Sendmail ignores hosts.allow

Maxim Khitrov mkhitrov at gmail.com
Mon May 21 23:52:12 UTC 2007


On 5/21/07, Mikhail Goriachev <mikhailg at webanoide.org> wrote:
> Maxim Khitrov wrote:
> > Hello,
> >
> > I'm trying to restrict access to sendmail via hosts.allow. Don't need
> > a firewall, since I just want to block everyone but the localhost from
> > sending e-mail out. Anyway, it seems that sendmail ignores these
> > settings even though it was compiled with TCPWRAPPERS. I added
> > "sendmail : all : deny" as the very first line in hosts.allow, just to
> > see if it will let me connect from anywhere. It does - not just from
> > localhost, but from all remote locations as well. I have no problems
> > connecting and sending e-mail. Am I missing something?
>
> I followed your earlier thread (hopefully this is a related topic). This
> is strange. By default, sendmail is disabled. You don't even have to put
> anything into rc.conf:
>
> # grep sendmail /etc/defaults/rc.conf
>
> Sendmail listens and accepts local mail only. You can't connect to it
> from another machine:
>
> # telnet some.host.tld 25
> Trying 1.2.3.4...
> telnet: connect to address 1.2.3.4: Connection refused
> telnet: Unable to connect to remote host
>
> You must've tweaked something to make it behave differently.
>
> > I tested the same setup with sshd, and that works properly. After a
> > quick search on Google it seems that I'm not the only one with this
> > problem, but I couldn't find any solution to this. Any help is greatly
> > appreciated.
>
> Share with us your testing methodology. From the previous thread, I
> understand that you just want something to submit your local mail (from
> daemons, scripts, etc). Then, as others already said, a simple alias in
> /etc/mail/aliases and executing newaliases is sufficient.

Ok, so here's my current setup. I have sendmail_enable="NO" in rc.conf
(same as not having it there I guess), I've modified /etc/mail/aliases
to forward everything sent to root to my gmail account, and I added
"sendmail : all : deny" as the first line to /etc/hosts.allow while
I'm testing everything. Once I make sure that the deny rule works,
I'll allow access to sendmail only from localhost. This is all on
FreeBSD 6.2, but it's running in a jail, so that might have some
effect.

From my previous thread, sendmail is used only to accept messages sent
by processes running on the server, and send them to real e-mails
specified in /etc/aliases. That part works. However, even though
sendmail_enable is set to "NO" in rc.conf, sendmail still listens on
port 25, accepts mail from remote hosts, and the hosts.allow rule
doesn't seem to apply. Strange, isn't it? By the way, I just tried
removing sendmail_enable line from rc.conf completely and that had no
effect.

All I do for testing is basically start/restart sendmail, then telnet
to the server from my workstation at home. I get a standard reply, and
can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on.
Relaying doesn't work, but sending to and all other aliases works fine
(which in this case is bad).

Think this might be some bug when sendmail is running in a jail? I
haven't modified anything beyond what's mentioned in this e-mail, and
I've checked all the settings. I can definitely connect to the server
from remote hosts despite the rc.conf and hosts.allow configuration.

- Maxim Khitrov
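
The telnet test described in the message above can be scripted so that the result is recorded the same way on every run. This is an added example, not part of the original post; the function name `probe_smtp` and its state labels are assumptions made for illustration.

```python
import socket

def probe_smtp(host, port=25, timeout=5.0):
    """Classify how an SMTP listener treats a connection from this machine.

    Returns (state, detail), where state is one of:
      "refused"  - nothing accepts connections on that address/port
      "timeout"  - no answer to the connect, or connected but no reply
      "greeting" - the server sent a 220 banner and will talk SMTP
      "rejected" - the server replied with a non-220 first line
      "closed"   - the connection was accepted, then dropped without a reply
      "error"    - any other socket failure (detail holds the message)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("timeout", "")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)  # the server speaks first in SMTP
        except socket.timeout:
            return ("timeout", "connected, no banner")
        except OSError as exc:  # e.g. connection reset by the server
            return ("closed", str(exc))
    if not data:
        return ("closed", "")
    line = data.decode("ascii", "replace").splitlines()[0]
    return ("greeting" if line.startswith("220") else "rejected", line)

if __name__ == "__main__":
    import sys
    # Default target is the loopback address; pass the server name to test remotely.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, *probe_smtp(target))
```

Running it once on the server itself and once from a remote workstation, before and after each change to rc.conf or hosts.allow, shows whether the change altered what a remote client sees.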

