Sendmail ignores hosts.allow

Mikhail Goriachev mikhailg at webanoide.org
Tue May 22 00:47:06 UTC 2007


Maxim Khitrov wrote:
> On 5/21/07, Mikhail Goriachev <mikhailg at webanoide.org> wrote:
>> Maxim Khitrov wrote:
>>> Hello,
>>>
>>> I'm trying to restrict access to sendmail via hosts.allow. Don't need
>>> a firewall, since I just want to block everyone but the localhost from
>>> sending e-mail out. Anyway, it seems that sendmail ignores these
>>> settings even though it was compiled with TCPWRAPPERS. I added
>>> "sendmail : all : deny" as the very first line in hosts.allow, just to
>>> see if it will let me connect from anywhere. It does - not just from
>>> localhost, but from all remote locations as well. I have no problems
>>> connecting and sending e-mail. Am I missing something?
>> I followed your earlier thread (hopefully this is a related topic). This
>> is strange. By default, sendmail is disabled. You don't even have to put
>> anything into rc.conf:
>>
>> # grep sendmail /etc/defaults/rc.conf
>>
>> Sendmail listens and accepts local mail only. You can't connect to it
>> from another machine:
>>
>> # telnet some.host.tld 25
>> Trying 1.2.3.4...
>> telnet: connect to address 1.2.3.4: Connection refused
>> telnet: Unable to connect to remote host
>>
>> You must've tweaked something to make it behave differently.
>>
>>> I tested the same setup with sshd, and that works properly. After a
>>> quick search on google it seems that I'm not the only one with this
>>> problem, but I couldn't find any solution to this. Any help is greatly
>>> appreciated.
>> Share with us your testing methodology. From previous thread, I
>> understand that you just want something to submit your local mail (from
>> daemons, scripts, etc). Then as others already said, a simple alias in
>> /etc/mail/aliases and executing newaliases is sufficient.
> 
> Ok, so here's my current setup. I have sendmail_enable="NO" in rc.conf
> (same as not having it there I guess), I've modified /etc/mail/aliases
> to forward everything sent to root to my gmail account, and I added
> "sendmail : all : deny" as the first line to /etc/hosts.allow while
> I'm testing everything. Once I make sure that the deny rule works,
> I'll allow access to sendmail only from localhost. This is all on
> FreeBSD 6.2, but it's running in a jail, so that might have some
> effect.
> 
> From my previous thread, sendmail is used only to accept messages sent
> by processes running on the server, and send them to real e-mails
> specified in /etc/aliases. That part works. However, even though
> sendmail_enable is set to "NO" in rc.conf, sendmail still listens on
> port 25, accepts mail from remote hosts, and the hosts.allow rule
> doesn't seem to apply. Strange, isn't it? By the way, I just tried
> removing sendmail_enable line from rc.conf completely and that had no
> effect.
> 
> All I do for testing is basically start/restart sendmail, then telnet
> to the server from my workstation at home. I get a standard reply, and
> can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on.
> Relaying doesn't work, but sending to and all other aliases works fine
> (which in this case is bad).
> 
> Think this might be some bug when sendmail is running in a jail? I
> haven't modified anything beyond what's mentioned in this e-mail, and
> I've checked all the settings. I can definitely connect to the server
> from remote hosts despite the rc.conf and hosts.allow configuration.

This is a different story now. On your host machine (as in the jails' host),
sendmail binds to localhost and never responds to the outside world. This is
expected. However, sendmail in a jail binds to the jail's IP address, and
that is why you can talk to it from outside.

Run this on your host:

# sockstat -4l | grep sendmail

The output should look like this:

root     sendmail   1624  4  tcp4   1.2.3.5:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.4:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.3:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.2:25            *:*
root     sendmail   1208  3  tcp4   127.0.0.1:25          *:*

The first four are jails. The last one is the host's sendmail being "disabled".


I'd suggest using a firewall to protect your jails instead of trying to
completely disable sendmails.


Regards,
Mikhail.

-- 
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: mikhailg at webanoide.org
Web: www.webanoide.org
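The sockstat check above can be turned into a small audit that flags every sendmail listener not bound to the loopback address, which is exactly what distinguishes the jailed instances from the "disabled" host instance in the output above. This is an added example, not code from the thread; it uses a constructed sample in the layout of FreeBSD's `sockstat -4l` output (the `SAMPLE_SOCKSTAT` variable and the `exposed_sendmail` / `count_exposed_sample` function names are the example's own).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report sendmail sockets
# that listen on something other than the loopback address.

# Constructed sample in the column layout of FreeBSD's `sockstat -4l`
# (header line, then USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1624  4  tcp4   1.2.3.5:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.4:25            *:*
root     sendmail   1208  3  tcp4   127.0.0.1:25          *:*
root     sshd       1100  3  tcp4   *:22                  *:*'

# Reads sockstat-format lines on stdin and prints the LOCAL ADDRESS (field 6)
# of every sendmail socket not bound to 127.0.0.1 or ::1.
# Real-world use:  sockstat -4l | exposed_sendmail
exposed_sendmail() {
    awk '$2 == "sendmail" && $6 !~ /^127\.0\.0\.1:/ && $6 !~ /^::1:/ { print $6 }'
}

# Number of exposed sendmail listeners in the constructed sample.
count_exposed_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_sendmail | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample: prints 1.2.3.5:25 and 1.2.3.4:25.
printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_sendmail
```

Run on the host from the thread, the filter would print the four jail addresses (1.2.3.2 through 1.2.3.5) and stay silent for the 127.0.0.1:25 entry; an empty result is the state you want if only local submission is intended.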

