From owner-freebsd-security Mon Jan 6 13:02:23 1997
Date: Mon, 6 Jan 1997 15:00:17 -0600 (CST)
From: Jimbo Bahooli
To: Giles Lean
cc: freebsd-security@freebsd.org
Subject: Re: sendmail....tricks...
In-Reply-To: <199701060904.UAA00711@nemeton.com.au>

On Mon, 6 Jan 1997, Giles Lean wrote:

> On Sun, 5 Jan 1997 18:47:29 -0600 (CST) Jimbo Bahooli wrote:
>
> > The first idea, which I have successfully accomplished, is logging and
> > access control via tcp wrappers.
>
> Interesting; I think I'd go about it differently:
>
> Since sendmail currently supports using libwrap from Wietse Venema's
> tcp_wrappers distribution, this could be used to block non-local
> access to sendmail. With remote access to sendmail blocked it can use
> a non-standard port and smap/smapd from the TIS firewall toolkit could
> be used to talk to strangers.
>
> (Alternative to libwrap is one of the in-kernel firewalling solutions,
> but I don't think these log as well as application level checking, and
> must lose at least a little in performance for ordinary traffic.)

Going into the experiment I was just trying to transparently move sendmail to a different port; the logging and access control came about from the use of tcp wrappers from inetd. I figured this a plus and decided to add that in.
When time permits I am going to work on moving it to a non-root port, and sendmail will run solely as user mailer. Another idea, but since I do not know the exact details of sendmail, would be to run a program to bind to port 25. Then start sendmail as user mailer or some other person. I understand this can be done from inetd, but a new sendmail is started each session, which is a lot of excess overhead even on systems that do not pass much mail.
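The "bind port 25 as root, then run the mailer as an unprivileged user" idea above, as an added example in C (not code from this thread or from sendmail itself): the program binds the privileged port, drops to an assumed user "mailer" and verifies root cannot be regained, then serves each connection inetd-style with `sendmail -bs` (SMTP on stdin/stdout) at an assumed path /usr/sbin/sendmail.

```c
/* Added example, not from the thread: bind a privileged port as root, then drop
 * to an unprivileged user permanently. User "mailer" and the path are assumed. */
#define _DEFAULT_SOURCE
#include <sys/socket.h>
#include <netinet/in.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Listen on loopback TCP `port`; 0 lets the kernel pick one. Returns fd or -1. */
int bind_listener(int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa;
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) { close(fd); return -1; }
    return fd;
}

/* Give up root for good: groups, then gid, then uid, in that order.
 * Returns 0 only if `user` exists, is not root, and root cannot be regained. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0) return -1;
    if (setgroups(1, &pw->pw_gid) < 0 || setgid(pw->pw_gid) < 0) return -1;
    if (setuid(pw->pw_uid) < 0) return -1;
    if (setuid(0) == 0) return -1;              /* regaining root must fail */
    return (getuid() == pw->pw_uid && geteuid() == pw->pw_uid) ? 0 : -1;
}

int main(void)
{
    int lfd = bind_listener(25);                /* port 25 needs root at this point */
    if (lfd < 0 || drop_privileges("mailer") < 0) { perror("setup"); return 1; }
    for (;;) {                                  /* inetd-style: one sendmail -bs per connection */
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0) continue;
        if (fork() == 0) {
            dup2(cfd, 0); dup2(cfd, 1); close(cfd); close(lfd);
            execl("/usr/sbin/sendmail", "sendmail", "-bs", (char *)NULL); _exit(127);
        }
        close(cfd);
    }
}
```

The per-connection fork/exec is the same cost the post complains about; what changes is that sendmail never holds root, since the socket was bound before the drop.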