From: Giles Lean
To: Jimbo Bahooli
cc: freebsd-security@freebsd.org
Subject: Re: sendmail....tricks...
Date: Mon, 06 Jan 1997 20:04:41 +1100
Message-Id: <199701060904.UAA00711@nemeton.com.au>

On Sun, 5 Jan 1997 18:47:29 -0600 (CST) Jimbo Bahooli wrote:

> The first idea, which I have successfully accomplished, is logging and
> access control via tcp wrappers.

Interesting; I think I'd go about it differently:

Since sendmail currently supports using libwrap from Wietse Venema's tcp_wrappers distribution, this could be used to block non-local access to sendmail. With remote access to sendmail blocked it can use a non-standard port, and smap/smapd from the TIS firewall toolkit could be used to talk to strangers.

(An alternative to libwrap is one of the in-kernel firewalling solutions, but I don't think these log as well as application level checking, and they must lose at least a little in performance for ordinary traffic.)

Access control isn't a lot of use for SMTP, anyway. Remember that a single SMTP connection can transfer multiple independent items of mail. (The latest sendmail caches connections, too, making multiple items per connection much more likely.)

Worse than cached connections is the store and forward nature of Internet mail. You can block access to port 25 from my site, but all my mail goes via my ISP. If you block access from my ISP, you lose connectivity to all their clients, and they're about the largest ISP in Australia. Whoops!?

Giles
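The libwrap arrangement described above, as an added example that is not part of the original message: a hosts_access(5) configuration that admits only the local host and local network to a TCPWRAPPERS-built sendmail and logs every other attempt. The daemon name `sendmail`, the 192.0.2.0/24 network, the mail.notice syslog priority and a tcp_wrappers built with the extended option syntax are all assumptions.

```text
# /etc/hosts.allow -- constructed example, not taken from the original message.
# Assumes sendmail compiled with -DTCPWRAPPERS (it then consults libwrap under
# the daemon name "sendmail") and tcp_wrappers built with the extended
# hosts_options(5) syntax. Rules are checked top to bottom; first match wins.

# Local host and the constructed local network 192.0.2.0/24 may talk to this
# sendmail directly (it now listens on a non-standard port; smap on port 25
# handles strangers and is outside the scope of this file).
sendmail: 127.0.0.1 192.0.2.0/255.255.255.0 : ALLOW

# Everyone else is refused, and the refusal is logged at mail.notice so the
# application-level check provides the audit trail the message asks for.
sendmail: ALL : severity mail.notice : DENY

# Caveat from the message: with store-and-forward mail the client address seen
# here is the relaying MTA (e.g. the ISP's), not the originating site, so this
# check cannot discriminate between the relay's many customers.
```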