From: "Maxim Khitrov"
To: freebsd-questions@freebsd.org
Date: Tue, 22 May 2007 16:21:49 -0400
Subject: Re: Sendmail ignores hosts.allow

On 5/22/07, Rob wrote:
> Doug Hardie wrote:
> > On May 22, 2007, at 10:46, Maxim Khitrov wrote:
> >>> > # Deny sendmail to all clients (temporary)
> >>> > sendmail : all : deny
> >
> > tcp wrappers must be coded into the application. The call which
> > actually checks the access permissions in the hosts.allow file is
> > hosts_access() (see man hosts_access). Checking through the sendmail
>
> I have to disagree with that. I run unmodified 8.13.8 on 6.2, and it DOES respect hosts.allow. Just not in the way you might assume.
>
> I can telnet to port 25, it allows connections from *anywhere*, and will respond to a HELO. It's not until I give it a "mail to:" that it protests with "550 5.0.0 Access denied". I use "FEATURE(delay_checks)" in the cf file, which may have some effect on this.
>
> The log file shows:
> May 22 14:56:47 cartman sm-mta[74026]: l4MIullh074026: tcpwrappers (unknown, 192.31.130.140) rejection
>
> The actual options & version look like:
> $ sendmail -bp -d0.1
> Version 8.13.8
>  Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
>                 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SCANF
>                 STARTTLS TCPWRAPPERS USERDB XDEBUG
> $ uname -rms
> FreeBSD 6.2-RELEASE i386
>
>
> -RW

You know, I could have sworn that I checked actually sending the message through telnet yesterday with the deny rule in place.
You're right though, it fails right after I give it the mail from command. Guess I didn't keep good track of what I was checking each time.

Do you know if there is a reason they chose to do it this way? Accept the connection, but don't allow the client to do anything with it?

I didn't find FEATURE(delay_checks) in any of my cf files, so I think it's something else.

Well, at any rate, thanks for your help.

- Max
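
Since the connection to port 25 is accepted and the denial only appears later in the SMTP dialogue, the sm-mta log line quoted above is where each hosts.allow rejection is recorded. The following is an added example, not part of the original message: a Python script that tallies those "tcpwrappers ... rejection" lines per client address. Only the first sample line comes from the thread; the other log lines, queue IDs and the function names are constructed for illustration.

```python
import re
from collections import OrderedDict

# Line layout taken from the sm-mta log excerpt quoted in the message above.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
    r"sm-mta\[(?P<pid>\d+)\]:\s+(?P<qid>\w+):\s+"
    r"tcpwrappers \((?P<name>[^,]*),\s*(?P<ip>[^)]+)\) rejection\s*$"
)

# Constructed sample: line 1 is the one from the thread; the rest are made up
# (documentation address ranges, invented queue IDs).
SAMPLE_LOG = """\
May 22 14:56:47 cartman sm-mta[74026]: l4MIullh074026: tcpwrappers (unknown, 192.31.130.140) rejection
May 22 14:57:02 cartman sm-mta[74031]: l4MIv2aa074031: from=<a@example.org>, size=512, nrcpts=1, relay=mx.example.org [198.51.100.7]
May 22 15:03:10 cartman sm-mta[74050]: l4MJ3AbB074050: tcpwrappers (host.example.net, 203.0.113.9) rejection
May 22 15:04:41 cartman sm-mta[74058]: l4MJ4fcC074058: tcpwrappers (unknown, 192.31.130.140) rejection
"""


def wrapper_rejections(lines):
    """Yield one dict per tcpwrappers rejection line; skip everything else."""
    for line in lines:
        m = REJECT_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def summarize(lines):
    """Map client IP -> count, reported names, first and last timestamp."""
    summary = OrderedDict()  # keeps IPs in order of first appearance
    for hit in wrapper_rejections(lines):
        entry = summary.setdefault(
            hit["ip"],
            {"count": 0, "names": set(), "first": hit["ts"], "last": hit["ts"]},
        )
        entry["count"] += 1
        entry["names"].add(hit["name"])
        entry["last"] = hit["ts"]
    return summary


if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:15} {e['count']:3}  {e['first']} .. {e['last']}  {sorted(e['names'])}")
```

To run it against a real log, pass an open file object to summarize() in place of the sample lines.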