From owner-freebsd-security  Fri Sep 22 15:49:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194])
	by hub.freebsd.org (Postfix) with ESMTP id 05A8F37B424
	for <security@freebsd.org>; Fri, 22 Sep 2000 15:49:47 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1)
	id 13cbdE-00098h-00; Sat, 23 Sep 2000 00:49:24 +0200
Date: Sat, 23 Sep 2000 00:49:24 +0200
From: Neil Blakey-Milner <nbm@mithrandr.moria.org>
To: David Pick <D.M.Pick@qmw.ac.uk>
Cc: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>,
	security@FreeBSD.ORG, Peter Wemm <peter@netplex.com.au>
Subject: Re: sendmail default run state
Message-ID: <20000923004924.A35072@mithrandr.moria.org>
References: <200009222012.e8MKCRF12785@cwsys.cwsent.com> <E13cbSC-000Dyf-00@dialup-janus.css.qmw.ac.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <E13cbSC-000Dyf-00@dialup-janus.css.qmw.ac.uk>; from D.M.Pick@qmw.ac.uk on Fri, Sep 22, 2000 at 11:37:59PM +0100
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 2000-09-22 (23:37), David Pick wrote:
> > > > sendmail_enable="YES" # run the sendmail MTA
> > > > sendmail_outboundonly_enable="YES" # don't listen for messages from the network
> 
> Hmm. Jumping into this half-way through, does this mean:
>  (1) outbound only
>  (2) not inbound

1.

> the difference being that in (2) a local MTA woould be running and would
> be allowed to accept messages from the local machine only. I've implemented
> this by using IPFW to allow TCP calls to port 25 via the loopback interface
> but not in from any "real" (real, tunnel, &c) interface.

Yeah, it would be nice to offer this, but we can't assure ipfw/ipfilter
rules, and my knowledge of sendmail configuration is dangerous.  Is
there a way to tell sendmail what IP addresses to bind?  If it means
rewriting the configuration file, we could investigate the use of sed to
allow us to specify smarthost (DS in sendmail, IIRC) and what IP(s) to
bind.

> I feel (2) is more useful (but then, I would given what I do), but (1) might
> be of interest to some people (no need tohave sendmail/exim/qmail listening).

My thinking is that people who start firewalling things are quite able
to change the option the way they like.

> On a similar vein, I used to block incoming TCP connections to port 6000 (X)
> until I found a hint on this list that adding "-nolisten tcp" to the server
> setup line in /usr/X11R6/lib/X11/xdm/Xservers was a much better way to go.
> (I use SSH extensivly ;-) In fact (IIRC) it was a message from Cy!

Let me remember that.  I'm supposed to be writing the all-encompassing
"How to Secure your FreeBSD System" document "sometime soon" (TM). ;)

I suppose making that the default might ire some people.  Maybe we
should ire some people. ;)

Neil
-- 
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message