> I have a question regarding sendmail configuration over a firewall. This
> firewall is using smap to receive mail, and sendmail to send the outgoing
> The topology looks something like the following:
>      Untrusted                 Trusted
> World ---- Firewall ----- Mailhost --+---- PostOffice1
>                                      +---- PostOffice2
>                                      +---- PostOffice3
> We want the following to happen:
> All mail from the internal trusted hosts will arrive at the Firewall
> with destination addresses and from addresses. We want all outgoing mail
> to appear to be originating from user @
> name (ie user @
> will require the outgoing from header to be rewritten.
> We want all incoming mail to the Firewall to parse through an aliases
> file which may rewrite the outgoing email address. Also, all mail destined
> for the internal network will be handed off to the internal Mailhost. The
> Mailhost is not intelligent enough to rewrite headers, so we must rewrite
> the headers with the firewall such that it identifies to which post office
> the mail is destined. I realize this is not a normal function of a fw, however
> this is going to have to be as such.
> Two things. Rewrite To headers based on an aliases file, and rewrite
> outgoing from addresses if they are NOT to a set of hosts. I can make the
> outgoing headers be rewritten, however it will then change the destination
> addresses within the domain to user @
> I can make the sendmail
> parse the aliases file and hand it off to the mailhost correctly, but then
> mail that "replies" to sent mail from the internal hosts is destined for
> user @
> name, instead of user @
> I could use MX
> records to make PostOfficeX.domain.name have two destinations, firewall
> and mailhost, with mailhost a higher priority, to "hop" it through, however
> this is not preferred.
> I have struggled with this for some time, and have not been able to figure
> out how to do it.
> Any help appreciated. I apologize if this is too narrow of a concern, though
> I can see this configuration being of use in many firewall configurations.
> Alan Hannan alan @
Unless I misunderstand your question, I think that you have the answer but
you have to organize your thoughts. While I am not an expert on sendmail, I
have spoken with many who are. The solution that is frequently recommended
is as follows.
1) Setup the sendmail.cf file on each internal machine to send non-local
mail to the firewall.
2) On the firewall configure sendmail with the "site hiding option" which
changes the From: header to your desired domain name.
1) configure MX records on the firewall to forward incoming mail, destined
for your domain, to your internal mail servers. For example, your MX
record would be:
yourdomain.com MX mailserver1
2) setup system alias files on your mail servers to forward users mail to
the proper internal machines. Sendmail does not rewrite the From header;
internal users can still reply to the mail. For example, if the user chuck
wants to receive his mail on an internal machine called babbage, the mail
should contain an alias similar to the following:
com chuck @
When external users reply to your users messages, the reply will come
to the firewall which forwards it to the mail servers. The mail servers
check the user name in the alias file and send the mail to the proper
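As an added illustration of the "site hiding" step in the reply above (this is example configuration written for this page, not the questioner's or the respondent's own files), here is a sendmail.mc fragment for the firewall. The domain yourdomain.com, the host names, and the OSTYPE value are placeholders; the m4 feature names are sendmail's own. It also shows the one feature to leave out, since enabling it reproduces the problem the question describes (destination addresses inside the domain being rewritten along with the From header).

```m4
divert(-1)
dnl Added example for the firewall's sendmail.mc (not from the original thread).
dnl Placeholders: yourdomain.com, mailhost.yourdomain.com, OSTYPE value.
dnl Build with:  m4 sendmail.mc > sendmail.cf
divert(0)dnl
VERSIONID(`firewall-site-hiding-example')dnl
OSTYPE(`linux')dnl                       dnl replace with your platform's OSTYPE
DOMAIN(`generic')dnl

dnl --- Site hiding: From: on outbound mail becomes user@yourdomain.com ---
MASQUERADE_AS(`yourdomain.com')dnl
dnl Hide every host in the domain, not just the firewall's own name.
MASQUERADE_DOMAIN(`yourdomain.com')dnl
dnl Rewrite the envelope sender as well, so bounces return via the public MX
dnl and never carry an internal host name out of the network.
FEATURE(`masquerade_envelope')dnl

dnl --- Deliberately NOT enabled ---
dnl FEATURE(`allmasquerade') would also rewrite recipient headers (To:/Cc:),
dnl which is exactly the "destination addresses within the domain get
dnl changed to user@domain" behaviour the question complains about.
dnl Leave masquerading on the sender side only.

dnl --- Relay control: only the trusted network may relay through this host ---
dnl Entries live in /etc/mail/access (e.g. "192.0.2   RELAY" for the
dnl internal net, a constructed placeholder range); an MTA on a firewall
dnl that relays for the whole untrusted world is an open relay.
FEATURE(`access_db')dnl

MAILER(`local')dnl
MAILER(`smtp')dnl
```

The remaining steps of the reply are one-liners elsewhere: each internal machine sends non-local mail to the firewall with define(`SMART_HOST', `firewall.yourdomain.com') in its own sendmail.mc; the public DNS zone carries the MX record (yourdomain.com.  IN MX 10 mailserver1.yourdomain.com.); and on the internal mail server the aliases file maps the user to the post office that holds the mailbox, e.g. chuck: chuck@babbage.yourdomain.com, followed by newaliases. Because only the From: side is masqueraded, the reply path external users see is user@yourdomain.com, which the MX delivers back to the internal server, where the alias resolves it to the right post office.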