From: Dan Strick
Date: Fri, 26 Mar 2004 05:34:48 -0800 (PST)
Message-Id: <200403261334.i2QDYmLm001433@mist.nodomain>
To: David.Bear@asu.edu
cc: freebsd-questions@freebsd.org
cc: dan@mist.nodomain
Subject: Re: sendmail local mta mode only

On Thu, 25 Mar 2004 19:24:08 -0700, David Bear wrote:
>>
> I would like to run the stock sendmail freebsd has as a local MTA
> only... ie I don't want it listening on ANY real/public interface for
> mail. I do want it to handle delivery of local messages to local
> accounts -- and handle sending messages destined for external systems.
>
> any pointers ?
>>

Recent versions of sendmail are installed non-setuid-root for security
reasons (paranoia probably justified in the case of sendmail). Since
local mail delivery requires root privilege in the general case, all
local mail is forwarded to the smtp port on the local host for local
delivery. If there is no sendmail daemon running as root and listening
on the local smtp port, local mail cannot be delivered. Even on a
non-networked single user workstation this is inconvenient because
cron job output is delivered via email.

I think you can modify /etc/mail/freebsd.submit.mc to deliver local
mail the old way and make /usr/libexec/sendmail/sendmail setuid root.
This may be documented in /usr/src/contrib/sendmail/src/SECURITY.
It looks ugly to me and may create worse security problems than
running a sendmail daemon that listens on the smtp port.

The standard FreeBSD version of sendmail is built with libwrap support.
If your primary concern is hackers on other systems abusing your
sendmail daemon, you can modify /etc/hosts.allow to permit smtp port
access only from the local host.

Life is too short to spend most of it trying to understand obscure
sendmail documentation.

Dan Strick
strick@covad.net
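
The /etc/hosts.allow restriction suggested in the message above, as an added example that is not part of the original post: a simplified first-match evaluator for libwrap rules, showing why a leading catch-all rule defeats a later "local host only" rule. The daemon name `sendmail`, both rule sets and the client addresses are constructed assumptions, and only a small subset of the hosts_access(5) pattern syntax is handled.

```python
# Simplified first-match evaluator for tcp_wrappers (libwrap) rules written
# as "daemon_list : client_list : allow|deny". Added example; it handles only
# ALL, exact host/address, ".domain" suffix and "net." prefix patterns
# (no IPv6 literals, netmasks, EXCEPT or line continuations).

# Constructed sample: a catch-all first rule placed above the sendmail rules.
CATCH_ALL_FIRST = """\
ALL : ALL : allow
sendmail : localhost : allow
sendmail : ALL : deny
"""

# Constructed sample: smtp access permitted from the local host only.
LOCAL_ONLY = """\
# sendmail reachable from this machine only
sendmail : localhost 127.0.0.1 : allow
sendmail : ALL : deny
"""

def _match(pattern, name, addr):
    p = pattern.lower()
    if p == "all":
        return True
    if p.startswith("."):            # domain suffix, e.g. .example.com
        return name.lower().endswith(p)
    if p.endswith("."):              # address prefix, e.g. 192.0.2.
        return addr.startswith(p)
    return p in (name.lower(), addr)

def decide(rules_text, daemon, name, addr):
    """Return (verdict, rule_line) for the first rule that matches."""
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                 # blank, comment or malformed line
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if not any(d.lower() in ("all", daemon.lower()) for d in daemons):
            continue
        if any(_match(c, name, addr) for c in clients):
            verdict = "deny" if fields[-1].lower() == "deny" else "allow"
            return verdict, line
    # No rule matched; with no hosts.deny entry either, access is granted.
    return "allow", None
```

Calling `decide(CATCH_ALL_FIRST, "sendmail", "mail.example.net", "192.0.2.10")` returns the catch-all line as the deciding rule, which is the thing to look for when a local-only rule appears to have no effect.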