From: "Maxim Khitrov"
To: freebsd-questions@freebsd.org
Date: Mon, 21 May 2007 19:52:11 -0400
Subject: Re: Sendmail ignores hosts.allow

On 5/21/07, Mikhail Goriachev wrote:
> Maxim Khitrov wrote:
> > Hello,
> >
> > I'm trying to restrict access to sendmail via hosts.allow. Don't need
> > a firewall, since I just want to block everyone but the localhost from
> > sending e-mail out. Anyway, it seems that sendmail ignores these
> > settings even though it was compiled with TCPWRAPPERS. I added
> > "sendmail : all : deny" as the very first line in hosts.allow, just to
> > see if it will let me connect from anywhere. It does - not just from
> > localhost, but from all remote locations as well. I have no problems
> > connecting and sending e-mail. Am I missing something?
>
> I followed your earlier thread (hopefully this is a related topic). This
> is strange. By default, sendmail is disabled. You don't even have to put
> anything into rc.conf:
>
> # grep sendmail /etc/defaults/rc.conf
>
> Sendmail listens and accepts local mail only. You can't connect to it
> from another machine:
>
> # telnet some.host.tld 25
> Trying 1.2.3.4...
> telnet: connect to address 1.2.3.4: Connection refused
> telnet: Unable to connect to remote host
>
> You must've tweaked something to make it behave differently.
>
> > I tested the same setup with sshd, and that works properly. After a
> > quick search on google it seems that I'm not the only one with this
> > problem, but I couldn't find any solution to this. Any help is greatly
> > appreciated.
>
> Share with us your testing methodology. From previous thread, I
> understand that you just want something to submit your local mail (from
> daemons, scripts, etc). Then as others already said, a simple alias in
> /etc/mail/aliases and executing newaliases is sufficient.

Ok, so here's my current setup. I have sendmail_enable="NO" in rc.conf
(same as not having it there I guess), I've modified /etc/mail/aliases
to forward everything sent to root to my gmail account, and I added
"sendmail : all : deny" as the first line to /etc/hosts.allow while I'm
testing everything. Once I make sure that the deny rule works, I'll
allow access to sendmail only from localhost. This is all on FreeBSD
6.2, but it's running in a jail, so that might have some effect.

From my previous thread, sendmail is used only to accept messages sent
by processes running on the server, and send them to real e-mails
specified in /etc/aliases. That part works. However, even though
sendmail_enable is set to "NO" in rc.conf, sendmail still listens on
port 25, accepts mail from remote hosts, and the hosts.allow rule
doesn't seem to apply. Strange, isn't it? By the way, I just tried
removing sendmail_enable line from rc.conf completely and that had no
effect.

All I do for testing is basically start/restart sendmail, then telnet
to the server from my workstation at home. I get a standard reply, and
can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on.
Relaying doesn't work, but sending to and all other aliases works fine
(which in this case is bad).

Think this might be some bug when sendmail is running in a jail? I
haven't modified anything beyond what's mentioned in this e-mail, and
I've checked all the settings. I can definitely connect to the server
from remote hosts despite the rc.conf and hosts.allow configuration.

- Maxim Khitrov
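
Added example (not part of the original message): a shell check for the two things the message is testing, namely whether anything on port 25 is bound to a non-loopback address, and which hosts.allow rule is reached first for the sendmail daemon. The sockstat and hosts.allow samples are constructed, the function names are hypothetical, and the rule matcher is a simplification that handles only plain daemon names and ALL.

```shell
#!/bin/sh
# Added example; the sample data is constructed, not taken from the thread.

# Constructed `sockstat -4l` output for a host whose address is 192.0.2.10.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   812   4  tcp4   192.0.2.10:25         *:*
root     sshd       640   3  tcp4   192.0.2.10:22         *:*
EOF
}

# Constructed hosts.allow with the test rule from the message placed first.
sample_hosts_allow() {
cat <<'EOF'
# /etc/hosts.allow
sendmail : all : deny
ALL : ALL : allow
EOF
}

# Print "command address" for each TCP listener on port 25 that is not
# bound to loopback only, i.e. one that a remote host can reach.
exposed_smtp_listeners() {
    awk 'NR > 1 && $5 ~ /^tcp/ && $6 ~ /:25$/ && $6 !~ /^127\./ { print $2, $6 }'
}

# Print the first rule whose daemon list names $1 or ALL. tcp_wrappers stops
# at the first matching rule, so anything after it is never consulted.
first_rule_for() {
    awk -v d="$1" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            split($0, f, ":")                   # f[1] is the daemon list
            n = split(f[1], names, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (names[i] == d || toupper(names[i]) == "ALL") {
                    gsub(/[ \t]+/, " "); print; exit
                }
        }'
}

# On a live FreeBSD host, feed the real data instead of the samples:
#   sockstat -4l | exposed_smtp_listeners
#   first_rule_for sendmail < /etc/hosts.allow
sample_sockstat | exposed_smtp_listeners
sample_hosts_allow | first_rule_for sendmail
```

An empty result from the first check means port 25 is loopback-only; any line it prints is a listener that a remote telnet test like the one described above can reach.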