Date: Sat, 23 Sep 2000 00:49:24 +0200
From: Neil Blakey-Milner <nbm@mithrandr.moria.org>
To: David Pick <D.M.Pick@qmw.ac.uk>
Cc: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, security@FreeBSD.ORG, Peter Wemm <peter@netplex.com.au>
Subject: Re: sendmail default run state
Message-ID: <20000923004924.A35072@mithrandr.moria.org>
In-Reply-To: <E13cbSC-000Dyf-00@dialup-janus.css.qmw.ac.uk>; from D.M.Pick@qmw.ac.uk on Fri, Sep 22, 2000 at 11:37:59PM +0100
References: <200009222012.e8MKCRF12785@cwsys.cwsent.com> <E13cbSC-000Dyf-00@dialup-janus.css.qmw.ac.uk>
On Fri 2000-09-22 (23:37), David Pick wrote:
> > > > sendmail_enable="YES"              # run the sendmail MTA
> > > > sendmail_outboundonly_enable="YES" # don't listen for messages from the network
>
> Hmm. Jumping into this half-way through, does this mean:
> (1) outbound only
> (2) not inbound

1.

> the difference being that in (2) a local MTA would be running and would
> be allowed to accept messages from the local machine only. I've implemented
> this by using IPFW to allow TCP calls to port 25 via the loopback interface
> but not in from any "real" (real, tunnel, &c) interface.

Yeah, it would be nice to offer this, but we can't assure ipfw/ipfilter rules, and my knowledge of sendmail configuration is dangerous. Is there a way to tell sendmail what IP addresses to bind? If it means rewriting the configuration file, we could investigate the use of sed to allow us to specify smarthost (DS in sendmail, IIRC) and what IP(s) to bind.

> I feel (2) is more useful (but then, I would given what I do), but (1) might
> be of interest to some people (no need to have sendmail/exim/qmail listening).

My thinking is that people who start firewalling things are quite able to change the option the way they like.

> On a similar vein, I used to block incoming TCP connections to port 6000 (X)
> until I found a hint on this list that adding "-nolisten tcp" to the server
> setup line in /usr/X11R6/lib/X11/xdm/Xservers was a much better way to go.
> (I use SSH extensively ;-) In fact (IIRC) it was a message from Cy!

Let me remember that. I'm supposed to be writing the all-encompassing "How to Secure your FreeBSD System" document "sometime soon" (TM). ;)

I suppose making that the default might ire some people. Maybe we should ire some people. ;)

Neil

--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org
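Neil asks whether sendmail can be told which addresses to bind and floats rewriting the configuration file with sed to set the smart host (`DS`) and the bind address. The following is an added example, not code from the thread or from FreeBSD's rc scripts: it applies exactly that sed rewrite to a constructed sendmail.cf fragment, setting the `DS` smart-host line and the `O DaemonPortOptions` option (present in sendmail 8.9 and later) so the daemon listens on 127.0.0.1 only, then checks the result. The sample file, the smart-host name and the function names are assumptions made for the demonstration; on a real system the file would be /etc/mail/sendmail.cf and the proper route is to set `DAEMON_OPTIONS` in the .mc source and regenerate.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite a sendmail.cf so the daemon
# binds only the loopback address and relays outbound mail via a smart host.
# Assumes the sendmail.cf "DS" smart-host line and the "O DaemonPortOptions"
# option (sendmail 8.9+). Paths and host names below are placeholders.

# Constructed sample standing in for /etc/mail/sendmail.cf: $1 = output path
make_sample_cf() {
    cat > "$1" <<'EOF'
# "Smart" relay host (may be null)
DS

# SMTP daemon options
O DaemonPortOptions=Name=MTA
O PrivacyOptions=authwarnings
EOF
}

# Set the smart host (DS) and restrict the SMTP listener to 127.0.0.1.
# $1 = sendmail.cf path, $2 = smart host name
localize_sendmail_cf() {
    sed -e "s|^DS.*|DS$2|" \
        -e "s|^O DaemonPortOptions=.*|O DaemonPortOptions=Name=MTA,Addr=127.0.0.1,Port=smtp|" \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Post-change check: both settings must be present, otherwise return non-zero.
# $1 = sendmail.cf path, $2 = expected smart host name
verify_sendmail_cf() {
    grep -q "^DS$2\$" "$1" && grep -q "^O DaemonPortOptions=.*Addr=127.0.0.1" "$1"
}

# Extract the two fields so they can be inspected (or asserted on) directly.
cf_smarthost()   { sed -n 's/^DS//p' "$1"; }
cf_daemon_opts() { sed -n 's/^O DaemonPortOptions=//p' "$1"; }

# Stand-alone run on the constructed sample.
tmp=$(mktemp)
make_sample_cf "$tmp"
localize_sendmail_cf "$tmp" "mailhub.example.org"
verify_sendmail_cf "$tmp" "mailhub.example.org" \
    && echo "sendmail.cf now binds 127.0.0.1 only; smart host set"
rm -f "$tmp"
```

After the rewrite, `O DaemonPortOptions=Name=MTA,Addr=127.0.0.1,Port=smtp` makes sendmail bind the loopback address only, which gives David's "(2) not inbound" behaviour without depending on ipfw rules: local clients still reach port 25 on 127.0.0.1, nothing on an external interface does. A quick `sockstat -4 -l` (or `netstat -an`) after restarting the daemon confirms that only 127.0.0.1:25 is listening.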