From: Doug Hardie <bc979@lafn.org>
Date: Tue, 22 May 2007 11:46:13 -0700
To: Maxim Khitrov
Cc: freebsd-questions@freebsd.org
Subject: Re: Sendmail ignores hosts.allow
Message-Id: <9355E7E0-1B92-40A1-BDB2-D17FD1815814@lafn.org>
In-Reply-To: <26ddd1750705221046m543c427ahf9c73878d14f6e2a@mail.gmail.com>

On May 22, 2007, at 10:46, Maxim Khitrov wrote:

> On 5/22/07, doug wrote:
>> On Tue, 22 May 2007, Maxim Khitrov wrote:
>>
>>> On 5/22/07, steveb@erienet.net wrote:
>>>> I suspect sendmail is reading /etc/hosts.allow
>>>>
>>>> # Start by allowing everything (this prevents the rest of the file
>>>> # from working, so remove it when you need protection).
>>>> # The rules here work on a "First match wins" basis.
>>>> #ALL : ALL : allow
>>>>
>>>> Did you comment out the above line?
>>>>
>>>> Steve
>>>
>>> Here's the entire file as it is right now:
>>>
>>> # Deny sendmail to all clients (temporary)
>>> sendmail : all : deny
>>>
>>> # Allow anything from localhost
>>> all : : allow
>>>
>>> # Process SSH deny rules
>>> sshd : /etc/hosts.evil : deny
>>>
>>> # Allow everything else
>>> all : all : allow
>>>
>>> Once I can get sendmail to block all connection requests, I'll move it
>>> below the second rule. That way, only local processes will be able to
>>> use it. For now, however, that rule is being ignored completely.
>>
>> The default configuration gives you what you want so I assume your goal is to
>> see if you can make hosts.allow work within a jail. In general there are
>> performance reasons not to use inetd to control ssh and sendmail. ssh under
>> inetd causes more key generation. Sendmail has its own controls which give you
>> the equivalent (or better) than can be done with inetd.
>>
>> I assume from an earlier post you are trying to make this work inside a jail. If
>> that's true you must also have in the jail rc.conf
>>
>> inetd_flags="-wW -a your-ip-address"
>>
>> I assume you have this or you would not have been able to control ssh. All that
>> said, I have only used inetd to control ftp/imap/pop3. It seems to me your
>> specific question is: does this work inside a jail and is any special setup
>> required to make it work with sendmail. Sorry I can not help more.
>>
>> Doug
>
> I'm not sure I understand what you mean... I'm not using inetd, and
> the default configuration doesn't block sendmail from all remote
> hosts. The ssh server is running all by itself, same as sendmail. The
> way I understand it is that as long as the server was compiled with
> tcp wrappers, it should follow the rules in hosts.allow.

tcp wrappers must be coded into the application. The call which actually checks the access permissions in the hosts.allow file is hosts_access() (see man hosts_access). Checking through the sendmail source for version 8.13.8, there are no calls to hosts_access in the source code. You will need to patch sendmail to make it do what you want. There might be patches at www.sendmail.org for that, but I doubt it. openssh's sshd.c is probably a good template to use.
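A small model of the first-match-wins walk that hosts_access() performs over hosts.allow, added here as an example and not code from the thread or from libwrap. It replays the file posted above (the localhost client address, which the message lost, is assumed to be 127.0.0.1, and /etc/hosts.evil is a constructed stand-in) to show that the sendmail deny rule as posted also shuts out local delivery, and what moving it below the localhost rule changes; none of it applies to a daemon that never calls hosts_access() in the first place.

```python
"""Simplified model of libwrap's hosts_access() matching, replaying the thread's file."""

# Constructed sample: the file as posted; the localhost client the message
# lost is filled in as 127.0.0.1 (an assumption).
HOSTS_ALLOW_AS_POSTED = """
sendmail : all : deny          # Deny sendmail to all clients (temporary)
all : 127.0.0.1 : allow        # Allow anything from localhost
sshd : /etc/hosts.evil : deny  # Process SSH deny rules
all : all : allow              # Allow everything else
"""
# The same rules with the sendmail deny moved below the localhost allow.
HOSTS_ALLOW_REORDERED = """
all : 127.0.0.1 : allow
sendmail : all : deny
sshd : /etc/hosts.evil : deny
all : all : allow
"""
# Constructed stand-in for the filesystem: files named by '/path' patterns.
FILES = {"/etc/hosts.evil": "203.0.113.7   # constructed\n198.51.100.\n"}

def parse_rules(text):
    """Return (daemon_patterns, client_patterns, action) per non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients, action = [f.split() for f in line.split(":", 2)]
            rules.append((daemons, clients, action[0].lower()))
    return rules

def pattern_match(pattern, value):
    """One hosts_access(5) pattern against a daemon name or client address."""
    p, v = pattern.lower(), value.lower()
    if p == "all":
        return True
    if p.startswith("/"):          # a file holding further patterns, one per line
        return any(pattern_match(tok, value) for ln in FILES.get(pattern, "").splitlines()
                   for tok in ln.split("#", 1)[0].split())
    if p.endswith("."):            # address prefix such as 198.51.100.
        return v.startswith(p)
    return p == v                  # exact host name or address

def hosts_access(rules, daemon, client):
    """First rule whose daemon and client lists both match decides;
    no match at all grants access, which is libwrap's default."""
    for daemons, clients, action in rules:
        if any(pattern_match(d, daemon) for d in daemons) and \
           any(pattern_match(c, client) for c in clients):
            return action == "allow"
    return True
```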