• Question: should submit.mc include nocanonify by default?

    From Stacey Marshall@stacey.marshall@gmail.com to comp.mail.sendmail on Mon May 12 18:10:52 2025
    From Newsgroup: comp.mail.sendmail

    Question, should submit.mc include nocanonify by default?

    I was a little surprised to see SMTP client queue (sendmail -Ac) trying
    to look up DNS names as I thought it only collected mail for local
    accounts. In the configuration in question the Mail Transfer Agent
    (sendmail -bl) is configured to forward all mail to a gateway machine
    for actual delivery, and only that gateway machine has access to DNS.

    From a fair amount of digging I found FEATURE(`nocanonify') is what was
    needed in submit.mc to prevent DNS lookups. Modified a copy of
    submit.mc with the sample from contrib/bsdi.mc:

    # diff submit.mc submit_nocanonify.mc
    23a24,32
    dnl # Use FEATURE(`nocanonify') to skip address canonification via $[
    ... $].
    dnl # This would generally only be used by sites that only act as
    mail gateways
    dnl # or which have user agents that do full canonification themselves.
    dnl # You may also want to use:
    dnl # define(`confBIND_OPTS',`-DNSRCH -DEFNAMES')
    dnl # to turn off the usual resolver options that do a similar thing.
    dnl # Examples:
    FEATURE(`nocanonify')
    dnl define(`confBIND_OPTS',`-DNSRCH -DEFNAMES')
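    Review bot: the comment block above FEATURE(`nocanonify') is copied from contrib/bsdi.mc and talks about mail gateways and user agents that canonify themselves, so it does not record why this host's submit.mc needs the feature. Replace it with a short site-specific reason (this host has no DNS access and forwards all mail to the gateway). Also decide explicitly whether the confBIND_OPTS line, left disabled with dnl on the last added line, is wanted, since the copied comment says those resolver options "do a similar thing".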
    #
    # make submit.cf
    test ! -f submit.cf || /usr/bin/mv submit.cf submit.cf.prev
    /usr/bin/m4 ../m4/cf.m4 submit.mc > submit.cf

    Using truss confirms no call to libresolv res_* functions:

    # echo canonify test@example.com | sudo truss -t\!all -f -ulibresolv:res_\* /usr/sbin/sendmail -C/etc/mail/cf/cf/submit_nocanonify.cf -bt
    ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
    Enter <ruleset> <address>
    canonify input: test @ example . com
    Canonify2 input: test < @ example . com >
    Canonify2 returns: test < @ example . com . >
    canonify returns: test < @ example . com . >


    For comparison the standard submit.cf without nocanonify is seen to call res_querydomain:

    # echo canonify test@example.com | sudo truss -t\!all -f -ulibresolv:res_\* /usr/sbin/sendmail -C/etc/mail/cf/cf/submit.cf -bt
    ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
    Enter <ruleset> <address>
    canonify input: test @ example . com
    Canonify2 input: test < @ example . com >
    5882/1@1: -> libresolv:res_querydomain(0x7fc0b5e4a4d0, 0x4324bf,
    0x1, 0x1c, 0x7fc0b5e45b70, 0x2000)
    5882/1@1: <- libresolv:res_querydomain() = 197
    Canonify2 returns: test < @ example . com . >
    canonify returns: test < @ example . com . >


    Thus I was wondering if submit.mc should include the nocanonify feature
    by default?

    Thanks in advance, Stacey
    --- Synchronet 3.21b-Linux NewsLink 1.2
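
An added example (not part of the original post): a small shell filter that summarises the libresolv calls in captured `truss -u` output, so the two configurations above can be compared mechanically. The function names `resolver_calls`, `does_dns` and `report` are made up for this example; the sample captures are abridged from the output quoted in the post.

```shell
#!/bin/sh
# Added example: summarise libresolv calls recorded by `truss -u`.

# resolver_calls: read truss output on stdin and print one line per
# libresolv function: "<name> <times entered> <last return value>".
resolver_calls() {
    awk '
        # Entry:  PID/LWP@N: -> libresolv:res_xxx(args...
        # Return: PID/LWP@N: <- libresolv:res_xxx() = value
        ($2 == "->" || $2 == "<-") && $3 ~ /^libresolv:res_/ {
            fn = $3
            sub(/^libresolv:/, "", fn)
            sub(/\(.*/, "", fn)
            if ($2 == "->") calls[fn]++
            else            ret[fn] = $NF
        }
        END {
            for (fn in calls)
                print fn, calls[fn], ((fn in ret) ? ret[fn] : "-")
        }
    ' | sort
}

# does_dns: succeed if the truss output on stdin shows any resolver call.
does_dns() {
    [ -n "$(resolver_calls)" ]
}

# Sample captures, abridged from the two runs shown in the post.
sample_default='Canonify2 input: test < @ example . com >
5882/1@1: -> libresolv:res_querydomain(0x7fc0b5e4a4d0, 0x4324bf,
0x1, 0x1c, 0x7fc0b5e45b70, 0x2000)
5882/1@1: <- libresolv:res_querydomain() = 197
Canonify2 returns: test < @ example . com . >'

sample_nocanonify='Canonify2 input: test < @ example . com >
Canonify2 returns: test < @ example . com . >'

# report LABEL CAPTURE: one-line verdict for a captured run.
report() {
    if printf '%s\n' "$2" | does_dns; then
        printf '%s: resolver used: %s\n' "$1" \
            "$(printf '%s\n' "$2" | resolver_calls | tr '\n' ';')"
    else
        printf '%s: no libresolv calls\n' "$1"
    fi
}

report submit.cf "$sample_default"
report submit_nocanonify.cf "$sample_nocanonify"
```

For a live check, pipe the stderr of the truss command from the post into `resolver_calls` instead of the embedded samples.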
  • From Marco Moock@mm@dorfdsl.de to comp.mail.sendmail on Tue May 13 21:28:58 2025
    From Newsgroup: comp.mail.sendmail

    On 12.05.2025 18:10 Uhr Stacey Marshall wrote:

    > Question, should submit.mc include nocanonify by default?
    >
    > I was a little surprised to see SMTP client queue (sendmail -Ac)
    > trying to look up DNS names as I thought it only collected mail for
    > local accounts. In the configuration in question the Mail Transfer
    > Agent (sendmail -bl) is configured to forward all mail to a gateway
    > machine for actual delivery, and only that gateway machine has access
    > to DNS.

    Most machines that handle mail have access to DNS nowadays. If yours
    doesn't, disable such lookups.

    > Thus I was wondering if submit.mc should include the nocanonify
    > feature by default?

    I do not see a reason for that as most machines have access to DNS. A
    default setting is something that fits general situations and not
    corner cases.

    Most servers also check the recipient domains and reject stuff that
    isn't an FQDN or unresolvable, so the default checks are sane.
    --
    kind regards
    Marco

    Send spam to 1747066252muell@stinkedores.dorfdsl.de

  • From Stacey Marshall@stacey.marshall@gmail.com to comp.mail.sendmail on Wed May 14 17:54:18 2025
    From Newsgroup: comp.mail.sendmail

    On 13/05/2025 20:28, Marco Moock wrote:
    > On 12.05.2025 18:10 Uhr Stacey Marshall wrote:
    >
    >> Thus I was wondering if submit.mc should include the nocanonify
    >> feature by default?
    >
    > I do not see a reason for that as most machines have access to DNS. A
    > default setting is something that fits general situations and not
    > corner cases.
    >
    > Most servers also check the recipient domains and reject stuff that
    > isn't an FQDN or unresolvable, so the default checks are sane.

    Thanks Marco for your response. I should perhaps have added that in
    the site's scenario the mail was then stuck in the submit queue
    and not forwarded to the MTA (sendmail.cf queue) which would have
    forwarded to the relay.

    While I commonly see suggestions to make a change to sendmail.mc this is
    the first time I've had to suggest a site change submit.mc. But I am
    relatively new to sendmail configuration myself, so perhaps it is just
    my lack of experience.

    Does that extra information make any difference?

    Thanks again,

    Stace

  • From Andrzej Adam Filip@anfi@onet.eu to comp.mail.sendmail on Wed May 14 20:27:36 2025
    From Newsgroup: comp.mail.sendmail

    Marco Moock <mm@dorfdsl.de> wrote:
    > On 12.05.2025 18:10 Uhr Stacey Marshall wrote:
    >
    >> Question, should submit.mc include nocanonify by default?
    >>
    >> I was a little surprised to see SMTP client queue (sendmail -Ac)
    >> trying to look up DNS names as I thought it only collected mail for
    >> local accounts. In the configuration in question the Mail Transfer
    >> Agent (sendmail -bl) is configured to forward all mail to a gateway
    >> machine for actual delivery, and only that gateway machine has access
    >> to DNS.
    >
    > Most machines that handle mail have access to DNS nowadays. If yours
    > doesn't, disable such lookups.
    >
    >> Thus I was wondering if submit.mc should include the nocanonify
    >> feature by default?
    >
    > I do not see a reason for that as most machines have access to DNS. A
    > default setting is something that fits general situations and not
    > corner cases.
    >
    > Most servers also check the recipient domains and reject stuff that
    > isn't an FQDN or unresolvable, so the default checks are sane.

    As I understand submit.mc is supposed to be "one size fits *ALL* ".
    IMHO Your argument makes very good sense only if submit.mc is supposed
    to be modified not only in super rare cases.
    --
    [Andrew] Andrzej A. Filip
  • From Stacey Marshall@stacey.marshall@gmail.com to comp.mail.sendmail on Tue Jun 17 14:00:23 2025
    From Newsgroup: comp.mail.sendmail

    On 14/05/2025 19:27, Andrzej Adam Filip wrote:

    > As I understand submit.mc is supposed to be "one size fits *ALL* ".
    > IMHO Your argument makes very good sense only if submit.mc is supposed
    > to be modified not only in super rare cases.

    Thanks Andrew,
    That was my take on it too.

    I really didn't expect the local service to be looking up addresses in
    DNS. The submit.mc file shipped with Solaris 11.4 is the unaltered
    version from sendmail 8.18.1. Hence my question.

    kind regards,
    Stacey

  • From Marco Moock@mm@dorfdsl.de to comp.mail.sendmail on Tue Jun 17 21:19:46 2025
    From Newsgroup: comp.mail.sendmail

    On 12.05.2025 18:10 Uhr Stacey Marshall wrote:

    > I was a little surprised to see SMTP client queue (sendmail -Ac)
    > trying to look up DNS names as I thought it only collected mail for
    > local accounts.

    True, and default is to restrict those users to their own mail address
    (local user name and hostname of machine), but that can be lifted (see
    TrustedUser). In that case it makes sense to check if the domain exists.

    If you don't want that, disable it. :-)
    --
    kind regards
    Marco

    Send spam to 1747066252muell@stinkedores.dorfdsl.de

  • From Claus Aßmann@INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org to comp.mail.sendmail on Wed Jun 18 01:42:35 2025
    From Newsgroup: comp.mail.sendmail

    Stacey Marshall wrote:

    > I was a little surprised to see SMTP client queue (sendmail -Ac) trying
    > to look up DNS names as I thought it only collected mail for local
    > accounts.

    What gave you that impression?
    It's the "MSP": mail submission program - all local mail submissions
    use it unless they use SMTP directly.
    Hence that program (sendmail with the submit.cf file) makes all the
    changes required for mail submission, e.g., add missing headers and
    fix incomplete addresses - which means it should "canonify" addresses
    so the MTA doesn't have to do it.

    See sendmail/SECURITY.
    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.
  • From Stacey Marshall@stacey.marshall@gmail.com to comp.mail.sendmail on Mon Jun 23 13:46:47 2025
    From Newsgroup: comp.mail.sendmail

    On 18/06/2025 06:42, Claus Aßmann wrote:

    > See sendmail/SECURITY.

    I see that I misunderstood what used submit.cf and its functionality.
    Having re-read sendmail/SECURITY and cf/README (section
    MESSAGE SUBMISSION PROGRAM) has been most helpful.

    Thank you.

    Stacey