Sendmail ignores hosts.allow

Mikhail Goriachev mikhailg at webanoide.org
Tue May 22 01:05:27 UTC 2007


doug wrote:
> 
> On Mon, 21 May 2007, Maxim Khitrov wrote:
> 
>> On 5/21/07, Mikhail Goriachev <mikhailg at webanoide.org> wrote:
>>> Maxim Khitrov wrote:
>>>> Hello,
>>>>
>>>> I'm trying to restrict access to sendmail via hosts.allow. Don't need
>>>> a firewall, since I just want to block everyone but the localhost from
>>>> sending e-mail out. Anyway, it seems that sendmail ignores these
>>>> settings even though it was compiled with TCPWRAPPERS. I added
>>>> "sendmail : all : deny" as the very first line in hosts.allow, just to
>>>> see if it will let me connect from anywhere. It does - not just from
>>>> localhost, but from all remote locations as well. I have no problems
>>>> connecting and sending e-mail. Am I missing something?
>>> I followed your earlier thread (hopefully this is a related topic). This
>>> is strange. By default, sendmail is disabled. You don't even have to put
>>> anything into rc.conf:
>>>
>>> # grep sendmail /etc/defaults/rc.conf
>>>
>>> Sendmail listens and accepts local mail only. You can't connect to it
>>> from another machine:
>>>
>>> # telnet some.host.tld 25
>>> Trying 1.2.3.4...
>>> telnet: connect to address 1.2.3.4: Connection refused
>>> telnet: Unable to connect to remote host
>>>
>>> You must've tweaked something to make it behave differently.
>>>
>>>> I tested the same setup with sshd, and that works properly. After a
>>>> quick search on google it seems that I'm not the only one with this
>>>> problem, but I couldn't find any solution to this. Any help is greatly
>>>> appreciated.
>>> Share with us your testing methodology. From previous thread, I
>>> understand that you just want something to submit your local mail (from
>>> daemons, scripts, etc). Then as others already said, a simple alias in
>>> /etc/mail/aliases and executing newaliases is sufficient.
>> Ok, so here's my current setup. I have sendmail_enable="NO" in rc.conf
>> (same as not having it there I guess), I've modified /etc/mail/aliases
>> to forward everything sent to root to my gmail account, and I added
>> "sendmail : all : deny" as the first line to /etc/hosts.allow while
>> I'm testing everything. Once I make sure that the deny rule works,
>> I'll allow access to sendmail only from localhost. This is all on
>> FreeBSD 6.2, but it's running in a jail, so that might have some
>> effect.
> 
> sendmail_enable="NO" means there is no sendmail daemon running. You can verify 
> this via "ps -aux | grep sendmail". Remove that statement. Without a reboot you 
> can start sendmail by cd /etc/mail; make start.


sendmail_enable="NO" tells sendmail to bind to localhost only (hence it
becomes unreachable from the outside):

# sockstat -4l | grep sendmail
root     sendmail   42310 4  tcp4   127.0.0.1:25          *:*

sendmail_enable="YES" starts/adds the submit capability:

# sockstat -4l | grep sendmail
root     sendmail   42262 4  tcp4   *:25                  *:*
root     sendmail   42262 5  tcp4   *:587                 *:*


In both cases, executing ps -aux shows the sendmail daemon is running.


The first knob is the default as per /etc/defaults/rc.conf.



> Unless you have changed the freebsd.mc file and done a 'make install' I do not 
> believe sendmail will accept any connections except on 127.0.0.1 
> (localhost). This is what you want I think. If that's it, as others have said, 
> there is no reason to use the hosts.allow mechanism. This is independent of the 
> jail environment.
> 
>    sockstat|grep sendmail
> 
> and you can see what's going on.



-- 
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: mikhailg at webanoide.org
Web: www.webanoide.org
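As an added example, not part of the thread or of FreeBSD itself: a small shell check that reads "sockstat -4l" output and reports which sendmail listeners are bound to something other than 127.0.0.1. The two sockstat listings quoted above are reused as constructed sample input. It separates the two mechanisms discussed in the thread: the bind address, which the kernel enforces (a remote peer connecting to a 127.0.0.1-bound socket gets "Connection refused" before sendmail ever sees the connection), and TCP wrappers, which a daemon built with TCPWRAPPERS consults only after it has accepted a connection on a socket that was reachable in the first place. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): decide from "sockstat -4l" output whether a
# daemon has TCP listeners reachable from other hosts. A socket bound to 127.0.0.1
# is refused by the kernel for remote peers no matter what hosts.allow says; a
# wildcard bind (*:25) means the daemon itself, via TCP wrappers if it was built
# with them, is the only thing between the network and the port.
#
# On a FreeBSD box:  sockstat -4l | exposed_listeners sendmail
# sockstat -4l columns: USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS

exposed_listeners() {
    # $1 = command name to inspect, e.g. sendmail
    awk -v cmd="$1" '
        $2 == cmd && $5 ~ /^tcp/ {
            n = split($6, a, ":")          # LOCAL_ADDRESS is addr:port
            addr = a[1]; port = a[n]
            if (addr == "127.0.0.1") next  # loopback only: not reachable remotely
            printf "%s pid %s: port %s reachable from the network (bound to %s)\n", cmd, $3, port, addr
        }'
}

# Constructed samples, copied from the two sockstat listings quoted in the thread:
# sendmail_enable="NO" (localhost only) and sendmail_enable="YES" (wildcard bind).
SAMPLE_LOCALHOST_ONLY='root     sendmail   42310 4  tcp4   127.0.0.1:25          *:*'
SAMPLE_WILDCARD='root     sendmail   42262 4  tcp4   *:25                  *:*
root     sendmail   42262 5  tcp4   *:587                 *:*'

# Returns 0 when nothing is exposed, 1 (and prints the offenders) when something is.
check_sample() {
    out=$(printf '%s\n' "$1" | exposed_listeners sendmail)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

check_sample "$SAMPLE_LOCALHOST_ONLY" && echo "sendmail_enable=NO state: nothing exposed"
check_sample "$SAMPLE_WILDCARD"      || echo "sendmail_enable=YES state: exposed as listed above"
```

Only the wildcard listing produces output (ports 25 and 587); the localhost-only listing is reported clean, which is exactly the state the thread says the default rc.conf gives you without any hosts.allow rule.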

