On 5/21/07, Mikhail Goriachev <[EMAIL PROTECTED]> wrote:
Maxim Khitrov wrote:
> On 5/21/07, Mikhail Goriachev <[EMAIL PROTECTED]> wrote:
>> Maxim Khitrov wrote:
>>> I'm trying to restrict access to sendmail via hosts.allow. Don't need
>>> a firewall, since I just want to block everyone but the localhost from
>>> sending e-mail out. Anyway, it seems that sendmail ignores these
>>> settings even though it was compiled with TCPWRAPPERS. I added
>>> "sendmail : all : deny" as the very first line in hosts.allow, just to
>>> see if it will let me connect from anywhere. It does - not just from
>>> localhost, but from all remote locations as well. I have no problems
>>> connecting and sending e-mail. Am I missing something?
>> I followed your earlier thread (hopefully this is a related topic). This
>> is strange. By default, sendmail is disabled. You don't even have to put
>> anything into rc.conf:
>> # grep sendmail /etc/defaults/rc.conf
>> Sendmail listens and accepts local mail only. You can't connect to it
>> from another machine:
>> # telnet some.host.tld 25
>> Trying 188.8.131.52...
>> telnet: connect to address 184.108.40.206: Connection refused
>> telnet: Unable to connect to remote host
>> You must've tweaked something to make it behave differently.
>>> I tested the same setup with sshd, and that works properly. After a
>>> quick search on google it seems that I'm not the only one with this
>>> problem, but I couldn't find any solution to this. Any help is greatly
>> Share with us your testing methodology. From previous thread, I
>> understand that you just want something to submit your local mail (from
>> daemons, scripts, etc). Then as others already said, a simple alias in
>> /etc/mail/aliases and executing newaliases is sufficient.
> Ok, so here's my current setup. I have sendmail_enable="NO" in rc.conf
> (same as not having it there I guess), I've modified /etc/mail/aliases
> to forward everything sent to root to my gmail account, and I added
> "sendmail : all : deny" as the first line to /etc/hosts.allow while
> I'm testing everything. Once I make sure that the deny rule works,
> I'll allow access to sendmail only from localhost. This is all on
> FreeBSD 6.2, but it's running in a jail, so that might have some
>>From my previous thread, sendmail is used only to accept messages sent
> by processes running on the server, and send them to real e-mails
> specified in /etc/aliases. That part works. However, even though
> sendmail_enable is set to "NO" in rc.conf, sendmail still listens on
> port 25, accepts mail from remote hosts, and the hosts.allow rule
> doesn't seem to apply. Strange, isn't it? By the way, I just tried
> removing sendmail_enable line from rc.conf completely and that had no
> All I do for testing is basically start/restart sendmail, then telnet
> to the server from my workstation at home. I get a standard reply, and
> can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on.
> Relaying doesn't work, but sending to and all other aliases works fine
> (which in this case is bad).
> Think this might be some bug when sendmail is running in a jail? I
> haven't modified anything beyond what's mentioned in this e-mail, and
> I've checked all the settings. I can definitely connect to the server
> from remote hosts despite the rc.conf and hosts.allow configuration.
This is a different story now. On your host machine (as in jails' host),
sendmail binds to localhost and never responds to outside world. This is
expected. However, sendmail in a jail, binds to jail's IP address and
that is why you can talk to it from outside.
Run this on your host:
# sockstat -4l | grep sendmail
The output should look like this:
root sendmail 1624 4 tcp4 220.127.116.11:25 *:*
root sendmail 1624 4 tcp4 18.104.22.168:25 *:*
root sendmail 1624 4 tcp4 22.214.171.124:25 *:*
root sendmail 1624 4 tcp4 126.96.36.199:25 *:*
root sendmail 1208 3 tcp4 127.0.0.1:25 *:*
The first four are jails. The last one is host's sendmail being "disabled".
I'd suggest using a firewall to protect your jails instead of trying to
completely disable sendmails.
I cna't run that on my host, because I only have access to the jail
(I'm paying for a vps server with another host). That makes sense
however, I had a feeling that it was jail-related. But what about the
hosts.allow problem? I can run a firewall, of course, but hosts.allow
seems like a more efficient way of doing the same thing. I've already
got it configured and working with sshd, so I see no reason why
sendmail doesn't want to work the same way.
firstname.lastname@example.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"