSxxxx) entry. For example:

    company.com    relay:[192.168.11.1]

Mail for company.com that is received on the firewall is relayed to 192.168.11.1.

Include a "mailer table" which can be used to override routing for particular domains. The argument of the FEATURE may be the key definition. If none is specified, the definition used is:

    hash -o /etc/mailertable

Keys in this database are fully qualified domain names or partial domains preceded by a dot -- for example, "vangogh.CS.Berkeley.EDU" or ".CS.Berkeley.EDU". Values must be of the form:

    mailer:domain

where "mailer" is the internal mailer name, and "domain" is where to send the message. These maps are not reflected into the message header. As a special case, the forms:

    local:user

will forward to the indicated user using the local mailer,

    local:

will forward to the original user in the e-mail address using the local mailer, and

    error:code message

will give an error message with the indicated code and message.

Domaintable

Domain substitution. If a domain name is easily mistyped, for example mail for company.com gets addressed to compayn.com, add the line:

    compayn.com    company.com

Access.db

Each database record has two parts, the key and the action. The key can be a user name, a domain name, or an IP address. The action can be OK, RELAY, REJECT, DISCARD, or an RFC 821 message. For example:

    cyberspammer.com         550 We don't accept mail from spammers
    okay.cyberspammer.com    OK
    sendmail.org             OK
    128.32                   RELAY
    Foobar.com               REJECT
    [email protected]        DISCARD

Virtusertable

Virtusertable is used when mail addressed to a user on the local system should be redirected to another user. Note that the mail must be for a local user; otherwise the virtusertable database file is not consulted. For example, add company.com to /etc/sendmail.cw on the firewall, then add this line to /etc/mail/virtusertable:

    [email protected]    [email protected]

virtusertable is a domain-specific form of aliasing, allowing multiple virtual domains to be hosted on one machine. For example, if the virtuser table contained:

    [email protected]    foo-info
    [email protected]    bar-info
    @baz.org             [email protected]

then mail addressed to [email protected] will be sent to the address foo-info, mail addressed to [email protected] will be delivered to bar-info, and mail addressed to anyone at baz.org will be sent to [email protected]. The username from the original address is passed as %1 allowing:

    @foo.org    %[email protected]

meaning [email protected] will be sent to [email protected].
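The mailertable and virtusertable lookups described above decide where the firewall sends a given recipient, and the order of the lookups is easy to get wrong. The following Python model is an added example, not code from the original article or from sendmail; it is a simplified model, and every table entry except the company.com line is constructed sample data with placeholder .example names.

```python
"""Simplified model of how the firewall picks a destination for a recipient.
Constructed sample tables; the .example names are placeholders, not from the page."""

CLASS_W = {"virt.example"}                      # domains listed in /etc/sendmail.cw
VIRTUSER = {                                    # /etc/mail/virtusertable
    "info@virt.example": "foo-info",
    "@virt.example": "%1@elsewhere.example",
}
MAILERTABLE = {                                 # /etc/mail/mailertable
    "company.com": "relay:[192.168.11.1]",
    ".lab.example": "smtp:hub.lab.example",
    "old.example": "error:550 Host no longer accepts mail",
}


def virtuser_lookup(user, domain):
    """Full address first, then the @domain catch-all; %1 is the original user."""
    for key in (f"{user}@{domain}", f"@{domain}"):
        if key in VIRTUSER:
            return VIRTUSER[key].replace("%1", user)
    return None


def mailertable_lookup(domain):
    """Exact host name first, then partial domains written with a leading dot."""
    if domain in MAILERTABLE:
        return MAILERTABLE[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in MAILERTABLE:
            return MAILERTABLE[key]
    return None


def route(rcpt):
    """Return (deciding step, mailer or target, detail) for one recipient."""
    user, _, domain = rcpt.lower().rpartition("@")   # model: keys fold case
    if domain in CLASS_W:                       # local domain: virtusertable applies
        target = virtuser_lookup(user, domain)
        return ("virtusertable", target, "") if target else ("local", "local", user)
    value = mailertable_lookup(domain)
    if value is None:                           # no override: normal DNS MX routing
        return ("dns", "mx", domain)
    mailer, _, rest = value.partition(":")
    if mailer == "local":                       # local:user, or local: = original user
        return ("mailertable", "local", rest or user)
    return ("mailertable", mailer, rest)        # includes error:code message
```

Note that the key company.com does not cover mail.company.com, and a key with a leading dot covers hosts below the domain but not the domain itself.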
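Because the access table decides who may relay through the firewall, it is worth checking its source file before it is hashed. The following Python check is an added example, not part of the original article or of sendmail; it assumes that only the key and action forms listed in the Access.db section above are valid, and the sample file with its bulk@ads.example, partner.example and orphan.example keys is constructed.

```python
import re

# Actions listed on this page for the access database (assumption: nothing else is valid).
KEYWORDS = {"OK", "RELAY", "REJECT", "DISCARD"}
REPLY = re.compile(r"^[45]\d\d\s+\S")             # RFC 821 style reply: code, then text
IP_PREFIX = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")

# Constructed sample source file; the last three keys are placeholders, not from the page.
SAMPLE = """\
cyberspammer.com        550 We don't accept mail from spammers
okay.cyberspammer.com   OK
128.32                  RELAY
Foobar.com              reject
bulk@ads.example        DISCARD
partner.example         ALLOW
orphan.example
"""


def key_kind(key):
    """Classify a key as an address, a network prefix, or a domain."""
    if "@" in key:
        return "address"
    return "network" if IP_PREFIX.match(key) else "domain"


def audit(text):
    """Return (entries, problems); entries are (key, kind, action) tuples."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.strip().split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2:
            problems.append((lineno, "missing action"))
            continue
        key, action = fields[0].lower(), fields[1].strip()
        if action.upper() in KEYWORDS:
            action = action.upper()
        elif not REPLY.match(action):
            problems.append((lineno, f"unknown action {action!r}"))
            continue
        entries.append((key, key_kind(key), action))
    return entries, problems


def relay_grants(entries):
    """Keys allowed to relay through this host: the third-party relay surface."""
    return [key for key, _, action in entries if action == "RELAY"]
```

Reviewing the output of relay_grants after every change keeps the list of hosts and networks that may relay through the firewall explicit.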
All the host names on the left hand side (foo.com, bar.com, and baz.org) must be in $=w. The default map definition is:

    hash -o /etc/virtusertable

FEATURE(genericstable,`hash -o /etc/mail/genericstable'): Use a hashed table with masquerading information. The unhashed file looks like this:

    bg        [email protected]
    root      [email protected]
    nobody    [email protected]

This file tells sendmail to rewrite the From addresses of your mail, so that you can relay all your mail over your ISP's mail server. The first column contains the local address, the second one the address which should be used instead. In order for sendmail to read this file you have to hash it with this command:

    makemap -r hash genericstable.db < genericstable

GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain'): You have to add your local domain name to this file, so sendmail knows what mail is local and has to be masqueraded. To get your local domain, run "hostname".

FAQ:

* I'm getting "Local configuration error" messages, such as:

    553 MX list for domain.net points back to relay.domain.net
    554 ... Local configuration error

  How can I solve this problem?

You have asked mail to the domain (e.g., domain.net) to be forwarded to a specific host (in this case, relay.domain.net) by using an MX record, but the relay machine doesn't recognize itself as domain.net. Add domain.net to /etc/sendmail.cw (if you are using FEATURE(use_cw_file)) or add "Cw domain.net" to your configuration file.

IMPORTANT: When making changes to your configuration file, be sure you kill and restart the sendmail daemon (for ANY change in the configuration, not just this one):

    kill `head -1 /etc/sendmail.pid`
    sh -c "`tail -1 /etc/sendmail.pid`"

Mail for the Home Network ------ the Stand Alone Config

    FEATURE(always_add_domain)dnl

This option is recommended. It forces fully qualified domain names for the local or program mailer.

    FEATURE(allmasquerade)

I use this feature on the firewall to force all mail to appear to come from the site's official domain name. You need to combine it with MASQUERADE_AS.

    FEATURE(masquerade_entire_domain)

This feature forces any host within your domain to appear to come from the same domain.

    FEATURE(masquerade_envelope)
    MASQUERADE_AS(company.com)

Obviously, this is the value defined for the masquerading features above.

    MASQUERADE_DOMAIN( company.com othername.com )

Use this if you have several internal domain names and want to masquerade them all as the same company domain name.

Environment:

Consider this situation: a company runs a Linux mail server with Sendmail. The machine is attached to the LAN, but it reaches the Internet over a PPP, cable modem, or DSL connection and sends mail through the ISP's mail host. The machine has two users, jephe and hongyi (who send mail to company.com from Windows machines). The domain name is company.com, the ISP's domain name is isp.net, and the mail host is mail.isp.net; both users have the same accounts at isp.net, [email protected] and [email protected].

Requirements:


