Date: Mon, 6 Jan 1997 15:00:17 -0600 (CST)
From: Jimbo Bahooli <moke@fools.ecpnet.com>
To: Giles Lean <giles@nemeton.com.au>
Cc: freebsd-security@freebsd.org
Subject: Re: sendmail....tricks...
Message-ID: <Pine.BSF.3.95.970106144729.277A-100000@fools.ecpnet.com>
In-Reply-To: <199701060904.UAA00711@nemeton.com.au>

On Mon, 6 Jan 1997, Giles Lean wrote:

>
> On Sun, 5 Jan 1997 18:47:29 -0600 (CST) Jimbo Bahooli wrote:
>
> > The first idea, which I have successfully accomplished, is logging and
> > access control via tcp wrappers.
>
> Interesting; I think I'd go about it differently:
>
> Since sendmail currently supports using libwrap from Wietse Venema's
> tcp_wrappers distribution, this could be used to block non-local
> access to sendmail. With remote access to sendmail blocked it can use
> a non-standard port and smap/smapd from the TIS firewall toolkit could
> be used to talk to strangers.
>
> (Alternative to libwrap is one of the in-kernel firewalling solutions,
> but I don't think these log as well as application level checking, and
> must lose at least a little in performance for ordinary traffic.)

Going into the experiment I was just trying to transparently move
sendmail to a different port; the logging and access control came about
from the use of tcp wrappers from inetd. I figured this a plus and
decided to add that in. When time permits I am going to work on moving
it to a non-root port and sendmail will run solely as user mailer.

Another idea, but since I do not know the exacts of sendmail, would be
to run a program to bind to port 25. Then start sendmail as user mailer
or some other person. I understand this can be done from inetd, but a
new sendmail is started each session, which is a lot of excess overhead
even on systems that do not pass much mail.