Sendmail ignores hosts.allow
Maxim Khitrov
mkhitrov at gmail.com
Tue May 22 17:46:42 UTC 2007
On 5/22/07, doug <doug at fledge.watson.org> wrote:
> On Tue, 22 May 2007, Maxim Khitrov wrote:
>
> > On 5/22/07, steveb at erienet.net <steveb at erienet.net> wrote:
> >> I suspect sendmail is reading /etc/hosts.allow
> >>
> >> # Start by allowing everything (this prevents the rest of the file
> >> # from working, so remove it when you need protection).
> >> # The rules here work on a "First match wins" basis.
> >> #ALL : ALL : allow
> >>
> >> Did you comment out the above line?
> >>
> >> Steve
> >
> > Here's the entire file as it is right now:
> >
> > # Deny sendmail to all clients (temporary)
> > sendmail : all : deny
> >
> > # Allow anything from localhost
> > all : <local ip> : allow
> >
> > # Process SSH deny rules
> > sshd : /etc/hosts.evil : deny
> >
> > # Allow everything else
> > all : all : allow
> >
> > Once I can get sendmail to block all connection requests, I'll move it
> > below the second rule. That way, only local processes will be able to
> > use it. For now, however, that rule is being ignored completely.
>
> The default configuration gives you what you want so I assume your goal is to
> see if you can make hosts.allow work within a jail. In general there are
> performance reasons not to use inetd to control ssh and sendmail. ssh under
> inetd causes more key generation. Sendmail has its own controls which give you
> the equivalent (or better) than can be done with inetd.
>
> I assume from an earlier post you are trying to make this work inside a jail. If
> thats true you must also have in the jail rc.conf
>
> inetd_flags="-wW -a your-ip-address"
>
> I assume you have this or you would not have been able to control ssh. All that
> said, I have only used inetd to control ftp/imap/pop3. It seems to me your
> specific question is: does this work inside a jail and is any special setup
> required to make it work with sendmail. Sorry I can not help more.
>
> Doug
I'm not sure I understand what you mean... I'm not using inetd, and
the default configuration doesn't block sendmail from all remote
hosts. The ssh server is running all by itself, same as sendmail. The
way I understand it is that as long as the server was compiled with
tcp wrappers, it should follow the rules in hosts.allow.
- Max
More information about the freebsd-questions
mailing list