[Mimedefang] Starting all over to kill invalid users

Steve Campbell campbell at cnpapers.com
Fri Jul 7 13:30:36 EDT 2006


----- Original Message ----- 
From: "Adam Lanier" <adam at krusty.madoff.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Friday, July 07, 2006 12:31 PM
Subject: Re: [Mimedefang] Starting all over to kill invalid users

> I'm a little confused by your use of the term 'public address' for the
> relay.  Why are you using a different address for the host than what DNS
> is using?

My MXs are defined to the outside world through DNS. These have 216.30.205 
addresses. When mail arrives, it is NATted to an internal 10.0.0 address. 
The primary MX is also the mailbox server. When mail arrives at any of my 
secondary MX boxes, mail is sent directly to the internal mailbox server IP, 
avoiding the need to traverse the firewall again. Public is 216.30.205.0/24. 
Private is 10.0.0.0/24 or 10.0.0.0/8 or whatever.

An example:
DNS says mail.cnpapers.com is 216.30.205.106
DNS says cnpapers.com MX is 216.30.205.106
Mailboxes for *@cnpapers.com are on the server 10.0.0.200
Real IP of the NIC is 10.0.0.200 (primary MX server)
SMTP to cnpapers.com->Firewall->10.0.0.200
DNS says cnpapers.com MX secondary is 216.30.205.103
Real IP of the NIC is 10.0.0.201 (secondary MX server)
SMTP to 216.30.205.103->Firewall->10.0.0.201->10.0.0.200

> If you want to avoid using a hard-coded IP address however, and don't
> yet have a DNS server setup on the MD host, you can simply add another
> entry in your hosts file that is distinct from the existing entries.
> For instance, if you're currently using foo.mailbox.host add a new entry
> with a different and unique hostname and the same IP address

> 10.10.1.1  foo.mailbox.host
> 10.10.1.1  bar.mailbox.host

I have in the host file for the MD server an additional entry like

10.0.0.200 mail.cnpapers.com

Unfortunately, I have not been able to get logging to work in any form to 
tell me if I am really using 10.0.0.200 or 216.30.205.106 when I tell 
md_check_against_smtp_server that the server to check is mail.cnpapers.com. 
It very well may be using 10.0.0.200. The actual SMTP message delivery is 
still using 216.30.205.106, which is proper for now as I don't have anything 
set up in any of the sendmail DBs.

> and use that in the md_check_against_smtp_server function call.  If it
> works you know that MD is using your hosts file.  If not, then your
> address resolution is not working as you expect.  It seems to me that
> you're trying to mask the actual address of an existing host with an
> entry in your hosts file.

Sendmail is definitely not using my host file for delivery, as I see in my 
logs. But MD may be using it. I just assumed that MD created a real SMTP 
connection when doing the check. It sort of implies this in the man page. Until 
I figure out why neither md_syslog nor md_graphdefang_log is working, I really 
won't know.

> Without knowing more about the setup of your test MD box (mailertable,
> hosts, dns etc), it's kind of hard to diagnose why sendmail would be
> using a different address.  Keep in mind though, that the $rcpt_host
> variable passed to filter_recipient is exactly what sendmail thinks is
> the next hop for this recipient, thus the host most likely to know
> whether that address is valid or not.

> Confused?  Me too, good luck.

I'm really sorry to be so difficult. Thanks for all the help and efforts.

Steve
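The question left open above is whether md_check_against_smtp_server contacts 10.0.0.200 (the hosts-file entry) or 216.30.205.106 (DNS) when handed the name mail.cnpapers.com. The following filter_recipient is an added example for mimedefang-filter, not code from the thread or from the MIMEDefang distribution: it resolves the name through the same libc path that MIMEDefang's socket code uses, logs the result next to sendmail's own next hop ($rcpt_host), and then runs the check. It assumes mimedefang was started with -r (otherwise filter_recipient is never called) and that syslog is reachable from the filter; the hostname and the two addresses are the ones quoted in the message.

```perl
# Added diagnostic example (not from the original thread or from MIMEDefang).
# Logs which address the verification host resolves to before the check runs,
# so the log shows whether the hosts-file entry (10.0.0.200) or the DNS answer
# (216.30.205.106) is in effect on this MD host.
use Socket qw(inet_aton inet_ntoa);

# Name taken from the thread; which address it yields depends on this host's
# resolver order (nsswitch.conf: "hosts: files dns" vs. "hosts: dns files").
my $CheckServer = 'mail.cnpapers.com';

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    # inet_aton goes through gethostbyname(), the same path IO::Socket::INET
    # takes when md_check_against_smtp_server opens its connection, so the
    # logged address is the one the check will actually contact.
    my $packed   = inet_aton($CheckServer);
    my $resolved = defined $packed ? inet_ntoa($packed) : 'UNRESOLVED';
    md_syslog('info', "filter_recipient: $CheckServer resolves to $resolved; "
                    . "sendmail next hop for $recipient is '$rcpt_host'");

    # Verify the recipient against the mailbox server over a real SMTP session.
    # If the name does not resolve, this call cannot connect and tempfails,
    # so an unreachable verifier never silently accepts an invalid user.
    my ($code, $msg) = md_check_against_smtp_server($sender, $recipient,
                                                    $helo, $CheckServer);
    md_syslog('info', "filter_recipient: $recipient checked against "
                    . "$resolved returned $code ($msg)");
    return ($code, $msg);
}
```

Two things to compare in the resulting log lines: the address after "resolves to" is what MD used, while the value of $rcpt_host is what sendmail chose from its own routing (DNS MX or mailertable), which is why the two can legitimately differ on a NATted relay like the one described above. If the "resolves to" line never appears at all, the problem is the logging or the -r flag rather than name resolution.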