Re: Sendmail IP interface assignment -- how to?
On 2007-10-04 10:32, Rob <[EMAIL PROTECTED]> wrote:
>Matthew Seaman wrote:
>> You also need:
>>    FEATURE(no_default_msa)
>> otherwise, you're definitely heading in the right direction.
>
> Thanks, Matthew! That was the piece I was missing. I tried my
> Daemon_Options above, but found out its presence does not disable the
> default config to listen on all interfaces. I got it working by
> directly editing the .cf, but your trick does it from the macro
> config.
>
> The final result ended up as:
> FEATURE(no_default_msa)dnl # turn off MSA on all ports; only use what's in Daemon_Options
> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1,Name=MTA')
> DAEMON_OPTIONS(`Port=smtp,Addr=172.23.23.10,Name=MTA')
> DAEMON_OPTIONS(`Port=2525,Addr=172.23.23.10,Name=MTA')dnl # smtp on alt port
> DAEMON_OPTIONS(`Port=587,Addr=127.0.0.1,Name=MSA,M=E')
>
> Once I knew the right keywords to google, I found this article that might
> be of use to others: "Five Tips for a Better sendmail Configuration"
> http://www.onlamp.com/pub/a/onlamp/2004/01/15/sendmail.html?page=1

Interesting bit of online posting, but watch out for misinformation or
even outdated information though. The article may seem useful for
`no_default_msa', but it also contains a wealth of bogus stuff like:

    "There are good reasons to compile your own copy of sendmail
    instead of using the copy provided to you as part of your Unix
    distribution. First, the copy of sendmail included in your Unix
    distribution is probably grossly out of date. sendmail changes
    frequently, and some of these changes provide critical security
    fixes. Sticking with an outdated copy of sendmail is just asking
    for trouble."

In the case of FreeBSD, this is usually wrong, and bad advice. We have
a pretty active Sendmail maintainer, Gregory Shapiro, who is also part
of the Sendmail development team. Whenever a new release of Sendmail is
out, Mr. Shapiro updates the Sendmail version of FreeBSD-CURRENT and
after a reasonable amount of testing (usually a few days, to make sure
nothing was broken) "backports" the upgraded version to FreeBSD-STABLE.

The quoted paragraph may be true for a semi-random Linux distribution,
but this is FreeBSD; we don't usually do stuff by "manually compiling
and merrily hacking away at whatever we fancied this afternoon" :-)

Just $0.02 of a long-time Sendmail fan,

- Giorgos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Sendmail IP interface assignment -- how to?
Matthew Seaman wrote:
> Rob wrote:
>> That closed port 25 on the extra NIC, but netstat still shows "tcp4
>> *.submission LISTEN". I definitely need to close port 587 in the 2nd
>> NIC, but I was wondering about "best practices" for this. Shouldn't the
>> submission thing ONLY be on the localhost IP? I'm thinking I can use:
>>    DAEMON_OPTIONS(`Addr=127.0.0.1,Port=587,Name=MSA,M=E')
>
> You also need:
>    FEATURE(no_default_msa)
> otherwise, you're definitely heading in the right direction.

Thanks, Matthew! That was the piece I was missing. I tried my
Daemon_Options above, but found out its presence does not disable the
default config to listen on all interfaces. I got it working by
directly editing the .cf, but your trick does it from the macro
config.

The final result ended up as:
FEATURE(no_default_msa)dnl # turn off MSA on all ports; only use what's in Daemon_Options
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1,Name=MTA')
DAEMON_OPTIONS(`Port=smtp,Addr=172.23.23.10,Name=MTA')
DAEMON_OPTIONS(`Port=2525,Addr=172.23.23.10,Name=MTA')dnl # smtp on alt port
DAEMON_OPTIONS(`Port=587,Addr=127.0.0.1,Name=MSA,M=E')

Once I knew the right keywords to google, I found this article that might
be of use to others: "Five Tips for a Better sendmail Configuration"
http://www.onlamp.com/pub/a/onlamp/2004/01/15/sendmail.html?page=1

-Thanks,
Rob

Re: Sendmail IP interface assignment -- how to?
Rob wrote:
> Hi All,
>
> Working on standard sendmail 8.13.8 on FreeBSD 6.2. Machine has a 2nd
> NIC that I want to use for a jail environment, so I'm trying to get rid
> of all the extraneous servers listening on it.
>
> Sendmail was of course listening on the smtp and submission ports on all
> interfaces. I tracked down the sendmail option DaemonPortOptions to
> configure this.
>
> In the STANDARD sendmail.cf file there was:
>    O DaemonPortOptions=Name=MTA
>    O DaemonPortOptions=Port=587, Name=MSA, M=E
>
> So I edited the .mc macro to add:
>    DAEMON_OPTIONS(`Addr=127.0.0.1,Port=smtp,Name=MTA')
>    DAEMON_OPTIONS(`Addr=172.23.23.10,Port=smtp,Name=MTA')
>
> Which built sendmail.cf with:
>    O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA
>    O DaemonPortOptions=Addr=172.23.23.10,Port=smtp,Name=MTA
>    O DaemonPortOptions=Port=587, Name=MSA, M=E
>
> That closed port 25 on the extra NIC, but netstat still shows "tcp4
> *.submission LISTEN". I definitely need to close port 587 in the 2nd
> NIC, but I was wondering about "best practices" for this. Shouldn't the
> submission thing ONLY be on the localhost IP? I'm thinking I can use:
>    DAEMON_OPTIONS(`Addr=127.0.0.1,Port=587,Name=MSA,M=E')
>
> Am I going in the right direction here? It looks like I've turned off
> smtp as intended, but wondering if I'm doing the right thing with
> restricting submission. Any other suggestions on configuring this?
> (other than "don't use sendmail") This is on a live server, so I don't
> want to hose things up too much experimenting!

You also need:

   FEATURE(no_default_msa)

otherwise, you're definitely heading in the right direction.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
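
Added example, not part of the thread and not sendmail's own tooling: a shell check over the "O DaemonPortOptions=" lines of a built sendmail.cf that flags any listener with no Addr=, which is the state Rob's question shows for the default MSA on port 587. The function names are made up for this example, and matching option keys by their first letter is an assumption based on the thread's own abbreviated M=E.

```shell
#!/bin/sh
# Constructed sample: the sendmail.cf lines quoted in the original question
# (built before FEATURE(no_default_msa) was added to the .mc file).
sample_cf() {
cat <<'EOF'
O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA
O DaemonPortOptions=Addr=172.23.23.10,Port=smtp,Name=MTA
O DaemonPortOptions=Port=587, Name=MSA, M=E
EOF
}

# audit_daemon_ports [FILE...]   (reads stdin when no file is given)
# Prints one line per listener: NAME PORT ADDR STATUS
# Exit status is 1 if any listener is not pinned to an address.
audit_daemon_ports() {
  awk '
    /^O[ \t]+DaemonPortOptions=/ {
      sub(/^O[ \t]+DaemonPortOptions=/, "")
      # Defaults when a key is absent: smtp port, every interface.
      addr = "*"; port = "smtp"; name = "-"
      n = split($0, kv, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", kv[i])      # trim "Port=587, Name=MSA"
        eq = index(kv[i], "=")
        if (eq == 0) continue
        # Assumption: keys are identified by first letter (Addr, Port, Name).
        key = toupper(substr(kv[i], 1, 1))
        val = substr(kv[i], eq + 1)
        if (key == "A") addr = val
        else if (key == "P") port = val
        else if (key == "N") name = val
      }
      wild = (addr == "*" || addr == "0.0.0.0" || addr == "::")
      if (wild) bad = 1
      print name, port, addr, (wild ? "ALL-INTERFACES" : "ok")
    }
    END { exit bad + 0 }
  ' "$@"
}

# Run against the constructed sample; the MSA line is the one reported.
sample_cf | audit_daemon_ports || echo "unpinned listener found"
```

Against a real system, pass the built file instead of the sample, for example audit_daemon_ports /etc/mail/sendmail.cf, and compare the result with what netstat reports as listening.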