From owner-freebsd-questions@FreeBSD.ORG Tue May 22 00:33:09 2007
Date: Mon, 21 May 2007 20:33:07 -0400 (EDT)
From: doug
To: Maxim Khitrov
Cc: freebsd-questions@freebsd.org
Subject: Re: Sendmail ignores hosts.allow
In-Reply-To: <26ddd1750705211652q500f95a1t15280ca017ed46df@mail.gmail.com>
Message-ID: <20070521201142.Y86945@fledge.watson.org>
References: <26ddd1750705211537j78ed83fdm921f7f5e5df5c4@mail.gmail.com> <46522BE0.4080407@webanoide.org> <26ddd1750705211652q500f95a1t15280ca017ed46df@mail.gmail.com>
Reply-To: doug@safeport.com
List-Id: User questions

On Mon, 21 May 2007, Maxim Khitrov wrote:

> On 5/21/07, Mikhail Goriachev wrote:
>> Maxim Khitrov wrote:
>> > Hello,
>> >
>> > I'm trying to restrict access to sendmail via hosts.allow. Don't need
>> > a firewall, since I just want to block everyone but the localhost from
>> > sending e-mail out. Anyway, it seems that sendmail ignores these
>> > settings even though it was compiled with TCPWRAPPERS. I added
>> > "sendmail : all : deny" as the very first line in hosts.allow, just to
>> > see if it will let me connect from anywhere. It does - not just from
>> > localhost, but from all remote locations as well. I have no problems
>> > connecting and sending e-mail. Am I missing something?
>>
>> I followed your earlier thread (hopefully this is a related topic). This
>> is strange. By default, sendmail is disabled. You don't even have to put
>> anything into rc.conf:
>>
>> # grep sendmail /etc/defaults/rc.conf
>>
>> Sendmail listens and accepts local mail only. You can't connect to it
>> from another machine:
>>
>> # telnet some.host.tld 25
>> Trying 1.2.3.4...
>> telnet: connect to address 1.2.3.4: Connection refused
>> telnet: Unable to connect to remote host
>>
>> You must've tweaked something to make it behave differently.
>>
>> > I tested the same setup with sshd, and that works properly. After a
>> > quick search on google it seems that I'm not the only one with this
>> > problem, but I couldn't find any solution to this. Any help is greatly
>> > appreciated.
>>
>> Share with us your testing methodology. From previous thread, I
>> understand that you just want something to submit your local mail (from
>> daemons, scripts, etc). Then as others already said, a simple alias in
>> /etc/mail/aliases and executing newaliases is sufficient.
>
> Ok, so here's my current setup. I have sendmail_enable="NO" in rc.conf
> (same as not having it there I guess), I've modified /etc/mail/aliases
> to forward everything sent to root to my gmail account, and I added
> "sendmail : all : deny" as the first line to /etc/hosts.allow while
> I'm testing everything. Once I make sure that the deny rule works,
> I'll allow access to sendmail only from localhost. This is all on
> FreeBSD 6.2, but it's running in a jail, so that might have some
> effect.

sendmail_enable="NO" means there is no sendmail daemon running. You can
verify this via "ps -aux | grep sendmail". Remove that statement. Without
a reboot you can start sendmail by cd /etc/mail; make start.

Unless you have changed the freebsd.mc file and done a 'make install' I do
not believe sendmail will accept any connections except on 127.0.0.1
(localhost). This is what you want I think. If that's it, as others have
said, there is no reason to use the hosts.allow mechanism. This is
independent of the jail environment.

sockstat|grep sendmail and you can see what's going on.
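The point doug makes above is that a hosts.allow rule can only be exercised by a daemon that is actually listening on a non-loopback address, and that sockstat is the way to see which addresses a daemon is bound to. The following shell function is an added example, not code from the thread: it reads FreeBSD `sockstat -4l`-style output (columns USER, COMMAND, PID, FD, PROTO, LOCAL ADDRESS, FOREIGN ADDRESS) and reports any listener of a given command that is bound to something other than 127.0.0.1 or ::1. The sockstat sample embedded in it is constructed so the check runs offline; the function name and the sample are assumptions.

```shell
# Constructed sample of `sockstat -4l`-style output (not captured from a real
# host): sendmail bound to loopback only, sshd bound to all addresses.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1234  3  tcp4   127.0.0.1:25          *:*
root     sshd       567   4  tcp4   *:22                  *:*
root     sshd       567   5  tcp6   *:22                  *:*'

# nonloopback_listeners <command>
# Reads sockstat-formatted text on stdin and prints "<command> <local address>"
# for each listening socket of <command> whose local address is not loopback.
# Returns 0 when the daemon is loopback-only (or not listening at all) and 1
# when at least one non-loopback listener exists. A daemon in the first state
# is unreachable from other hosts, so a hosts.allow deny rule never fires.
nonloopback_listeners() {
    cmd="$1"
    awk -v cmd="$cmd" '
        NR == 1 { next }                    # skip the header line
        $2 == cmd {
            addr = $6
            sub(/:[^:]*$/, "", addr)        # strip the trailing ":port"
            if (addr != "127.0.0.1" && addr != "::1") {
                print $2, $6
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# On a live FreeBSD system the same check would be run as
#   sockstat -4l | nonloopback_listeners sendmail
# Against the constructed sample:
printf '%s\n' "$SAMPLE_SOCKSTAT" | nonloopback_listeners sendmail \
    && echo "sendmail: loopback only, hosts.allow rule never reached"
printf '%s\n' "$SAMPLE_SOCKSTAT" | nonloopback_listeners sshd \
    || echo "sshd: reachable from other hosts, hosts.allow applies"
```

The exit status, not just the printed lines, is what a monitoring script should act on: a zero status for sendmail confirms that the default FreeBSD configuration (127.0.0.1 only) is still in effect, and a non-zero status is the signal that something has changed and that the hosts.allow entry is now worth testing.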