Date:      Tue, 22 May 2007 16:21:49 -0400
From:      "Maxim Khitrov" <mkhitrov@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Sendmail ignores hosts.allow
Message-ID:  <26ddd1750705221321n39d72034m3773ecce8ab49da1@mail.gmail.com>
In-Reply-To: <465340C0.3040705@xxiii.com>
References:  <26ddd1750705211537j78ed83fdm921f7f5e5df5c4@mail.gmail.com> <20070522105732.A2743@erienet.net> <26ddd1750705220837n141787fdh6167c0cb07a8396f@mail.gmail.com> <20070522121629.X86945@fledge.watson.org> <26ddd1750705221046m543c427ahf9c73878d14f6e2a@mail.gmail.com> <9355E7E0-1B92-40A1-BDB2-D17FD1815814@lafn.org> <465340C0.3040705@xxiii.com>

On 5/22/07, Rob <r17fbsd@xxiii.com> wrote:
> Doug Hardie wrote:
> > On May 22, 2007, at 10:46, Maxim Khitrov wrote:
> >>> > # Deny sendmail to all clients (temporary)
> >>> > sendmail : all : deny
>
> > tcp wrappers must be coded into the application.  The call which
> > actually checks the access permissions in the hosts.allow file is
> > hosts_access() (see man hosts_access).  Checking through the sendmail
>
> I have to disagree with that.  I run unmodified 8.13.8 on 6.2, and it DOES respect hosts.allow.  Just not in the way you might assume.
>
> I can telnet to port 25, it allows connections from *anywhere*, and will respond to a HELO.  It's not until I give it a "mail to:" that it protests with "550 5.0.0 Access denied".  I use "FEATURE(delay_checks)" in the cf file, which may have some effect on this.
>
> The log file shows:
> May 22 14:56:47 cartman sm-mta[74026]: l4MIullh074026: tcpwrappers (unknown, 192.31.130.140) rejection
>
> The actual options & version look like:
> $ sendmail -bp -d0.1
> Version 8.13.8
>  Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
>                 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SCANF
>                 STARTTLS TCPWRAPPERS USERDB XDEBUG
> $ uname -rms
> FreeBSD 6.2-RELEASE i386
>
>
>    -RW

You know, I could have sworn that I checked actually sending the
message through telnet yesterday with the deny rule in place. You're
right though, it fails right after I give it the mail from command. Guess
I didn't keep good track of what I was checking each time. Do you know
if there is a reason they chose to do it this way? Accept the
connection, but don't allow the client to do anything with it? I
didn't find FEATURE(delay_checks) in any of my cf files, so I think
it's something else. Well at any rate, thanks for your help.

- Max
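
For checking this behaviour from the log side, here is an added example that is not part of the original message: a small Python parser for the `tcpwrappers (...) rejection` line format quoted above, counting rejections per client address. The function names, field names and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Line format as quoted in the thread:
#   <timestamp> <host> sm-mta[<pid>]: <queue id>: tcpwrappers (<name>, <addr>) rejection
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"sm-mta\[(?P<pid>\d+)\]:\s(?P<qid>\w+):\s"
    r"tcpwrappers \((?P<name>[^,]*),\s*(?P<addr>[^)]+)\) rejection\s*$"
)


def parse_rejections(lines):
    """Return one dict per tcpwrappers rejection line; other lines are skipped."""
    hits = []
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def rejections_by_addr(lines):
    """Count rejections per client address, e.g. to confirm a deny rule is firing."""
    return Counter(hit["addr"] for hit in parse_rejections(lines))


SAMPLE_LOG = [
    # Line quoted in the thread.
    "May 22 14:56:47 cartman sm-mta[74026]: l4MIullh074026: tcpwrappers (unknown, 192.31.130.140) rejection",
    # Constructed lines (documentation address range, made-up queue ids).
    "May 22 14:57:02 cartman sm-mta[74031]: l4MIv2aa074031: tcpwrappers (client.example.net, 192.0.2.15) rejection",
    "May 22 14:57:40 cartman sm-mta[74040]: l4MIvebb074040: tcpwrappers (unknown, 192.31.130.140) rejection",
    # Constructed non-rejection line; must be ignored by the parser.
    "May 22 14:58:11 cartman sm-mta[74044]: l4MIwBcc074044: from=<a@example.org>, size=512, nrcpts=1",
]

if __name__ == "__main__":
    for addr, count in rejections_by_addr(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {addr}")
```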