Solved Sendmail not communicating in jails (and virtusertable not being used)

(9.3-RELEASE-p22)

I have two jails on lo1: sharedserver for apache24 and mailin running sendmail for incoming mail. I use simple PF rules to route incoming http connections to sharedserver and incoming smtp connections to mailin. Outgoing connections from the local network are routed to the external interface, em0.

Incoming mail and mail originating from mailin is sent as expected, using the addresses in virtusertable. However, mail originating from sharedserver seems to ignore its virtusertable and is deferred instead with "Connection refused by mx.xxxxx.org" where the MX record points to em0's IP address. (I presume this means em0 cannot act as a loopback when an outgoing packet is addressed to it.)

I see from pf.conf(5) that PF cannot "reflect packets back through the interface they arrive on" which seems to rule out writing a rule to redirect the packets to mailin since whether I intercept them at em0 or lo1 they would be required to go in and out on the same interface at once.

I have tried both sendmail_enable="YES" and sendmail_submit_enable="YES" in sharedserver's /etc/rc.conf. It seems to make no difference. The current set-up is:

Code:
root@mailin:~ # service sendmail status
sendmail is running as pid 19482.
sendmail_clientmqueue is running as pid 19485.

Code:
root@sharedserver:~ # service sendmail status
sendmail is running as pid 20240.
sendmail_clientmqueue is running as pid 20243.

Any help in troubleshooting would be appreciated.
 
Do you want to forward all mail from sharedserver to mailin? Then configure sharedserver to use a so-called "smarthost" and forward everything to the internal address of mailin. Then configure mailin to accept it. Once it's there you can route it to where it needs to go.

Sending it to the outside address (MX record) will prove difficult due to the fact packets cannot be sent back in the same interface they're going out of.
 
Thanks, but I don't want to send all mail to my incoming system. Some mail will have to go out to the users who originated it for confirmation of sign-ups and that sort of thing. The problem only arose with local domains because of the way interfaces are handled in the kernel which only allows packets to pass in one direction at a time. (I'm not expert enough to know whether this is a limitation or a security advantage of FreeBSD over Linux. I imagine the two camps could argue at great length about whether loopback should be allowed on a non-loopback interface! I expect there are pros and cons aplenty.)

Actually, the real problem was that despite my belief I'd started by copying the /etc/mail files across as a starting point before configuring mail, it turned out sharedserver lacked a local-host-names file (not mentioned under virtusertable at https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/sendmail.html). Once that was written and make install restart run, virtusertable worked and the MX connection was by-passed.
 
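Added example, not part of the thread and not the poster's configuration: a check that would have caught the missing local-host-names file described in the post above. Sendmail's cf/README requires every domain on the left-hand side of virtusertable to be in class $=w (which FreeBSD fills from /etc/mail/local-host-names) or class $={VirtHost} (/etc/mail/virtuser-domains); a domain in neither is not treated as local, the virtusertable entry is never applied, and the message is routed to the domain's MX, which is the deferred "Connection refused" the thread reports. The script compares the two sets. The domains example.org and example.net, the sample table entries and the function names check_virtuser_domains, mail_first_field and make_sample_maildir are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the thread. Audits a jail's /etc/mail:
# every domain on the left-hand side of virtusertable must also appear in
# local-host-names (class $=w) or virtuser-domains (class $={VirtHost}),
# otherwise sendmail never applies the virtusertable entry and relays the
# message to the domain's MX instead.
#
# Usage:  . ./check_virtuser.sh; check_virtuser_domains /etc/mail
#         sh check_virtuser.sh demo      (runs against constructed sample files)

# Strip comments and blank lines from a sendmail map/list file, print field 1.
mail_first_field() {
    sed -e 's/#.*//' "$@" | awk 'NF { print $1 }'
}

# Return 0 if every virtusertable LHS domain is declared local, 1 if any is
# missing (each printed as "MISSING: <domain>"), 2 if there is no table at all.
check_virtuser_domains() {
    cvd_dir=${1:-/etc/mail}
    cvd_vut="$cvd_dir/virtusertable"
    cvd_lhn="$cvd_dir/local-host-names"
    cvd_vhd="$cvd_dir/virtuser-domains"

    [ -r "$cvd_vut" ] || { echo "no readable $cvd_vut" >&2; return 2; }
    [ -r "$cvd_lhn" ] || echo "WARNING: $cvd_lhn is missing" >&2

    # LHS entries are user@domain or @domain (catch-all); keep only the domain.
    cvd_lhs=$(mail_first_field "$cvd_vut" | sed -e 's/^.*@//' | sort -u)

    # A domain listed in either file is eligible for virtusertable rewriting.
    cvd_declared=$(for f in "$cvd_lhn" "$cvd_vhd"; do
                       [ -r "$f" ] && mail_first_field "$f"
                   done | sort -u)

    cvd_missing=0
    for cvd_d in $cvd_lhs; do
        if ! printf '%s\n' "$cvd_declared" | grep -qxF -- "$cvd_d"; then
            echo "MISSING: $cvd_d (in virtusertable, not in local-host-names or virtuser-domains)"
            cvd_missing=$((cvd_missing + 1))
        fi
    done
    [ "$cvd_missing" -eq 0 ]
}

# Build a constructed /etc/mail look-alike in a temp dir: $1 = broken | fixed.
# Domains and aliases are placeholders, not the poster's real ones.
make_sample_maildir() {
    msm_dir=$(mktemp -d)
    {
        echo '# constructed sample virtusertable'
        printf 'signup@example.org\twebapp\n'             # sign-up confirmations
        printf '@example.org\tpostmaster\n'               # catch-all for the domain
        printf 'info@example.net\tinfo@mail.example.net\n'
    } > "$msm_dir/virtusertable"
    if [ "$1" = fixed ]; then
        # The file the thread found missing on sharedserver.
        printf 'example.org\nexample.net\n' > "$msm_dir/local-host-names"
    fi
    echo "$msm_dir"
}

# Stand-alone demo: the jail as found (no local-host-names), then with the fix.
if [ "${1:-}" = demo ]; then
    for state in broken fixed; do
        d=$(make_sample_maildir "$state")
        echo "== $state =="
        check_virtuser_domains "$d" && echo "ok: all virtusertable domains are local"
        rm -rf "$d"
    done
fi
```

After adding the missing domains to /etc/mail/local-host-names, rebuild and restart as the thread did (cd /etc/mail && make install restart) and re-run the check; the warning about a missing file and the MISSING lines go to the console, and the exit status lets the check run unattended from a jail's periodic scripts.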
Thanks, but I don't want to send all mail to my incoming system. Some mail will have to go out to the users who originated it for confirmation of sign-ups and that sort of thing.
That can still be done but it will be the mailin server that does the actual sending. Personally I like to consolidate all mail to one server, so I only have one server with outgoing mail. As opposed to several different servers each sending out mail. With one server it's easier to catch abuse too.
 