Date: Tue, 22 May 2007 10:46:57 +1000
From: Mikhail Goriachev <mikhailg@webanoide.org>
To: Maxim Khitrov <mkhitrov@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Sendmail ignores hosts.allow
Message-ID: <46523D81.4050603@webanoide.org>
In-Reply-To: <26ddd1750705211652q500f95a1t15280ca017ed46df@mail.gmail.com>
References: <26ddd1750705211537j78ed83fdm921f7f5e5df5c4@mail.gmail.com> <46522BE0.4080407@webanoide.org> <26ddd1750705211652q500f95a1t15280ca017ed46df@mail.gmail.com>
Maxim Khitrov wrote:
> On 5/21/07, Mikhail Goriachev <mikhailg@webanoide.org> wrote:
>> Maxim Khitrov wrote:
>>> Hello,
>>>
>>> I'm trying to restrict access to sendmail via hosts.allow. Don't need
>>> a firewall, since I just want to block everyone but the localhost from
>>> sending e-mail out. Anyway, it seems that sendmail ignores these
>>> settings even though it was compiled with TCPWRAPPERS. I added
>>> "sendmail : all : deny" as the very first line in hosts.allow, just to
>>> see if it will let me connect from anywhere. It does - not just from
>>> localhost, but from all remote locations as well. I have no problems
>>> connecting and sending e-mail. Am I missing something?
>>
>> I followed your earlier thread (hopefully this is a related topic). This
>> is strange. By default, sendmail is disabled. You don't even have to put
>> anything into rc.conf:
>>
>> # grep sendmail /etc/defaults/rc.conf
>>
>> Sendmail listens and accepts local mail only. You can't connect to it
>> from another machine:
>>
>> # telnet some.host.tld 25
>> Trying 1.2.3.4...
>> telnet: connect to address 1.2.3.4: Connection refused
>> telnet: Unable to connect to remote host
>>
>> You must've tweaked something to make it behave differently.
>>
>>> I tested the same setup with sshd, and that works properly. After a
>>> quick search on google it seems that I'm not the only one with this
>>> problem, but I couldn't find any solution to this. Any help is greatly
>>> appreciated.
>>
>> Share with us your testing methodology. From the previous thread, I
>> understand that you just want something to submit your local mail (from
>> daemons, scripts, etc). Then as others already said, a simple alias in
>> /etc/mail/aliases and executing newaliases is sufficient.
>
> Ok, so here's my current setup. I have sendmail_enable="NO" in rc.conf
> (same as not having it there I guess), I've modified /etc/mail/aliases
> to forward everything sent to root to my gmail account, and I added
> "sendmail : all : deny" as the first line to /etc/hosts.allow while
> I'm testing everything. Once I make sure that the deny rule works,
> I'll allow access to sendmail only from localhost. This is all on
> FreeBSD 6.2, but it's running in a jail, so that might have some
> effect.
>
> From my previous thread, sendmail is used only to accept messages sent
> by processes running on the server, and send them to real e-mails
> specified in /etc/aliases. That part works. However, even though
> sendmail_enable is set to "NO" in rc.conf, sendmail still listens on
> port 25, accepts mail from remote hosts, and the hosts.allow rule
> doesn't seem to apply. Strange, isn't it? By the way, I just tried
> removing the sendmail_enable line from rc.conf completely and that had no
> effect.
>
> All I do for testing is basically start/restart sendmail, then telnet
> to the server from my workstation at home. I get a standard reply, and
> can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on.
> Relaying doesn't work, but sending to and all other aliases works fine
> (which in this case is bad).
>
> Think this might be some bug when sendmail is running in a jail? I
> haven't modified anything beyond what's mentioned in this e-mail, and
> I've checked all the settings. I can definitely connect to the server
> from remote hosts despite the rc.conf and hosts.allow configuration.

This is a different story now. On your host machine (as in the jails' host),
sendmail binds to localhost and never responds to the outside world. This is
expected. However, sendmail in a jail binds to the jail's IP address, and that
is why you can talk to it from outside.

Run this on your host:

# sockstat -4l | grep sendmail

The output should look like this:

root     sendmail   1624  4  tcp4   1.2.3.5:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.4:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.3:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.2:25            *:*
root     sendmail   1208  3  tcp4   127.0.0.1:25          *:*

The first four are jails. The last one is the host's sendmail being
"disabled".

I'd suggest using a firewall to protect your jails instead of trying to
completely disable sendmails.

Regards,
Mikhail.

--
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: mikhailg@webanoide.org
Web: www.webanoide.org
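The sockstat check Mikhail describes, turned into a small script that flags any sendmail listener not bound to 127.0.0.1. This is an added example, not code from the thread or from FreeBSD; the sockstat lines embedded below are constructed to mirror the layout shown above, and the function names are assumptions. On a real host you would pipe the live output of `sockstat -4l` into `exposed_sendmail_listeners` instead of the sample.

```shell
#!/bin/sh
# Added example: find sendmail sockets that listen on a non-loopback
# address (for instance a jail's IP), which is what makes the daemon
# reachable from other hosts even when the host's own copy is "disabled".

# Constructed sample in the format printed by `sockstat -4l` on FreeBSD.
# Column order: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1624  4  tcp4   1.2.3.5:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.4:25            *:*
root     sshd       1100  4  tcp4   *:22                  *:*
root     sendmail   1208  3  tcp4   127.0.0.1:25          *:*'

# exposed_sendmail_listeners (hypothetical name): read sockstat-style
# lines on stdin and print "PID LOCAL-ADDRESS" for every sendmail TCP
# socket whose local address is not loopback. The header line is
# skipped because its COMMAND column is the literal word "COMMAND".
exposed_sendmail_listeners() {
    awk '$2 == "sendmail" && $5 ~ /^tcp/ && $6 !~ /^127\.0\.0\.1:/ { print $3, $6 }'
}

# count_exposed (hypothetical name): number of exposed sendmail listeners.
# `tr` strips the leading spaces BSD `wc -l` prints.
count_exposed() {
    exposed_sendmail_listeners | wc -l | tr -d ' '
}

# Run against the constructed sample; on a live system use:
#   sockstat -4l | exposed_sendmail_listeners
printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_sendmail_listeners
```

Against the sample this lists the two jail listeners (1.2.3.5:25 and 1.2.3.4:25) and ignores both the host's 127.0.0.1:25 socket and the unrelated sshd line; a non-empty result is the signal that a firewall rule or a per-jail sendmail configuration is still needed.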