From: Mikhail Goriachev
Organization: Webanoide
Date: Tue, 22 May 2007 11:05:21 +1000
Message-ID: <465241D1.8060201@webanoide.org>
In-Reply-To: <20070521201142.Y86945@fledge.watson.org>
To: doug@safeport.com
Cc: Maxim Khitrov, freebsd-questions@freebsd.org
Subject: Re: Sendmail ignores hosts.allow

doug wrote:
>
> On Mon, 21 May 2007, Maxim Khitrov wrote:
>
>> On 5/21/07, Mikhail Goriachev wrote:
>>> Maxim Khitrov wrote:
>>>> Hello,
>>>>
>>>> I'm trying to restrict access to sendmail via hosts.allow. Don't need
>>>> a firewall, since I just want to block everyone but the localhost from
>>>> sending e-mail out. Anyway, it seems that sendmail ignores these
>>>> settings even though it was compiled with TCPWRAPPERS. I added
>>>> "sendmail : all : deny" as the very first line in hosts.allow, just to
>>>> see if it will let me connect from anywhere. It does - not just from
>>>> localhost, but from all remote locations as well. I have no problems
>>>> connecting and sending e-mail. Am I missing something?
>>>
>>> I followed your earlier thread (hopefully this is a related topic). This
>>> is strange. By default, sendmail is disabled. You don't even have to put
>>> anything into rc.conf:
>>>
>>> # grep sendmail /etc/defaults/rc.conf
>>>
>>> Sendmail listens and accepts local mail only. You can't connect to it
>>> from another machine:
>>>
>>> # telnet some.host.tld 25
>>> Trying 1.2.3.4...
>>> telnet: connect to address 1.2.3.4: Connection refused
>>> telnet: Unable to connect to remote host
>>>
>>> You must've tweaked something to make it behave differently.
>>>
>>>> I tested the same setup with sshd, and that works properly. After a
>>>> quick search on google it seems that I'm not the only one with this
>>>> problem, but I couldn't find any solution to this. Any help is greatly
>>>> appreciated.
>>>
>>> Share with us your testing methodology. From the previous thread, I
>>> understand that you just want something to submit your local mail (from
>>> daemons, scripts, etc). Then, as others already said, a simple alias in
>>> /etc/mail/aliases and executing newaliases is sufficient.
>>
>> Ok, so here's my current setup. I have sendmail_enable="NO" in rc.conf
>> (same as not having it there, I guess), I've modified /etc/mail/aliases
>> to forward everything sent to root to my gmail account, and I added
>> "sendmail : all : deny" as the first line to /etc/hosts.allow while
>> I'm testing everything. Once I make sure that the deny rule works,
>> I'll allow access to sendmail only from localhost. This is all on
>> FreeBSD 6.2, but it's running in a jail, so that might have some
>> effect.
>
> sendmail_enable="NO" means there is no sendmail daemon running. You can verify
> this via "ps -aux | grep sendmail". Remove that statement. Without a reboot you
> can start sendmail by cd /etc/mail; make start.

sendmail_enable="NO" tells sendmail to bind to localhost only (hence it
becomes unreachable from the outside):

# sockstat -4l | grep sendmail
root     sendmail   42310 4  tcp4   127.0.0.1:25          *:*

sendmail_enable="YES" starts/adds the submit capability:

# sockstat -4l | grep sendmail
root     sendmail   42262 4  tcp4   *:25                  *:*
root     sendmail   42262 5  tcp4   *:587                 *:*

In both cases, executing ps -aux shows the sendmail daemon is running. The
first knob is the default as per /etc/defaults/rc.conf.

> Unless you have changed the freebsd.mc file and done a 'make install' I do not
> believe sendmail will accept any connections except on 127.0.0.1
> (localhost). This is what you want I think. If that's it, as others have said,
> there is no reason to use the hosts.allow mechanism. This is independent of the
> jail environment.
>
> sockstat|grep sendmail
>
> and you can see what's going on.

-- 
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: mikhailg@webanoide.org
Web: www.webanoide.org
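The thread's point is that the sendmail knob, not hosts.allow, decides whether the daemon is reachable from outside, and that sockstat shows which case you are in. As an added example (not from any poster), the following POSIX shell helper reads sockstat -4l output and reports whether every sendmail listener is bound to loopback; the sample lines are constructed to match the two cases quoted above, and the column layout USER COMMAND PID FD PROTO LOCAL FOREIGN is an assumption about sockstat's output.

```shell
#!/bin/sh
# Added example: classify sendmail listeners from "sockstat -4l" output.
# Assumes sockstat columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# (IPv4 only; "sockstat -6l" addresses contain extra colons and are not handled).

# Print one line per sendmail socket: "<local address> loopback|exposed".
# The header line is skipped automatically because its 2nd column is "COMMAND".
classify_listeners() {
    awk '$2 == "sendmail" {
        n = split($6, a, ":")          # a[1] = bind address, a[n] = port
        if (a[1] == "127.0.0.1") print $6, "loopback"
        else print $6, "exposed"       # "*" or a real interface address
    }'
}

# Exit 0 when every sendmail listener is loopback-only, 1 when any is reachable
# from other hosts (which is what a hosts.allow rule could never fix by itself).
sendmail_is_local_only() {
    ! classify_listeners | grep -q ' exposed$'
}

# Constructed sample: the sendmail_enable="NO" (default) case from the thread.
SAMPLE_NO='USERS    COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   42310 4  tcp4   127.0.0.1:25          *:*'

# Constructed sample: the sendmail_enable="YES" case from the thread.
SAMPLE_YES='USERS    COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   42262 4  tcp4   *:25                  *:*
root     sendmail   42262 5  tcp4   *:587                 *:*'

# On a live FreeBSD box:  sockstat -4l | sendmail_is_local_only && echo "local only"
```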