Date:      Tue, 22 May 2007 11:35:51 +1000
From:      Mikhail Goriachev <mikhailg@webanoide.org>
To:        Maxim Khitrov <mkhitrov@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Sendmail ignores hosts.allow
Message-ID:  <465248F7.7060204@webanoide.org>
In-Reply-To: <26ddd1750705211814p71597e9nb18005349f222c84@mail.gmail.com>
References:  <26ddd1750705211537j78ed83fdm921f7f5e5df5c4@mail.gmail.com> <46522BE0.4080407@webanoide.org> <26ddd1750705211652q500f95a1t15280ca017ed46df@mail.gmail.com> <46523D81.4050603@webanoide.org> <26ddd1750705211814p71597e9nb18005349f222c84@mail.gmail.com>

Maxim Khitrov wrote:
> On 5/21/07, Mikhail Goriachev <mikhailg@webanoide.org> wrote:
>> Maxim Khitrov wrote:
>>> On 5/21/07, Mikhail Goriachev <mikhailg@webanoide.org> wrote:
>>>> Maxim Khitrov wrote:
>>>>> Hello,
>>>>>
>>>>> I'm trying to restrict access to sendmail via hosts.allow. Don't need
>>>>> a firewall, since I just want to block everyone but the localhost from
>>>>> sending e-mail out. Anyway, it seems that sendmail ignores these
>>>>> settings even though it was compiled with TCPWRAPPERS. I added
>>>>> "sendmail : all : deny" as the very first line in hosts.allow, just to
>>>>> see if it will let me connect from anywhere. It does - not just from
>>>>> localhost, but from all remote locations as well. I have no problems
>>>>> connecting and sending e-mail. Am I missing something?
>>>> I followed your earlier thread (hopefully this is a related topic). This
>>>> is strange. By default, sendmail is disabled. You don't even have to put
>>>> anything into rc.conf:
>>>>
>>>> # grep sendmail /etc/defaults/rc.conf
>>>>
>>>> Sendmail listens and accepts local mail only. You can't connect to it
>>>> from another machine:
>>>>
>>>> # telnet some.host.tld 25
>>>> Trying 1.2.3.4...
>>>> telnet: connect to address 1.2.3.4: Connection refused
>>>> telnet: Unable to connect to remote host
>>>>
>>>> You must've tweaked something to make it behave differently.
>>>>
>>>>> I tested the same setup with sshd, and that works properly. After a
>>>>> quick search on google it seems that I'm not the only one with this
>>>>> problem, but I couldn't find any solution to this. Any help is greatly
>>>>> appreciated.
>>>> Share with us your testing methodology. From previous thread, I
>>>> understand that you just want something to submit your local mail (from
>>>> daemons, scripts, etc). Then as others already said, a simple alias in
>>>> /etc/mail/aliases and executing newaliases is sufficient.
>>> Ok, so here's my current setup. I have sendmail_enable="NO" in rc.conf
>>> (same as not having it there I guess), I've modified /etc/mail/aliases
>>> to forward everything sent to root to my gmail account, and I added
>>> "sendmail : all : deny" as the first line to /etc/hosts.allow while
>>> I'm testing everything. Once I make sure that the deny rule works,
>>> I'll allow access to sendmail only from localhost. This is all on
>>> FreeBSD 6.2, but it's running in a jail, so that might have some
>>> effect.
>>>
>>> From my previous thread, sendmail is used only to accept messages sent
>>> by processes running on the server, and send them to real e-mails
>>> specified in /etc/aliases. That part works. However, even though
>>> sendmail_enable is set to "NO" in rc.conf, sendmail still listens on
>>> port 25, accepts mail from remote hosts, and the hosts.allow rule
>>> doesn't seem to apply. Strange, isn't it? By the way, I just tried
>>> removing sendmail_enable line from rc.conf completely and that had no
>>> effect.
>>>
>>> All I do for testing is basically start/restart sendmail, then telnet
>>> to the server from my workstation at home. I get a standard reply, and
>>> can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on.
>>> Relaying doesn't work, but sending to and all other aliases works fine
>>> (which in this case is bad).
>>>
>>> Think this might be some bug when sendmail is running in a jail? I
>>> haven't modified anything beyond what's mentioned in this e-mail, and
>>> I've checked all the settings. I can definitely connect to the server
>>> from remote hosts despite the rc.conf and hosts.allow configuration.
>> This is a different story now. On your host machine (as in jails' host),
>> sendmail binds to localhost and never responds to outside world. This is
>> expected. However, sendmail in a jail, binds to jail's IP address and
>> that is why you can talk to it from outside.
>>
>> Run this on your host:
>>
>> # sockstat -4l | grep sendmail
>>
>> The output should look like this:
>>
>> root     sendmail   1624  4  tcp4   1.2.3.5:25            *:*
>> root     sendmail   1624  4  tcp4   1.2.3.4:25            *:*
>> root     sendmail   1624  4  tcp4   1.2.3.3:25            *:*
>> root     sendmail   1624  4  tcp4   1.2.3.2:25            *:*
>> root     sendmail   1208  3  tcp4   127.0.0.1:25          *:*
>>
>> The first four are jails. The last one is host's sendmail being "disabled".
>>
>>
>> I'd suggest using a firewall to protect your jails instead of trying to
>> completely disable sendmails.
> 
> I can't run that on my host, because I only have access to the jail
> (I'm paying for a vps server with another host). That makes sense
> however, I had a feeling that it was jail-related. But what about the
> hosts.allow problem? I can run a firewall, of course, but hosts.allow
> seems like a more efficient way of doing the same thing. I've already
> got it configured and working with sshd, so I see no reason why
> sendmail doesn't want to work the same way.


Oh... right. Can't tell you much about hosts.allow, especially in jails,
but I reckon someone else will.


Good luck!


Regards,
Mikhail.

-- 
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: mikhailg@webanoide.org
Web: www.webanoide.org
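An added check, not from this thread, that automates the `sockstat -4l | grep sendmail` inspection Mikhail suggests: it parses sockstat's output and flags any sendmail socket bound somewhere other than 127.0.0.1, which is exactly the condition he describes for a jail's sendmail. The sample lines reuse the output format shown above; the function names `exposed_sendmail_listeners` and `check_sendmail_exposure` are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Detects sendmail listeners that are
# reachable from outside the machine, i.e. bound to anything but 127.0.0.1.
#
# Constructed sample in the format of `sockstat -4l | grep sendmail` on a jail
# host: two jails' sendmails on their jail IPs plus the host's loopback-only one.
SAMPLE='root     sendmail   1624  4  tcp4   1.2.3.5:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.4:25            *:*
root     sendmail   1208  3  tcp4   127.0.0.1:25          *:*'

# Reads sockstat lines on stdin and prints "pid local-addr:port" for every
# sendmail TCP socket whose local address is not loopback. A wildcard bind
# ("*:25") is also reported, since that is reachable from any interface.
exposed_sendmail_listeners() {
    awk '$2 == "sendmail" && $5 ~ /^tcp/ && $6 !~ /^127\.0\.0\.1:/ {
        print $3, $6
    }'
}

# Takes sockstat output as its argument. Returns 0 when every sendmail
# listener is on 127.0.0.1, 1 (and lists the offenders) otherwise.
check_sendmail_exposure() {
    exposed=$(printf '%s\n' "$1" | exposed_sendmail_listeners)
    if [ -n "$exposed" ]; then
        printf 'WARNING: sendmail accepts connections on non-loopback address(es):\n%s\n' "$exposed"
        return 1
    fi
    echo "OK: sendmail listens on 127.0.0.1 only"
    return 0
}

# Usage on a live FreeBSD system (requires sockstat):
#   check_sendmail_exposure "$(sockstat -4l)"
# Demonstration on the constructed sample:
check_sendmail_exposure "$SAMPLE"
```

On the sample above the check reports the two jail addresses and exits non-zero; a host where only the 127.0.0.1 line appears passes.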


