Re: Nullclient with root aliased and user accounts masqueraded...

On 2008.05.15 17:46:45 +0000, mouss wrote:
> Robert Nickel wrote:
> >Sorry for the subject, it's a strange nut I'm trying to deal with here.
> >
> >Background:
> >  Two domains are in play, foo.com and bar.com
> >  Client machines are of the form host.foo.com and host.bar.com in fairly
> >    equal numbers.
> >  Unqualified email sent from a any host should have one of two things 
> >  happen depending on the address:
> >      1. If it's root, use /etc/aliases (or virtual_aliases) to expand
> >         recipient to root+hostfqdn <at> bar.com and the from should remain as
> >         root <at> hostfqdn.
> >      2. All other email for local user accounts should be masqueraded to
> >         user <at> bar.com.
> >
> >As an example, take my workstation with a fqdn of coin.foo.com.
> >
> >If I send unqualified email as root to root, it should send email that 
> >looks like this:
> >
> >  From: root <at> coin.foo.com
> >  To: root+coin.foo.com <at> bar.com
> >  Subject: ....
> >
> >Email sent from the same host as root to user robert should look thusly:
> >  From: root <at> coin.foo.com
> >  To: robert <at> bar.com
> >  Subject: blah
> >
> >I've been poking around for several days and tried a number of different
> >configs up to and including using recipient_cannonical_maps to no avail.
> >  
> 
> 
> not clear what you are trying to say, but stop using "unqualified" 
> addresses. <foo <at> example.com> is valid. <foo> is not.
> 
> if you insist on using unqualfied addresses, then read the docs about 
> myorigin.

I don't insist on it, it's just an artifact of the services running on the
system.  I have been reading the docs on myorigin and just about everything
else I can.  I would not dream of bothering the list if I hadn't.

A note of the scale of the problem.  I have thousands of machines spread over
two separate domain names (the foo.com and bar.com above).  One domain
(bar.com above) has valid email addresses user <at> bar.com for all of the users
that would be using the system (save service accounts).

I want alias maps to work so that the service accounts created by packages
will actually forward to the correct email account (usually root).  I want
root email to be subject to local alias expansion as well so that the alias
file can forward the mail to the appropriate person.

The core issue is that different users on different machines running cron
jobs.  If the user (robert in the example above) has a cron job without
setting MAILTO (or forgets to redirect stderr to stdout), cron will send email
to the unqualified address robert.  I would like this email to forward to
robert <at> bar.com without having to enumerate all of the users in my domain on
each machine. 

If I use nullclient as defined in the Standar Configs document, these emails
are dropped or masqueraded to a domain other than the sending machines fqdn.
Yes, I can read mail headers and see where the mail came from but I honestly
don't want to have to teach hundreds of people how to do so.  This is
undesirable because it will mask configuration issues that the user in
question should repair or send email that will be useless to the user. [0]

If I setup a basic listener on loopback, these emails are delivered to the
local mail spool.  This is undesirable because the user then has to go ferret
the email off of the system.  See scale note above.

Setting myorigin will force all the headers to be @$myorigin instead of
@$myhostname which won't allow for real diagnosis of where the mail came from.

I hope that clears it up some.  If not, can you tell me what's missing?

--Robert

[0] To further complicate this issue, this email frequently gets delivered to
a mail system that strips mail headers out of the mail, effectively masking
the origin even further.