Sendmail ignores hosts.allow
Doug Hardie
bc979 at lafn.org
Tue May 22 18:46:14 UTC 2007
On May 22, 2007, at 10:46, Maxim Khitrov wrote:
> On 5/22/07, doug <doug at fledge.watson.org> wrote:
>> On Tue, 22 May 2007, Maxim Khitrov wrote:
>>
>> > On 5/22/07, steveb at erienet.net <steveb at erienet.net> wrote:
>> >> I suspect sendmail is reading /etc/hosts.allow
>> >>
>> >> # Start by allowing everything (this prevents the rest of the file
>> >> # from working, so remove it when you need protection).
>> >> # The rules here work on a "First match wins" basis.
>> >> #ALL : ALL : allow
>> >>
>> >> Did you comment out the above line?
>> >>
>> >> Steve
>> >
>> > Here's the entire file as it is right now:
>> >
>> > # Deny sendmail to all clients (temporary)
>> > sendmail : all : deny
>> >
>> > # Allow anything from localhost
>> > all : <local ip> : allow
>> >
>> > # Process SSH deny rules
>> > sshd : /etc/hosts.evil : deny
>> >
>> > # Allow everything else
>> > all : all : allow
>> >
>> > Once I can get sendmail to block all connection requests, I'll
>> move it
>> > below the second rule. That way, only local processes will be
>> able to
>> > use it. For now, however, that rule is being ignored completely.
>>
>> The default configuration gives you what you want so I assume your
>> goal is to
>> see if you can make hosts.allow work within a jail. In general
>> there are
>> performance reasons not to use inetd to control ssh and sendmail.
>> ssh under
>> inetd causes more key generation. Sendmail has its own controls
>> which give you
>> the equivalent (or better) than can be done with inetd.
>>
>> I assume from an earlier post you are trying to make this work
>> inside a jail. If
>> thats true you must also have in the jail rc.conf
>>
>> inetd_flags="-wW -a your-ip-address"
>>
>> I assume you have this or you would not have been able to control
>> ssh. All that
>> said, I have only used inetd to control ftp/imap/pop3. It seems to
>> me your
>> specific question is: does this work inside a jail and is any
>> special setup
>> required to make it work with sendmail. Sorry I can not help more.
>>
>> Doug
>
> I'm not sure I understand what you mean... I'm not using inetd, and
> the default configuration doesn't block sendmail from all remote
> hosts. The ssh server is running all by itself, same as sendmail. The
> way I understand it is that as long as the server was compiled with
> tcp wrappers, it should follow the rules in hosts.allow.
tcp wrappers must be coded into the application. The call which
actually checks the access permissions in the hosts.allow file is
hosts_access() (see man hosts_access). Checking through the sendmail
source for version 8.13.8, there are no calls to hosts_access in the
source code. You will need to patch sendmail to make it do what you
want. There might be patches at www.sendmail.org for that, but I
doubt it. openssh's sshd.c is probably a good template to use.
More information about the freebsd-questions
mailing list