From owner-freebsd-security Fri Sep 22 15:39:53 2000
From: David Pick
To: Cy Schubert - ITSD Open Systems Group
Cc: Neil Blakey-Milner, security@FreeBSD.ORG, Peter Wemm
Subject: Re: sendmail default run state
In-reply-to: Your message of "Fri, 22 Sep 2000 13:11:51 PDT." <200009222012.e8MKCRF12785@cwsys.cwsent.com>
Date: Fri, 22 Sep 2000 23:37:59 +0100

> > > sendmail_enable="YES"              # run the sendmail MTA
> > > sendmail_outboundonly_enable="YES" # don't listen for messages from the network

Hmm. Jumping into this half-way through, does this mean:

(1) outbound only
(2) not inbound

the difference being that in (2) a local MTA would be running and would be allowed to accept messages from the local machine only. I've implemented this by using IPFW to allow TCP calls to port 25 via the loopback interface but not in from any "real" (real, tunnel, &c) interface.

I feel (2) is more useful (but then, I would, given what I do), but (1) might be of interest to some people (no need to have sendmail/exim/qmail listening).

> > > sendmail_queuetime="30"            # time in minutes between re-trying queued items
> > > sendmail_flags=""                  # additional sendmail flags
> >
> > What do others think of this? (originally Peter's idea)
> >
> > I personally would really like 'sendmail_outbound_only="YES"' to be the
> > default in /etc/defaults/rc.conf, with an option in sysinstall's Network
> > Services for turning it on/off.

Agreed.

On a similar vein, I used to block incoming TCP connections to port 6000 (X) until I found a hint on this list that adding "-nolisten tcp" to the server setup line in /usr/X11R6/lib/X11/xdm/Xservers was a much better way to go. (I use SSH extensively ;-) In fact (IIRC) it was a message from Cy!

--
David Pick
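The "not inbound" arrangement (option 2) described in the message above, written out as an added illustration rather than anything from the original post or the FreeBSD project: rc.conf keeps sendmail listening, and an ipfw ruleset confines port 25 to the loopback interface so that only local clients can submit mail. The rule numbers and the file path /etc/ipfw.rules are assumptions.

```conf
# --- /etc/rc.conf (excerpt) ---
# Option (2): the MTA keeps listening, so local clients can submit to
# 127.0.0.1:25; the packet filter, not sendmail, decides which interfaces
# may reach that socket.
sendmail_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"   # assumed path; rc.firewall loads a file given here

# --- /etc/ipfw.rules (assumed path); rules match in ascending number order ---
# Loopback traffic is allowed first, so local submission to port 25 works.
add 00100 allow ip from any to any via lo0
# A loopback source address arriving on a real interface is forged; drop it.
add 00200 deny ip from 127.0.0.0/8 to any in
# Inbound TCP to port 25 on any non-loopback interface is refused and logged
# (a delivery attempt from outside shows up in the ipfw log, not in maillog).
# Outbound delivery is unaffected: replies from a remote MX carry *source*
# port 25 and a high destination port, which this rule does not match.
add 00300 deny log tcp from any to any 25 in
# Option (1) would instead set sendmail_outboundonly_enable="YES" in rc.conf,
# leaving no listening socket at all; rule 300 then only adds defence in depth.
# Remaining traffic policy is site-specific; permissive here for illustration.
add 65000 allow ip from any to any
```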