Re: sender rewrining advice

Subject: Re: sender rewrining advice
From: gtaylor (at) *nospam* tnetconsulting.net (Grant Taylor)
Newsgroups: comp.mail.sendmail
Date: 23. Mar 2024, 06:10:54
Organization: TNet Consulting
Message-ID: <utlkoe$4ve$1@tncsrv09.home.tnetconsulting.net>
User-Agent: Mozilla Thunderbird

On 3/21/24 07:12, none wrote:
>        internet             internet
>      recv. email
>           |                    ^
>           |                    |
>           |                    |
>           V                    |
>    +------------+       +------+-----+
>    |      A     |       |      B     |
>    |  mailert   +---1-->|    auth    |
>    |  accessmap |       |            |
>    |  ldapr     |       |            |
>    +------+-----+       +------------+
>           |
>           |
>           |
>           V
>    +------+-----+
>    |      C     |
>    |            |
>    |  virtuser  |
>    |            |
>    +------------+
>
> host a: incoming, mx
> host b: outgoing, smtp with user auth
> host c: user mailboxes, user@example.com (not test@example.com)
>
> Indeed. I am trying to use email addresses here and not domains. So NDRs are generated on host A / mx server.

I take it that host A is not fully aware of the recipient addresses that are on host B.  Thus why host A needs to bounce / DSN / NDR a message that it accepted responsibility for.
If host A was fully aware of the recipient addresses that are on host B, then host A could have rejected the inbound message and not need to send a bounce / DSN / NDR.  The bounce / DSN / NDR would be the responsibility of the system trying to send to host A.

> I have there, access:
> to:test@example.com    RELAY

Do you also have a corresponding REJECT?
    to:@example.com REJECT
Without the REJECT I would expect Sendmail to accept the message as part of the relay-domains configuration.

> This ldap entry currently makes emails being routed from the mx server A to the outgoing server B

That's what I thought.

> correct

Thank you for confirming.
I'll have to go Read The Fine Manual again to see how LDAP routing comes into play for relayed / non-local domains.

> Yes the above does this currently with ldap routing. But I don't know if this is the best way to do it.

My dusty understanding of LDAP routing is that it's intended for multiple servers to share the same domain name(s); e.g. @example.com, and know which server hosts specific mailboxes.  Meaning that both host A and host C would be configured with @example.com in their local-host-names file.

> host C, LOCAL is not in the spf records. I think external access is even blocked. I had spammers bypassing spam blocking on the mx / host a and delivering directly to C

SPF is about the connecting host.
As such, GuerrillaMail.com will see host B as the connecting host and check its IP against SPF records.
Depending on your configuration, hosts A, B, and C may need to either have allow list entries or valid SPF information for each other.

> ok I made note of this, I will enhance this later.

:-)

> I am not sure if my outgoing, host b, has access to the local-host-names. It is still using the same clusterid as host c and can probably access the local-host-names.

Even if it doesn't have access to the local-host-names file on hosts A or C, you could probably copy the contents to a similar file and configure the methodology to use that file in lieu of the local-host-names file.

> But I think in the near future I will create a separate clusterid for the outgoing, host b.

Okay.

> (Used to have everything in one host)

ACK

> At some point in the future I would like to secure host b more, so authenticated users can only send out email with their assigned address.

I'm aware that such is done by some MTAs.  I've wondered about doing that with Sendmail.  But then I realized that users were authenticating, thus I would have a good idea (but no guarantee) who, or at least which account, was being used to abuse things.  I've not needed to actually go down this path (yet).

> So currently I am able to route from host a to host b the emails sent to test@example.com.
> How should I go about to enable SRS for senders to test@example.com on host b?

You could SRS /everything/ leaving host B.  It won't actually hurt anything.
SRS your own envelopes is a little silly and maybe even questionable.
From memory -- I'll look some time this weekend -- the SRS routine that I'm using uses the local-host-names file (class w) as part of the test to determine if envelope senders should be rewritten or not.
I don't think that it /must/ /be/ the local-host-names file (class w). I naively assume that you could use any file name you wanted and declare a new class to be used for this test.  It would be a minor change to the rules to look at that alternate named file / class.
--
Grant. . . .
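
Added example, not part of the original post and not the SRS routine the poster refers to: a sketch of the decision discussed above, where a set of local domains (standing in for class w or an alternate class file) decides whether host B rewrites an envelope sender into the common SRS0 layout, and how a returning bounce is validated. LOCAL_DOMAINS, FORWARDER, SECRET and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import time

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
LOCAL_DOMAINS = {"example.com"}      # assumed stand-in for class w / an alternate class
FORWARDER = "example.com"            # assumed domain that host B rewrites into
SECRET = b"constructed-demo-secret"  # constructed value; use a random secret in practice

def _stamp(now):
    """Day counter modulo 1024, encoded as two base32 characters."""
    days = int(now // 86400) % 1024
    return B32[days >> 5] + B32[days & 31]

def _tag(stamp, domain, local):
    """Short keyed hash binding timestamp, original domain and local part."""
    msg = "".join((stamp, domain, local)).lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]

def rewrite_sender(sender, now=None):
    """Return the envelope sender to use on mail leaving host B."""
    if sender in ("", "<>") or "@" not in sender:  # null sender: never rewrite
        return sender
    local, _, domain = sender.rpartition("@")
    if domain.lower() in LOCAL_DOMAINS:            # our own envelopes stay as they are
        return sender
    stamp = _stamp(time.time() if now is None else now)
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{FORWARDER}"

def reverse_sender(addr, now=None, max_age_days=21):
    """Recover the original sender from a returning bounce, or None if invalid."""
    today = int((time.time() if now is None else now) // 86400) % 1024
    local_part = addr.rpartition("@")[0]
    if not local_part.upper().startswith("SRS0="):
        return None
    try:
        tag, stamp, domain, local = local_part[5:].split("=", 3)
        then = B32.index(stamp[0].upper()) * 32 + B32.index(stamp[1].upper())
    except (ValueError, IndexError):
        return None                                # malformed SRS0 address
    if len(stamp) != 2 or not hmac.compare_digest(tag.encode(), _tag(stamp, domain, local).encode()):
        return None                                # forged or altered address
    if (today - then) % 1024 > max_age_days:
        return None                                # too old to be a real bounce
    return f"{local}@{domain}"
```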
