On May 22, 2007, at 10:46, Maxim Khitrov wrote:
On 5/22/07, doug <[EMAIL PROTECTED]> wrote:
On Tue, 22 May 2007, Maxim Khitrov wrote:
> On 5/22/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> I suspect sendmail is reading /etc/hosts.allow
>> # Start by allowing everything (this prevents the rest of the file
>> # from working, so remove it when you need protection).
>> # The rules here work on a "First match wins" basis.
>> #ALL : ALL : allow
>> Did you comment out the above line?
> Here's the entire file as it is right now:
> # Deny sendmail to all clients (temporary)
> sendmail : all : deny
> # Allow anything from localhost
> all : <local ip> : allow
> # Process SSH deny rules
> sshd : /etc/hosts.evil : deny
> # Allow everything else
> all : all : allow
> Once I can get sendmail to block all connection requests, I'll
> below the second rule. That way, only local processes will be
> use it. For now, however, that rule is being ignored completely.
The default configuration gives you what you want so I assume your
goal is to
see if you can make hosts.allow work within a jail. In general
performance reasons not to use inetd to control ssh and sendmail.
inetd causes more key generation. Sendmail has its own controls
which give you
the equivalent (or better) than can be done with inetd.
I assume from an earlier post you are trying to make this work
inside a jail. If
that's true you must also have in the jail rc.conf
inetd_flags="-wW -a your-ip-address"
I assume you have this or you would not have been able to control
ssh. All that
said, I have only used inetd to control ftp/imap/pop3. It seems to
specific question is: does this work inside a jail and is any
required to make it work with sendmail. Sorry I can not help more.
I'm not sure I understand what you mean... I'm not using inetd, and
the default configuration doesn't block sendmail from all remote
hosts. The ssh server is running all by itself, same as sendmail. The
way I understand it is that as long as the server was compiled with
tcp wrappers, it should follow the rules in hosts.allow.
tcp wrappers must be coded into the application. The call which
actually checks the access permissions in the hosts.allow file is
hosts_access() (see man hosts_access). Checking through the sendmail
source for version 8.13.8, there are no calls to hosts_access in the
source code. You will need to patch sendmail to make it do what you
want. There might be patches at www.sendmail.org for that, but I
doubt it. openssh's sshd.c is probably a good template to use.
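As an added example (not code from the thread or from tcp wrappers itself), here is a simplified evaluation of the hosts.allow file posted above, showing which rule a wrapper-aware daemon would hit under "first match wins". The address standing in for `<local ip>` and the contents of /etc/hosts.evil are constructed. Only the `daemon : client : allow|deny` form with `ALL`, pattern files, `n.n.n.` prefixes and exact matches is handled, and it only applies to a daemon that actually consults the file.

```python
import re

# Rules as posted in the thread; "<local ip>" is replaced by a constructed
# documentation address and the contents of /etc/hosts.evil are constructed.
HOSTS_ALLOW = """\
# Deny sendmail to all clients (temporary)
sendmail : all : deny
# Allow anything from localhost
all : 192.0.2.10 : allow
# Process SSH deny rules
sshd : /etc/hosts.evil : deny
# Allow everything else
all : all : allow
"""
PATTERN_FILES = {"/etc/hosts.evil": ["203.0.113.7", "198.51.100."]}


def parse_rules(text):
    """Return [(daemons, clients, action)] for 'daemons : clients : allow|deny'."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[2].lower() not in ("allow", "deny"):
            raise ValueError(f"unsupported rule: {raw!r}")
        daemons, clients = (re.split(r"[,\s]+", f) for f in fields[:2])
        rules.append((daemons, clients, fields[2].lower()))
    return rules


def matches(pattern, value, files):
    """Simplified pattern match: ALL, pattern file, 'n.n.n.' prefix, or exact."""
    if pattern.upper() == "ALL":
        return True
    if pattern.startswith("/"):
        return any(matches(p, value, files) for p in files.get(pattern, []))
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern.lower() == value.lower()


def decide(rules, daemon, client, files=PATTERN_FILES):
    """First matching rule wins; returns (action, rule_number)."""
    for number, (daemons, clients, action) in enumerate(rules, 1):
        if any(matches(d, daemon, {}) for d in daemons) and \
           any(matches(c, client, files) for c in clients):
            return action, number
    return "allow", None  # no rule in this file matched


RULES = parse_rules(HOSTS_ALLOW)
```

With the rules in this order, `decide(RULES, "sendmail", "192.0.2.10")` is decided by rule 1, so the local address is denied for sendmail as well.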