Date: Mon, 06 Jan 1997 20:04:41 +1100
From: Giles Lean <giles@nemeton.com.au>
To: Jimbo Bahooli <moke@fools.ecpnet.com>
Cc: freebsd-security@freebsd.org
Subject: Re: sendmail....tricks...
Message-ID: <199701060904.UAA00711@nemeton.com.au>
In-Reply-To: <Pine.BSF.3.95.970105182549.18011A-100000@fools.ecpnet.com>

On Sun, 5 Jan 1997 18:47:29 -0600 (CST) Jimbo Bahooli wrote:

> The first idea, which I have successfully accomplished, is logging and
> access control via tcp wrappers.

Interesting; I think I'd go about it differently:

Since sendmail currently supports using libwrap from Wietse Venema's
tcp_wrappers distribution, this could be used to block non-local
access to sendmail.

With remote access to sendmail blocked it can use a non-standard port
and smap/smapd from the TIS firewall toolkit could be used to talk to
strangers.

(Alternative to libwrap is one of the in-kernel firewalling solutions,
but I don't think these log as well as application level checking, and
must lose at least a little in performance for ordinary traffic.)

Access control isn't a lot of use for SMTP, anyway. Remember that a
single SMTP connection can transfer multiple independent items of
mail. (The latest sendmail caches connections, too, making the multiple
items per connection much more likely.)

Worse than cached connections is the store and forward nature of
Internet mail. You can block access to port 25 from my site, but all
my mail goes via my ISP. If you block access from my ISP, you lose
connectivity to all their clients, and they're about the largest ISP
in Australia. Whoops!?

Giles
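
The store-and-forward point in the message above, as an added example that is not part of the original e-mail: a small model of a peer-address ACL (the only thing a wrapper-style check sees) applied to SMTP sessions that each carry several messages. All addresses and traffic are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), not from the original message.
BLOCKED_SITE = ipaddress.ip_network("192.0.2.0/24")  # site the admin wants to refuse
ISP_RELAY = "198.51.100.25"                          # that site's ISP mail relay

def peer_allowed(peer, deny_nets):
    """Connection-level check: a wrapper-style ACL only sees the peer address."""
    addr = ipaddress.ip_address(peer)
    return not any(addr in net for net in deny_nets)

def accepted_mail(connections, deny_nets):
    """Return (origin, peer) for every message accepted under the ACL.

    Each connection is (peer_ip, [origin_ip, ...]): one SMTP session may carry
    several independent messages, each with its own true origin.
    """
    accepted = []
    for peer, origins in connections:
        if peer_allowed(peer, deny_nets):
            accepted.extend((origin, peer) for origin in origins)
    return accepted

def leaked(accepted, blocked_net):
    """Messages that originated in the blocked network but were accepted anyway."""
    return [m for m in accepted if ipaddress.ip_address(m[0]) in blocked_net]

# Constructed traffic: one direct connection from the blocked site, and one
# cached relay session carrying mail from that site plus two other customers.
CONNECTIONS = [
    ("192.0.2.10", ["192.0.2.10"]),
    (ISP_RELAY, ["192.0.2.10", "203.0.113.5", "203.0.113.77"]),
]

def scenario_block_site():
    """Deny only the unwanted site: its mail still arrives via the relay."""
    return accepted_mail(CONNECTIONS, [BLOCKED_SITE])

def scenario_block_isp():
    """Deny the relay as well: every customer behind it is cut off too."""
    isp_net = ipaddress.ip_network(ISP_RELAY + "/32")
    return accepted_mail(CONNECTIONS, [BLOCKED_SITE, isp_net])

if __name__ == "__main__":
    a = scenario_block_site()
    print("block site only: accepted", len(a), "leaked", len(leaked(a, BLOCKED_SITE)))
    b = scenario_block_isp()
    print("block site and relay: accepted", len(b))
```
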