Date:      Mon, 21 May 2007 20:33:07 -0400 (EDT)
From:      doug <doug@fledge.watson.org>
To:        Maxim Khitrov <mkhitrov@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Sendmail ignores hosts.allow
Message-ID:  <20070521201142.Y86945@fledge.watson.org>
In-Reply-To: <26ddd1750705211652q500f95a1t15280ca017ed46df@mail.gmail.com>
References:  <26ddd1750705211537j78ed83fdm921f7f5e5df5c4@mail.gmail.com> <46522BE0.4080407@webanoide.org> <26ddd1750705211652q500f95a1t15280ca017ed46df@mail.gmail.com>


On Mon, 21 May 2007, Maxim Khitrov wrote:

> On 5/21/07, Mikhail Goriachev <mikhailg@webanoide.org> wrote:
>> Maxim Khitrov wrote:
>> > Hello,
>> >
>> > I'm trying to restrict access to sendmail via hosts.allow. Don't need
>> > a firewall, since I just want to block everyone but the localhost from
>> > sending e-mail out. Anyway, it seems that sendmail ignores these
>> > settings even though it was compiled with TCPWRAPPERS. I added
>> > "sendmail : all : deny" as the very first line in hosts.allow, just to
>> > see if it will let me connect from anywhere. It does - not just from
>> > localhost, but from all remote locations as well. I have no problems
>> > connecting and sending e-mail. Am I missing something?
>> 
>> I followed your earlier thread (hopefully this is a related topic). This
>> is strange. By default, sendmail is disabled. You don't even have to put
>> anything into rc.conf:
>> 
>> # grep sendmail /etc/defaults/rc.conf
>> 
>> Sendmail listens and accepts local mail only. You can't connect to it
>> from another machine:
>> 
>> # telnet some.host.tld 25
>> Trying 1.2.3.4...
>> telnet: connect to address 1.2.3.4: Connection refused
>> telnet: Unable to connect to remote host
>> 
>> You must've tweaked something to make it behave differently.
>> 
>> > I tested the same setup with sshd, and that works properly. After a
>> > quick search on google it seems that I'm not the only one with this
>> > problem, but I couldn't find any solution to this. Any help is greatly
>> > appreciated.
>> 
>> Share with us your testing methodology. From previous thread, I
>> understand that you just want something to submit your local mail (from
>> daemons, scripts, etc). Then as others already said, a simple alias in
>> /etc/mail/aliases and executing newaliases is sufficient.
>
> Ok, so here's my current setup. I have sendmail_enable="NO" in rc.conf
> (same as not having it there I guess), I've modified /etc/mail/aliases
> to forward everything sent to root to my gmail account, and I added
> "sendmail : all : deny" as the first line to /etc/hosts.allow while
> I'm testing everything. Once I make sure that the deny rule works,
> I'll allow access to sendmail only from localhost. This is all on
> FreeBSD 6.2, but it's running in a jail, so that might have some
> effect.

sendmail_enable="NO" means there is no sendmail daemon running. You can verify
this via "ps -aux | grep sendmail". Remove that statement. Without a reboot you
can start sendmail by "cd /etc/mail; make start".

Unless you have changed the freebsd.mc file and done a 'make install' I do not
believe sendmail will accept any connections except on 127.0.0.1
(localhost). This is what you want, I think. If that's it, as others have said,
there is no reason to use the hosts.allow mechanism. This is independent of the
jail environment.

   sockstat|grep sendmail

and you can see what's going on.
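
The sockstat check suggested in the message above can be scripted. The following is an added example, not part of the original e-mail: the function name check_sendmail_listeners and both sample listings are constructed for illustration, and it assumes the usual FreeBSD sockstat column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN).

```shell
#!/bin/sh
# Added example. Classifies sendmail TCP listeners in FreeBSD sockstat output.
# Assumed columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Reads sockstat output on stdin, prints one line per sendmail listener.
# Exit status: 0 = loopback only, 1 = listening off-host, 2 = no listener.
check_sendmail_listeners() {
    awk '
        # Listening TCP sockets show a wildcard foreign address.
        $2 == "sendmail" && $5 ~ /^tcp/ && $7 == "*:*" {
            addr = $6
            sub(/:[0-9]+$/, "", addr)   # drop the port, keep the bind address
            found = 1
            if (addr == "127.0.0.1" || addr == "::1") {
                print "loopback " $6
            } else {
                print "exposed " $6
                exposed = 1
            }
        }
        END {
            if (!found) exit 2
            if (exposed) exit 1
            exit 0
        }
    '
}

# Constructed sample: sendmail bound to localhost only.
SAMPLE_LOCAL='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   612   4  tcp4   127.0.0.1:25          *:*
root     sshd       580   3  tcp4   *:22                  *:*'

# Constructed sample: sendmail bound to every address.
SAMPLE_EXPOSED='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   612   4  tcp4   *:25                  *:*
root     sendmail   612   5  tcp4   *:587                 *:*'

# Demo run on the loopback-only sample.
printf '%s\n' "$SAMPLE_LOCAL" | check_sendmail_listeners
```

On a live host, pipe the real listing in: sockstat | check_sendmail_listeners.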