From owner-freebsd-questions@FreeBSD.ORG Tue May 22 22:49:38 2007
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0D55916A46B for ; Tue, 22 May 2007 22:49:38 +0000 (UTC) (envelope-from bennett@cs.niu.edu)
Received: from mp.cs.niu.edu (mp.cs.niu.edu [131.156.145.41]) by mx1.freebsd.org (Postfix) with ESMTP id BDC9C13C465 for ; Tue, 22 May 2007 22:49:37 +0000 (UTC) (envelope-from bennett@cs.niu.edu)
Received: from mp.cs.niu.edu (bennett@localhost [127.0.0.1]) by mp.cs.niu.edu (8.14.1/8.14.1) with ESMTP id l4MMmxqZ023914; Tue, 22 May 2007 17:48:59 -0500 (CDT)
Date: Tue, 22 May 2007 17:48:58 -0500 (CDT)
From: Scott Bennett
Message-Id: <200705222248.l4MMmwYZ023913@mp.cs.niu.edu>
To: mkhitrov@gmail.com
Cc: steveb@erienet.net, freebsd-questions@freebsd.org
Subject: Re: Sendmail ignores hosts.allow
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 22 May 2007 22:49:38 -0000

On Tue, 22 May 2007 11:37:24 -0400 "Maxim Khitrov" wrote:

>On 5/22/07, steveb@erienet.net wrote:
>> I suspect sendmail is reading /etc/hosts.allow

     Why would anyone expect that?  /etc/hosts.allow is one of the control
files for the TCP wrapper program, tcpd.  (See "man tcpd".)

>>
>> # Start by allowing everything (this prevents the rest of the file
>> # from working, so remove it when you need protection).
>> # The rules here work on a "First match wins" basis.
>> #ALL : ALL : allow
>>
>> Did you comment out the above line?
>>
>> Steve
>
>Here's the entire file as it is right now:
>
># Deny sendmail to all clients (temporary)
>sendmail : all : deny
>
># Allow anything from localhost
>all : : allow
>
># Process SSH deny rules
>sshd : /etc/hosts.evil : deny
>
># Allow everything else
>all : all : allow
>
>Once I can get sendmail to block all connection requests, I'll move it
>below the second rule. That way, only local processes will be able to
>use it. For now, however, that rule is being ignored completely.
>
     Okay.  First off, as noted above, /etc/hosts.{allow,deny} are not
sendmail(8) control files.  They are tcpd(8) control files.
     Secondly, tcpd is normally interposed between inetd(8), which has
essentially no built-in means of deciding whether to accept or reject TCP
connections based upon the source address of the connection request.
Instead of listing a particular program in /etc/inetd.conf as the program
to run to service an incoming connection on a particular port, one lists
the tcpd program and provides *it* the path of the desired service program.
tcpd then looks at /etc/hosts.{allow,deny} to determine whether to close
the connection or to pass it along to the service program.
     Third, it is possible to run sendmail in non-daemon mode.  If one does
not wish to tie up kernel resources to keep a sendmail process in the
system all the time, for example, one can list sendmail in /etc/inetd.conf
for the SMTP port (25), so that an inbound connection will result in
inetd(8) forking off a sendmail process to handle it.  (See "man sendmail",
and try "/usr/sbin/sendmail -bm" IIRC.)  It is in this setup *only* that
the /etc/hosts.{allow,deny} files should have any effect whatsoever upon
whether incoming connections are handled by sendmail.  N.B. even in this
case, it is tcpd reading those files and making the decisions, *not*
sendmail.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
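Editor's added illustration, not part of the thread: the one point every message above agrees on is that the wrapper reads hosts.allow on a "first match wins" basis, so the position of a "sendmail : ALL : deny" line decides whether it can ever fire. The POSIX sh script below models that evaluation for a small subset of the hosts_access(5) syntax (ALL, exact names or addresses, trailing-dot network prefixes such as "198.51.100.", and a file of patterns in the role /etc/hosts.evil plays in the thread). The rule sets, the addresses (documentation ranges) and the function names hosts_access, match_one, match_field and demo_evil_file are all constructed for this example; they are not tcpd's code or interfaces.

```shell
#!/bin/sh
# Added example (not from the thread): a first-match-wins evaluator for
# hosts.allow-style rules. The real decision is made by the wrapper
# (tcpd, or a program linked with libwrap), not by this script.

# Constructed rule sets, "daemon : client : action" per line.

# Deny line first: no client, not even localhost, reaches sendmail.
RULES_DENY_FIRST='sendmail : ALL : deny
ALL : 127.0.0.1 : allow
sshd : 198.51.100. : deny
ALL : ALL : allow'

# The order the poster says he intends: localhost first, then the deny.
RULES_LOCAL_ONLY='ALL : 127.0.0.1 : allow
sendmail : ALL : deny
ALL : ALL : allow'

# The "allow everything" line left at the top swallows every request,
# which is the trap Steve's comment in the file warns about.
RULES_ALLOW_FIRST='ALL : ALL : allow
sendmail : ALL : deny'

# match_one PATTERN VALUE: 0 if one pattern matches VALUE.
# ALL matches anything; a pattern ending in "." is a network prefix.
match_one() {
    case "$1" in
        ALL|all) return 0 ;;
        *.) case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        *) [ "$1" = "$2" ] ;;
    esac
}

# match_field LIST VALUE: 0 if any blank-separated pattern in LIST
# matches; a pattern starting with "/" names a file of patterns.
match_field() {
    for pat in $1; do
        case "$pat" in
            /*) if [ -r "$pat" ]; then
                    while IFS= read -r p; do
                        match_one "$p" "$2" && return 0
                    done < "$pat"
                fi ;;
            *)  match_one "$pat" "$2" && return 0 ;;
        esac
    done
    return 1
}

# hosts_access DAEMON CLIENT RULES: print the action of the first rule
# whose daemon and client fields both match. With no matching rule the
# wrapper's default is to allow, so that is printed at the end.
hosts_access() {
    daemon=$1; client=$2; rules=$3
    while IFS= read -r line; do
        case "$line" in ''|"#"*) continue ;; esac
        # split on ":"; later unquoted expansion trims the blanks
        IFS=:; set -- $line; unset IFS
        if match_field "$1" "$daemon" && match_field "$2" "$client"; then
            printf '%s\n' $3
            return 0
        fi
    done <<EOF
$rules
EOF
    echo allow
}

# demo_evil_file CLIENT: build a constructed deny-list file (the role
# /etc/hosts.evil plays above) and evaluate an sshd rule that names it.
demo_evil_file() {
    f=$(mktemp) || return 1
    printf '203.0.113.\n192.0.2.44\n' > "$f"
    hosts_access sshd "$1" "sshd : $f : deny
ALL : ALL : allow"
    rm -f "$f"
}

# Stand-alone run: show what each ordering does for a remote client.
for set_name in RULES_DENY_FIRST RULES_LOCAL_ONLY RULES_ALLOW_FIRST; do
    eval "rules=\$$set_name"
    echo "$set_name: sendmail from 203.0.113.7 -> $(hosts_access sendmail 203.0.113.7 "$rules")"
done
```

On a real host the same question is answered from the real files by tcpdmatch(8), e.g. `tcpdmatch sendmail 203.0.113.7`, and tcpdchk(8) reports syntax problems in them; both ship with tcp_wrappers. In the inetd layout the reply describes, the inetd.conf entry names the wrapper as the server and the real daemon as its argument; a constructed line of that shape is `smtp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sendmail -bs` (paths assumed; `-bs` is sendmail's documented mode for running an SMTP session on its standard input).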