sendmail masquerading


Header sender (HS) -- The From: address in the message header. This address is frequently masqueraded/rewritten from to, especially when is not configured to handle mail directly.

Envelope sender (ES) -- The address provided by the MAIL FROM: SMTP command. Mail transport agents send delivery status notifications to this address, and often check for the existence of the domain portion of the email address in DNS. For this reason, if you are rewriting/masquerading the HS, it may be a good idea to masquerade the ES.

Header recipient (HR) -- The To: address in the message header. This is the recipient address specified by the author of the message. It is left intact unless you use the allmasquerade feature or domaintable.

Envelope recipient (ER) -- The address provided by the RCPT TO: SMTP command. It is the final destination address of the email. This may differ from the HR if the address is rewritten using the user database, aliases database, or virtusertable.

There are several ways to masquerade source addresses in sendmail for outbound mail. The features and directives listed below are used in the sendmail macro configuration (.mc) file.

Messages from hosts in class w and class M (class M values are added to class w for the purposes of masquerading) will have their HS address masqueraded with domain.

The ES address is masqueraded in addition to the HS address.

Masquerade HR addresses. This will change the HR address on inbound mail, and is generally not recommended.

Values in class w or class M are treated as domain names, and every host within these domains is considered a match for masquerading.

Example: if is in class M, will not be masqueraded by default; it will be masqueraded using this feature.

Class M

This sendmail class is used only for masquerading. Values for class M may be loaded from a file or listed individually.

To load values in class M from a file:

To load values in class M individually:

To only masquerade domains in class M (instead of class w and class M):

To exclude a particular host from being masqueraded:

Class E

Class E contains a list of usernames that override masquerading. Generally, you will not want messages from the root user masqueraded so that you can determine from which server these messages actually originated; the root user is in class E by default.

To add a user to class E:


The genericstable is used to masquerade the user portion of outbound mail. The genericstable uses values in class G to determine whether to apply user masquerading. Values for class G may be loaded from a file or listed individually.

To load values in class G using a file:

To load values in class G individually:

By default, the HS address is masqueraded. To additionally masquerade the ES address: FEATURE(masquerade_envelope)

Values in class G are treated as domain names, and every host within these domains is considered a match for masquerading.


The domaintable masquerades the ES, ER, HS, and HR. It is generally used when completely converting from one domain to another.

Testing masquerading

sendmail's address test mode makes it easy to test masquerading.

# sendmail -bt
/tryflags HS (to test the header sender address; other tryflags values would be ES, HR, and ER, for envelope sender, header recipient, and envelope recipient, respectively)
/try esmtp email_address_to_test

sendmail -bt
> /tryflags ES
> /try esmtp
Trying envelope sender address for mailer esmtp

(many lines omitted)

final            returns: user @ domain . com

Rcode = 0, addr =

genericstable example

Our mail server relays mail for several domains, one of which is Since we relay mail for multiple domains, we do not want to use the masquerade_as feature to potentially include hosts in class w, class M, or both.

We want the envelope sender and header sender addresses from and to be masqueraded as changes:


We use generics_entire_domain to allow us to add hosts to genericstable without having to rebuild

genericstable entries:

Back to
Last modified: 2006/11/03