From owner-freebsd-security Fri Sep 22 15:49:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194])
	by hub.freebsd.org (Postfix) with ESMTP id 05A8F37B424
	for ; Fri, 22 Sep 2000 15:49:47 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1)
	id 13cbdE-00098h-00; Sat, 23 Sep 2000 00:49:24 +0200
Date: Sat, 23 Sep 2000 00:49:24 +0200
From: Neil Blakey-Milner
To: David Pick
Cc: Cy Schubert - ITSD Open Systems Group, security@FreeBSD.ORG, Peter Wemm
Subject: Re: sendmail default run state
Message-ID: <20000923004924.A35072@mithrandr.moria.org>
References: <200009222012.e8MKCRF12785@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: ; from D.M.Pick@qmw.ac.uk on Fri, Sep 22, 2000 at 11:37:59PM +0100
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 2000-09-22 (23:37), David Pick wrote:
> > > > sendmail_enable="YES"              # run the sendmail MTA
> > > > sendmail_outboundonly_enable="YES" # don't listen for messages from the network
>
> Hmm. Jumping into this half-way through, does this mean:
> (1) outbound only
> (2) not inbound

1.

> the difference being that in (2) a local MTA would be running and would
> be allowed to accept messages from the local machine only. I've implemented
> this by using IPFW to allow TCP calls to port 25 via the loopback interface
> but not in from any "real" (real, tunnel, &c) interface.

Yeah, it would be nice to offer this, but we can't assure ipfw/ipfilter
rules, and my knowledge of sendmail configuration is dangerous.

Is there a way to tell sendmail what IP addresses to bind? If it means
rewriting the configuration file, we could investigate the use of sed to
allow us to specify smarthost (DS in sendmail, IIRC) and what IP(s) to bind.

> I feel (2) is more useful (but then, I would given what I do), but (1) might
> be of interest to some people (no need to have sendmail/exim/qmail listening).

My thinking is that people who start firewalling things are quite able to
change the option the way they like.

> On a similar vein, I used to block incoming TCP connections to port 6000 (X)
> until I found a hint on this list that adding "-nolisten tcp" to the server
> setup line in /usr/X11R6/lib/X11/xdm/Xservers was a much better way to go.
> (I use SSH extensively ;-) In fact (IIRC) it was a message from Cy!

Let me remember that. I'm supposed to be writing the all-encompassing
"How to Secure your FreeBSD System" document "sometime soon" (TM). ;)

I suppose making that the default might ire some people. Maybe we should
ire some people. ;)

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
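Added example, not part of the thread above and not FreeBSD's own rc code: Neil asks whether sendmail can be told which addresses to bind and suggests running sed over the configuration file to set the smarthost (the "DS" line) and the bind address. The script below does exactly that against a constructed sendmail.cf fragment. The option that controls the listening address in a generated sendmail.cf is "O DaemonPortOptions=", and "Addr=127.0.0.1" restricts the daemon to the loopback interface, which gives David's case (2) without depending on ipfw rules. The hostname smtp.example.org, the functions restrict_sendmail and check_bound, and the sample .cf text are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): rewrite a sendmail.cf so the
# daemon binds only to the loopback address and relays everything via a
# smarthost.  Assumes a V8-style sendmail.cf with a "DS" smarthost line and an
# "O DaemonPortOptions=" option line, as m4-generated .cf files have.

# Constructed sample sendmail.cf fragment (not a real system file).
SAMPLE_CF='# sample sendmail.cf (constructed for the example)
V8/Berkeley
DS
O DaemonPortOptions=Port=smtp, Name=MTA
O LogLevel=9
'

# restrict_sendmail CF_TEXT SMARTHOST BINDADDR
# Prints CF_TEXT with the smarthost and the daemon bind address rewritten.
# Only the two relevant lines are touched; everything else passes through.
restrict_sendmail() {
    cf="$1"; smarthost="$2"; bindaddr="$3"
    printf '%s' "$cf" | sed \
        -e "s|^DS.*|DS${smarthost}|" \
        -e "s|^O DaemonPortOptions=.*|O DaemonPortOptions=Port=smtp, Addr=${bindaddr}, Name=MTA|"
}

# check_bound CF_TEXT BINDADDR
# Exit status 0 if the MTA daemon option carries Addr=BINDADDR, 1 otherwise.
# Useful as a post-install check before (re)starting sendmail.
check_bound() {
    printf '%s' "$1" | grep -q "^O DaemonPortOptions=.*Addr=$2"
}

# Demonstration run: the rewritten configuration goes to stdout.
restrict_sendmail "$SAMPLE_CF" smtp.example.org 127.0.0.1
```

After writing the result to /etc/sendmail.cf and restarting sendmail, confirm with `netstat -an | grep '\.25 '` that the only LISTEN entry for port 25 is on 127.0.0.1; local submission over the loopback keeps working. The same two settings in an .mc file are `define(`SMART_HOST', `smtp.example.org')` and `DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA')`, regenerated with m4, which is the less fragile route than sed on a live .cf. Note that this closes only the listening socket: queue runs still need outbound TCP/25 to the smarthost, and a host-level ipfw rule like David's remains a reasonable second layer rather than the sole control.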