Date: Tue, 22 May 2007 17:48:58 -0500 (CDT)
From: Scott Bennett <bennett@cs.niu.edu>
To: mkhitrov@gmail.com
Cc: steveb@erienet.net, freebsd-questions@freebsd.org
Subject: Re: Sendmail ignores hosts.allow
Message-ID: <200705222248.l4MMmwYZ023913@mp.cs.niu.edu>
On Tue, 22 May 2007 11:37:24 -0400 "Maxim Khitrov" <mkhitrov@gmail.com> wrote:

>On 5/22/07, steveb@erienet.net <steveb@erienet.net> wrote:
>> I suspect sendmail is reading /etc/hosts.allow

     Why would anyone expect that?  /etc/hosts.allow is one of the control
files for the TCP wrapper program, tcpd.  (See "man tcpd".)

>>
>> # Start by allowing everything (this prevents the rest of the file
>> # from working, so remove it when you need protection).
>> # The rules here work on a "First match wins" basis.
>> #ALL : ALL : allow
>>
>> Did you comment out the above line?
>>
>> Steve
>
>Here's the entire file as it is right now:
>
># Deny sendmail to all clients (temporary)
>sendmail : all : deny
>
># Allow anything from localhost
>all : <local ip> : allow
>
># Process SSH deny rules
>sshd : /etc/hosts.evil : deny
>
># Allow everything else
>all : all : allow
>
>Once I can get sendmail to block all connection requests, I'll move it
>below the second rule. That way, only local processes will be able to
>use it. For now, however, that rule is being ignored completely.
>

     Okay.  First off, as noted above, /etc/hosts.{allow,deny} are not
sendmail(8) control files.  They are tcpd(8) control files.

     Secondly, tcpd is normally interposed between inetd(8), which has
essentially no built-in means of deciding whether to accept or reject TCP
connections based upon the source address of the connection request.
Instead of listing a particular program in /etc/inetd.conf as the program
to run to service an incoming connection on a particular port, one lists
the tcpd program and provides *it* the path of the desired service program.
tcpd then looks at /etc/hosts.{allow,deny} to determine whether to close
the connection or to pass it along to the service program.

     Third, it is possible to run sendmail in non-daemon mode.  If one does
not wish to tie up kernel resources to keep a sendmail process in the
system all the time, for example, one can list sendmail in /etc/inetd.conf
for the SMTP port (25), so that an inbound connection will result in
inetd(8) forking off a sendmail process to handle it.  (See "man sendmail",
and try "/usr/sbin/sendmail -bm" IIRC.)  It is in this setup *only* that
the /etc/hosts.{allow,deny} files should have any effect whatsoever upon
whether incoming connections are handled by sendmail.  N.B. even in this
case, it is tcpd reading those files and making the decisions, *not*
sendmail.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
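Added illustration, not code from the thread or from tcpd(8) itself: a small Python model of the "first match wins" evaluation that the wrapper applies to the hosts.allow file Maxim quoted, run both in the posted order and in the order he says he intends (localhost rule first). It assumes 127.0.0.1 for the redacted "<local ip>", a constructed /etc/hosts.evil, and only the subset of tcpd client-pattern syntax needed here (ALL, exact address, dotted prefix, net/mask, and a file of patterns); hostnames, KNOWN/PARANOID and hosts.deny are not modelled.

```python
import ipaddress

# Constructed stand-in for /etc/hosts.evil; the thread never shows its contents
FILES = {"/etc/hosts.evil": "203.0.113.0/24\n198.51.100.7\n"}

# The file as posted, with the poster's "<local ip>" placeholder replaced by
# a constructed 127.0.0.1 so the example can run
HOSTS_ALLOW_AS_POSTED = """\
# Deny sendmail to all clients (temporary)
sendmail : all : deny

# Allow anything from localhost
all : 127.0.0.1 : allow

# Process SSH deny rules
sshd : /etc/hosts.evil : deny

# Allow everything else
all : all : allow
"""

# The ordering the poster says he intends once the deny rule takes effect:
# localhost first, then the sendmail deny, so only local clients reach it
HOSTS_ALLOW_REORDERED = """\
all : 127.0.0.1 : allow
sendmail : all : deny
sshd : /etc/hosts.evil : deny
all : all : allow
"""


def parse_rules(text):
    """Turn hosts.allow text into (daemon, client_pattern, action) triples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 3:
            raise ValueError("malformed rule: %r" % raw)
        daemon, client, option = fields
        # only the first word of the option field matters here (allow/deny)
        rules.append((daemon.lower(), client, option.split()[0].lower()))
    return rules


def client_matches(pattern, addr, files=FILES):
    """Match one client pattern against a source address (subset of tcpd rules)."""
    if pattern.lower() == "all":
        return True
    if pattern.startswith("/"):                  # list of patterns read from a file
        return any(client_matches(p, addr, files) for p in files[pattern].split())
    if "/" in pattern:                           # net/mask or CIDR form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                    # dotted prefix such as 192.168.
        return addr.startswith(pattern)
    return addr == pattern                       # exact address


def decide(rules, daemon, addr, files=FILES):
    """First matching rule wins; with no match at all the connection is allowed."""
    for rule_daemon, pattern, action in rules:
        if rule_daemon in ("all", daemon.lower()) and client_matches(pattern, addr, files):
            return action
    return "allow"


if __name__ == "__main__":
    posted = parse_rules(HOSTS_ALLOW_AS_POSTED)
    reordered = parse_rules(HOSTS_ALLOW_REORDERED)
    for label, rules in (("as posted", posted), ("reordered", reordered)):
        for daemon, addr in (("sendmail", "127.0.0.1"), ("sendmail", "192.0.2.10"),
                             ("sshd", "203.0.113.5"), ("sshd", "192.0.2.10")):
            print("%-10s %-9s from %-12s -> %s"
                  % (label, daemon, addr, decide(rules, daemon, addr)))
```

In the posted order the first rule matches every sendmail connection, localhost included, so once the wrapper is actually in the path nothing reaches sendmail; in the reordered file the localhost rule wins first and only remote sendmail clients are refused. The model only shows what the file would do if tcpd evaluated it, which is Scott's point: a sendmail daemon that binds port 25 itself never consults these rules.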