Can you believe I'm actually getting to this just now!
I have a sendmail server acting as a gateway. I'm doing the whole blacklist in the access.db, procmail to spamassassin to internal exchange server, and exchange server to sendmail to internet setup. All is working great. The only problem is the private IP of the exchange server is in the email header. I DO NOT want it there. I know it breaks the RFC, but that is ok.
If the above sequence is indeed how the message is processed, procmail doesn't see the message after exchange server fiddled with it.
After posting this I realized how silly it was to send to procmail group. I
was tired and not thinking straight. Yup, this is in no way shape or form
about procmail.
There is simply no need at all for the internal IP address to be in the header. The gateway is working fine. So is it possible to write a regex in sendmail to say something like:
Of course, _this_ isn't the list to ask how to write _SENDMAIL_
rules. This is a procmail list.
Yup.
If in header IP address = 172.16.1.X , then change to x.x.x.x?
A few issues with this (regardless of what approach you choose to actually achieve the transformation) spring to mind:
1. replacing an IP address with letters is bound to break something. Oh, I dunno - perhaps mail scanners that check all the headers that a message has passed through (for a while now, some sites have been employing DNSBL in this fashion, though of course, it's after they accept all the headers, not up front).
x.x.x.x were just variables.
2. If you mean x.x.x.x to be a different IP address sequence, ask yourself, "whose IP is that, and what right do I even have to abscond with it?". In contrast, if the IP belongs to you, why not just set up that host with that IP address in the first place?
I would love it to just say my sendmail gateway. I have no problem with
using my own IP.
3. If the IP we're talking about is actually the IP trying to be masked, what's the big deal - the outside world can't even route to it because it is part of the RFC 1918 private IP space -- that machine is only visible to the internal network on which it is located. So, why the concern over the outside world being able to see it in the headers?
Discovery is the first part to hacking. Knowing my internal exchange server's IP is step one. Yes there are systems that lock it down something fierce. But why give away the location of the safe, hoping you never get thru the front door.
4. Breaking things isn't "ok". Intentionally striving to certainly isn't.
You need to break a few eggs to make an omelet. I was never one to follow
rules to the "T" :-)
That's like telling the Wright brothers not to break the rules of gravity.
I know absolutely nothing about writing these types of things yet. I've been working on procmail, spamassassin, and firewall code. Haven't looked at sendmail code in any way shape or form yet. So please be gentle :)
Here's a gentle shove in the right direction: news:comp.mail.sendmail
This was a cross post. It went there already, but thanks.
I'm also cross posting this to the procmail list in the hopes that maybe someone has a recipe for this.
Dallman has posted an example script, but note that you'd need to _invoke_ the recipe on the outbound mailer host, which itself will require some sendmail tweakage, because Procmail is an LDA and won't simply be called by sendmail when the mail passes through that host.
---
Sean B. Straw / Professional Software Engineering
Dallman's example was great for obfuscating incoming IP addresses. Which is cool, because I didn't know how to do that either. I love procmail examples :)
Trust me, after cross posting this message to the list, I wished there was a
"D'oh!" button to get it back! Upon further research, I think the 2 internal
IP addresses is a great idea. One for outgoing and one for incoming. So even
if they get thru the front door, they only have the IP of the server going
out. So they would have to fight another firewall.
Thanks,
Chris
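
An added example, not part of the thread and not code from any of its posters: a Python filter for the transformation discussed above, which replaces RFC 1918 addresses in Received: headers with a real gateway address and reports private addresses still exposed in other headers. The function names, the sample message and the 192.0.2.25 gateway address are assumptions, LF line endings are assumed, and hooking it into the outbound sendmail path is not shown.

```python
import ipaddress
import re

# RFC 1918 ranges; the 172.16.1.x address in the thread is in the second one.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def is_rfc1918(text):
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:          # not a valid dotted quad, e.g. 999.1.1.1
        return False
    return any(addr in net for net in RFC1918)

def header_lines(raw):
    """Yield (header_name, line); folded lines keep their header's name."""
    name = ""
    for line in raw.partition("\n\n")[0].split("\n"):
        if line[:1] not in (" ", "\t"):
            name = line.partition(":")[0].lower()
        yield name, line

def mask_received(raw, replacement):
    """Swap RFC 1918 addresses in Received: headers; nothing else changes."""
    ipaddress.IPv4Address(replacement)   # must be an address, not "x.x.x.x"
    def swap(m):
        return replacement if is_rfc1918(m.group(0)) else m.group(0)
    out = [IPV4.sub(swap, line) if name == "received" else line
           for name, line in header_lines(raw)]
    _, sep, body = raw.partition("\n\n")
    return "\n".join(out) + sep + body

def remaining_private(raw):
    """List (header, address) pairs that still expose an RFC 1918 address."""
    return [(name, ip) for name, line in header_lines(raw)
            for ip in IPV4.findall(line) if is_rfc1918(ip)]

# Constructed sample message: hosts, ids and addresses are made up.
SAMPLE = (
    "Received: from exch.example.internal ([172.16.1.10])\n"
    "\tby gw.example.org (8.12.11/8.12.11); Mon, 1 Jan 2024 00:00:00 +0000\n"
    "Received: from client.example.internal\n"
    "\t([172.16.1.77]) by exch.example.internal; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "X-Originating-IP: [172.16.1.77]\n"
    "\n"
    "Body mentions 172.16.1.10 and is left alone.\n"
)
```

Running `remaining_private()` on the masked output shows that rewriting Received: lines alone is not enough when other headers, such as the X-Originating-IP line in the sample, carry the same address.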