Message-ID: <33F7FEEF.4B8C@barcode.co.il>
Date: Mon, 18 Aug 1997 10:51:11 +0300
From: Nadav Eiron
To: Jerry Kelley
CC: freebsd-questions
Subject: Re: sendmail on a firewall box
References: <33F7C9E9.167EB0E7@iquest.net>

Jerry Kelley wrote:
>
> This is probably a loaded question and I'd bet that I'll get responses
> on both sides but I'm going to ask this question anyway:
>
> 1) is it a major security hole to run sendmail on a firewall box?
>
> Okay, there, I said it. In the economy of a small business, it is not
> always practical to have several servers providing services such as
> firewalling and mail hosting. So, for my business, I want to set up a
> FreeBSD box to act as the Internet access point and provide things like
> DNS, mail hosting, NTP, and firewalling. I really don't have the dollars
> to build a separate box for the firewall although I know that security
> purists will frown and make some comments that security isn't cheap
> anyway.
>
> I just want one box that provides the services to my small LAN. I want
> that box to be the mail host for my company and also provide a
> firewall/proxy service.
>
> Am I asking for too much?

Not necessarily. Take a look at the TIS fwtk. It has a small utility
called smap. This thing speaks enough SMTP to make mailers think it is
actually delivering mail, but all it does is save the data into a file
in a predefined directory (and is only about 800 lines of code, so
there's not much room for security holes). A special daemon (called
smapd) reads those files and hands them over to sendmail. This has the
effect of not having outside access to sendmail. Also, smap does not run
as root (if I recall correctly).

We use such a setup here, and it has been mostly reliable, though some
outside mailers make smap crash on a sig 11. We run smap on the standard
SMTP port, and sendmail on another port which is blocked (by ipfw) for
outside access. Inside access to sendmail is redirected through plug-gw
(another utility from the fwtk) to the right port.

>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jerry Kelley
> jerryk@iquest.net
> "Expectations are life's greatest dangers."

Nadav
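Added example, not part of the original message and not fwtk code: a Python sketch of the store-only front end the reply describes, which answers SMTP commands and writes each message to a spool file for a separate process to hand to the real MTA. The names `receive`, `spool` and `MAX_BYTES`, the spool file layout and the reply strings are assumptions made for this illustration.

```python
import os
import tempfile

MAX_BYTES = 1_000_000  # assumed cap so one session cannot fill the spool

def spool(spool_dir, sender, rcpts, body):
    # Temp name (mode 0600 via mkstemp), then rename: reader never sees a partial file.
    fd, tmp = tempfile.mkstemp(prefix="tmp.", dir=spool_dir)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.writelines(["FROM %s\n" % sender] + ["RCPT %s\n" % r for r in rcpts])
        f.write("BODY\n" + "\n".join(body) + "\n")
    final = os.path.join(spool_dir, "msg." + os.path.basename(tmp)[4:])
    os.rename(tmp, final)
    return final

def receive(lines, spool_dir):
    """Answer one SMTP session; return (replies, spool_path or None)."""
    replies, path = ["220 ready"], None
    sender, rcpts, body, size, in_data = None, [], [], 0, False
    for line in (raw.rstrip("\r\n") for raw in lines):
        if in_data:
            if line == ".":  # end of message: queue it or refuse it
                if size <= MAX_BYTES:
                    path = spool(spool_dir, sender, rcpts, body)
                replies.append("250 queued" if size <= MAX_BYTES else "552 too large")
                sender, rcpts, body, size, in_data = None, [], [], 0, False
            else:
                line = line[1:] if line.startswith(".") else line  # dot-unstuffing
                size += len(line) + 1
                if size <= MAX_BYTES:
                    body.append(line)
            continue
        cmd = line.upper()
        if cmd.startswith(("HELO", "EHLO")):
            replies.append("250 hello")
        elif cmd.startswith("MAIL FROM:"):
            sender = line[10:].strip()  # recorded verbatim, never parsed or expanded
            replies.append("250 ok")
        elif cmd.startswith("RCPT TO:") and sender:
            rcpts.append(line[8:].strip())
            replies.append("250 ok")
        elif cmd == "DATA" and rcpts:
            in_data = True
            replies.append("354 end with .")
        elif cmd == "QUIT":
            replies.append("221 bye")
            break
        else:  # VRFY, EXPN, out-of-order commands: refused, never interpreted
            replies.append("500 command not accepted")
    return replies, path
```

In a deployment like the one described, a process of this kind would run as an unprivileged user with write access to the spool directory only.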