[Mailman-Users] emails from mailman rejected with error "reject=550 Relaying denied. IP name possibly forged"

Stephen J. Turnbull stephen at xemacs.org
Wed Jul 30 07:51:52 CEST 2014


Abdullah Maskari writes:

 > So it seems that my problem is that my mailman server attempts to 
 > communicate with mailhost through mailhost's outward facing IP rather 
 > than through its internal network IP,

Aha!  I'll have to remember that, I wouldn't be surprised if it comes
up again.

 > I have added an entry for mailhost in the hosts file

This is generally not recommended.  Most systems nowadays are
configured to use the nameservers whenever possible, and only fall
back to hosts when no nameserver can be contacted.  Although you can
change that priority (if you have write access to the appropriate
configuration, often /etc/host.conf), this isn't recommended either as
hosts is often untouched for years and easily becomes out of date and
inaccurate.

 > but sendmail still insists on communicating with mailhost through
 > mailhost's external IP.  I am not sure how to change this
 > behaviour.

First let me say this is way out of scope for this list.

That said, I can think of a couple of ways of addressing the
situation.

My first suggestion is that you give the outgoing (*internal* IP) and
incoming (*external* IP) SMTP gateways different names even if they're
implemented on the same host.  Then when your site expands enough to
need a more powerful host, or separate hosts to service incoming and
outgoing traffic, you just add the new host, change the DNS, and all
your internal mail goes to the right place, ditto external mail, and
nobody cares how your mail system works, it Just Works.

Second, you probably want internal hosts to be unable to see the
external gateway and vice versa, so you may want to run two name
servers, one (outside) which only knows about your hosts that provide
public services (like web and mailservers, and is configured to return
their external addresses), and one (inside) which knows about your
internal network, but doesn't know about your public hosts (at least,
not their public IP addresses and names), and recurses to your ISP's
nameserver (*not* your "outside" nameserver!) for "remote" sites.

If the first suggestion is impossible for some reason, you could
reconfigure to give the hosts file precedence.  (The suggestion about
two nameservers is optional if you're careful enough about firewalls,
and don't care if names and internal network details leak.)

You should also look at your working list server and see how its
configuration differs from this one.  If you used the hosts file dodge
on that one, then probably it is configured to give hosts precedence
over DNS.  My suggestion is to separate the DNS entries for outgoing
and incoming and to change that one too.

Steve
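To make the precedence question in this thread concrete, here is an added example (not from the thread or the Mailman project) that models how a resolver walks the sources listed on the `hosts:` line of nsswitch.conf, or on the older host.conf `order` line, resolves `mailhost` from a constructed hosts file and constructed DNS records, and reports whether the address an MTA would get lies in the internal network. All file contents, names and addresses below are constructed; the `hosts`/`bind` keyword mapping for host.conf is an assumption about that older format.

```python
import ipaddress
import re

# Constructed sample configuration and records (not from the original thread).
NSSWITCH = "hosts: dns files\n"      # nameserver first, hosts file as fallback
HOST_CONF = "order hosts,bind\n"     # older host.conf format: hosts file first
HOSTS_FILE = "127.0.0.1 localhost\n10.0.0.5 mailhost mailhost.internal.example\n"
DNS = {"mailhost": "203.0.113.10", "mailhost.example.org": "203.0.113.10"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def resolution_order(nsswitch=NSSWITCH, host_conf=HOST_CONF):
    """Return the lookup order as a list of 'files' / 'dns' entries.
    nsswitch.conf wins when it has a hosts: line; otherwise fall back to the
    host.conf 'order' line (assumed keywords: hosts -> files, bind -> dns)."""
    m = re.search(r"^\s*hosts:\s*(.+)$", nsswitch, re.M)
    if m:
        return [w for w in m.group(1).split() if w in ("files", "dns")]
    m = re.search(r"^\s*order\s+(.+)$", host_conf, re.M)
    if m:
        alias = {"hosts": "files", "bind": "dns"}
        words = re.split(r"[,\s]+", m.group(1).strip())
        return [alias[w] for w in words if w in alias]
    return ["files", "dns"]


def lookup_files(name, hosts_text=HOSTS_FILE):
    """First address whose name or alias matches, ignoring comments."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            return fields[0]
    return None


def lookup_dns(name, records=DNS):
    return records.get(name)


def resolve(name, order, hosts_text=HOSTS_FILE, records=DNS):
    """Walk the sources in order; return (address, source) of the first hit."""
    for src in order:
        addr = lookup_files(name, hosts_text) if src == "files" else lookup_dns(name, records)
        if addr:
            return addr, src
    return None, None


def gateway_check(name, order, hosts_text=HOSTS_FILE, records=DNS, nets=INTERNAL_NETS):
    """Tell whether the MTA would reach `name` on an internal or external address."""
    addr, src = resolve(name, order, hosts_text, records)
    internal = addr is not None and any(ipaddress.ip_address(addr) in n for n in nets)
    return {"name": name, "address": addr, "source": src, "internal": internal}
```

Running `gateway_check("mailhost", resolution_order())` against the constructed data reproduces the symptom in the thread: with DNS ahead of the hosts file the MTA gets the external address, and only a files-first order makes the hosts entry take effect.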


