From: "Maxim Khitrov" <mkhitrov@gmail.com>
To: freebsd-questions@freebsd.org
Date: Mon, 21 May 2007 21:14:20 -0400
Subject: Re: Sendmail ignores hosts.allow
Message-ID: <26ddd1750705211814p71597e9nb18005349f222c84@mail.gmail.com>
In-Reply-To: <46523D81.4050603@webanoide.org>
References: <26ddd1750705211537j78ed83fdm921f7f5e5df5c4@mail.gmail.com> <46522BE0.4080407@webanoide.org> <26ddd1750705211652q500f95a1t15280ca017ed46df@mail.gmail.com> <46523D81.4050603@webanoide.org>

On 5/21/07, Mikhail Goriachev wrote:
> Maxim Khitrov wrote:
> > On 5/21/07, Mikhail Goriachev wrote:
> >> Maxim Khitrov wrote:
> >>> Hello,
> >>>
> >>> I'm trying to restrict access to sendmail via hosts.allow. Don't need
> >>> a firewall, since I just want to block everyone but the localhost from
> >>> sending e-mail out. Anyway, it seems that sendmail ignores these
> >>> settings even though it was compiled with TCPWRAPPERS. I added
> >>> "sendmail : all : deny" as the very first line in hosts.allow, just to
> >>> see if it will let me connect from anywhere. It does - not just from
> >>> localhost, but from all remote locations as well. I have no problems
> >>> connecting and sending e-mail. Am I missing something?
> >> I followed your earlier thread (hopefully this is a related topic). This
> >> is strange. By default, sendmail is disabled. You don't even have to put
> >> anything into rc.conf:
> >>
> >> # grep sendmail /etc/defaults/rc.conf
> >>
> >> Sendmail listens and accepts local mail only. You can't connect to it
> >> from another machine:
> >>
> >> # telnet some.host.tld 25
> >> Trying 1.2.3.4...
> >> telnet: connect to address 1.2.3.4: Connection refused
> >> telnet: Unable to connect to remote host
> >>
> >> You must've tweaked something to make it behave differently.
> >>
> >>> I tested the same setup with sshd, and that works properly. After a
> >>> quick search on google it seems that I'm not the only one with this
> >>> problem, but I couldn't find any solution to this. Any help is greatly
> >>> appreciated.
> >> Share with us your testing methodology. From the previous thread, I
> >> understand that you just want something to submit your local mail (from
> >> daemons, scripts, etc). Then, as others already said, a simple alias in
> >> /etc/mail/aliases and executing newaliases is sufficient.
> >
> > Ok, so here's my current setup. I have sendmail_enable="NO" in rc.conf
> > (same as not having it there, I guess), I've modified /etc/mail/aliases
> > to forward everything sent to root to my gmail account, and I added
> > "sendmail : all : deny" as the first line to /etc/hosts.allow while
> > I'm testing everything. Once I make sure that the deny rule works,
> > I'll allow access to sendmail only from localhost. This is all on
> > FreeBSD 6.2, but it's running in a jail, so that might have some
> > effect.
> >
> > From my previous thread, sendmail is used only to accept messages sent
> > by processes running on the server, and send them to real e-mails
> > specified in /etc/aliases. That part works. However, even though
> > sendmail_enable is set to "NO" in rc.conf, sendmail still listens on
> > port 25, accepts mail from remote hosts, and the hosts.allow rule
> > doesn't seem to apply. Strange, isn't it? By the way, I just tried
> > removing the sendmail_enable line from rc.conf completely and that had no
> > effect.
> >
> > All I do for testing is basically start/restart sendmail, then telnet
> > to the server from my workstation at home. I get a standard reply, and
> > can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on.
> > Relaying doesn't work, but sending to and all other aliases works fine
> > (which in this case is bad).
> >
> > Think this might be some bug when sendmail is running in a jail? I
> > haven't modified anything beyond what's mentioned in this e-mail, and
> > I've checked all the settings. I can definitely connect to the server
> > from remote hosts despite the rc.conf and hosts.allow configuration.
>
> This is a different story now. On your host machine (as in the jails' host),
> sendmail binds to localhost and never responds to the outside world. This is
> expected. However, sendmail in a jail binds to the jail's IP address, and
> that is why you can talk to it from outside.
>
> Run this on your host:
>
> # sockstat -4l | grep sendmail
>
> The output should look like this:
>
> root sendmail 1624 4 tcp4 1.2.3.5:25 *:*
> root sendmail 1624 4 tcp4 1.2.3.4:25 *:*
> root sendmail 1624 4 tcp4 1.2.3.3:25 *:*
> root sendmail 1624 4 tcp4 1.2.3.2:25 *:*
> root sendmail 1208 3 tcp4 127.0.0.1:25 *:*
>
> The first four are jails. The last one is the host's sendmail being "disabled".
>
> I'd suggest using a firewall to protect your jails instead of trying to
> completely disable sendmails.

I can't run that on my host, because I only have access to the jail (I'm
paying for a VPS server with another host). That makes sense, though; I
had a feeling that it was jail-related. But what about the hosts.allow
problem? I can run a firewall, of course, but hosts.allow seems like a
more efficient way of doing the same thing. I've already got it
configured and working with sshd, so I see no reason why sendmail
doesn't want to work the same way.

- Max
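The sockstat listing quoted in the reply above is the check that settles the jail question: what matters is the address the daemon actually bound to, not what rc.conf says. The following is an added example, not code from the thread or from FreeBSD: a small POSIX shell filter that takes `sockstat -4l` output and prints only the listeners of one command that are bound to something other than the loopback address, i.e. the sockets reachable from off the box. It is fed a constructed sample built from the five sendmail lines quoted in the reply plus one made-up sshd line; the function and variable names (`exposed_listeners`, `count_exposed`, `SAMPLE_SOCKSTAT`) are mine and assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread or from FreeBSD).
# Given `sockstat -4l` output, list the listening sockets of one command
# that are NOT bound to the loopback address, i.e. reachable from outside.

# Constructed sample: the five sendmail lines quoted in the reply plus one
# hypothetical sshd line bound to all addresses. Column order follows
# sockstat: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1624  4  tcp4   1.2.3.5:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.4:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.3:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.2:25            *:*
root     sendmail   1208  3  tcp4   127.0.0.1:25          *:*
root     sshd       900   4  tcp4   *:22                  *:*'

# exposed_listeners CMD [FILE]
#   Print "PID LOCAL-ADDRESS" for every listener whose COMMAND column equals
#   CMD and whose local address is not 127.0.0.1. A bare "*" (bound to all
#   addresses) counts as exposed. Reads sockstat output from FILE, or from
#   stdin when FILE is omitted.
exposed_listeners() {
    cmd=$1
    awk -v cmd="$cmd" '
        NR > 1 && $2 == cmd {
            split($6, a, ":")            # a[1] = address, a[2] = port
            if (a[1] != "127.0.0.1")
                print $3, $6
        }' "${2:--}"
}

# count_exposed CMD
#   Number of non-loopback listeners for CMD in the constructed sample.
count_exposed() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the sample: prints the four jail sendmail sockets and
# leaves out the host's 127.0.0.1:25 listener.
printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners sendmail
```

On a live FreeBSD system the same filter is run as `sockstat -4l | exposed_listeners sendmail`, inside the jail if that is all you can reach. In a jail of the FreeBSD 6.x kind, which has no network stack of its own, a bind to 127.0.0.1 is rewritten to the jail's IP address, so a sendmail started "localhost only" by the rc script still appears on the jail's address, which is exactly the situation the reply describes.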