4.11 I'm running sendmail on my firewall or bastion host but I don't want my users accessing this machine to send and receive mail. The external MX records all point at the bastion host which works fine, but I want to configure a host on my internal network for my users to use to send and receive mail. How do I get the mail off of the bastion host and onto the internal host, and how do I still use the bastion host to route the mail?

On the bastion host edit your macro configuration file to include a mailertable entry:

   FEATURE(mailertable, `hash -o /etc/mail/mailertable')dnl
   

and then add the following to /etc/mail/mailertable:

   mydomain.com      SMTP:[xxx.xxx.xxx.xxx]
   

where xxx.xxx.xxx.xxx is the IP address of the desired internal host (the square brackets make sendmail deliver to that address directly instead of doing an MX lookup). Then build the map database with:

   makemap hash /etc/mail/mailertable.db < /etc/mail/mailertable
   

In the /etc/mail/access file of the bastion host, add a line that explicitly allows relaying from the internal mail host, and then add a 550 rejection entry keyed on the internal network's address prefix (e.g. 192.168.1 for the 192.168.1.0 network) so that none of your other internal hosts can relay directly through the bastion host. Something like this would work:

   # hostname keys match the connecting client's reverse-DNS name
   internal.domain.com       RELAY
   # IP keys are address prefixes: 192.168.1 matches every 192.168.1.x address
   192.168.1                 550 Use internal.domain.com as your SMTP host!
   

In the macro configuration file on the internal host, add a line like this:

   define(`SMART_HOST',`bastion.domain.com')dnl
   

Add the internal network prefix to the /etc/mail/access file on the internal mail host so that the clients are explicitly authorized to relay through it. This should work fine:

   192.168.1                 RELAY
   

The result is that inbound mail for domain.com is routed directly to the internal host by the mailertable entry, all outbound mail from the internal host is relayed through the bastion host, and SMTP attempts from the clients directly to the bastion host are rejected.
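As an added illustration (not from the sendmail FAQ or sendmail's own code), the following simulates sendmail's access-db lookup order for the bastion host's entries above, so you can check which clients get RELAY and which get the 550 before touching the live map. The access text and client names/addresses are constructed; the lookup order (client hostname and its parent domains first, then the client address and its shorter prefixes) mirrors what check_relay does.

```python
# Constructed copy of the bastion host's /etc/mail/access from this FAQ entry.
ACCESS_FILE = """\
# hostname keys match the connecting client's reverse-DNS name
internal.domain.com       RELAY
# IP keys are address prefixes: 192.168.1 covers 192.168.1.0/24
192.168.1                 550 Use internal.domain.com as your SMTP host!
"""

def parse_access(text):
    """Parse access-file text into {key: value}; '#' lines are comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key] = value
    return table

def ip_candidates(ip):
    """Keys sendmail tries for an address: the full IP, then shorter prefixes."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]

def host_candidates(name):
    """Keys sendmail tries for a hostname: the name, then each parent domain."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def lookup(table, candidates):
    for key in candidates:
        if key in table:
            return table[key]
    return None

def check_relay(table, client_name, client_ip):
    """Decide a connection the way check_relay does: name first, then address.
    Returns the access value, or None when nothing matches (connection is
    accepted and relaying is decided later, per recipient)."""
    verdict = lookup(table, host_candidates(client_name)) if client_name else None
    if verdict is None:
        verdict = lookup(table, ip_candidates(client_ip))
    return verdict

if __name__ == "__main__":
    table = parse_access(ACCESS_FILE)
    # the internal mail host, resolved by reverse DNS, is allowed to relay
    print(check_relay(table, "internal.domain.com", "192.168.1.10"))
    # a desktop client with no reverse DNS hits the network-wide 550
    print(check_relay(table, "", "192.168.1.50"))
    # a key written as 192.168.1.0 never matches a real client address
    print(lookup({"192.168.1.0": "550 wrong key"}, ip_candidates("192.168.1.50")))
```

If the internal host's reverse DNS does not resolve to internal.domain.com, the name lookup finds nothing and its connection falls through to the network-wide 550 entry, so keying that RELAY entry on the host's IP address instead of its name removes the DNS dependency.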