[3303] in RedHat Linux List
Re: Protecting sendmail?
daemon@ATHENA.MIT.EDU (Eric Smith)
Thu Nov 7 22:03:41 1996
Date: 8 Nov 1996 03:40:11 -0000
From: Eric Smith <eric@brouhaha.com>
To: James Fidell <james@corp.netcom.net.uk>,
Vlad Petersen <vladimip@iceonline.com>,
Marcelo Dantas <marcelo@antares.com.br>
CC: redhat-list@redhat.com
In-reply-to: <199611072353.XAA09273@corp.netcom.net.uk> (message from James
Fidell on Thu, 7 Nov 1996 23:53:50 +0000 (GMT))
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
I tried fairly hard to get the attributions right in the foolowing, but I
apologize in advance for any errors.
Marcelo Dantas <marcelo@antares.com.br> wrote:
> Is there any configuration that can be made to sendmail so it
> will only accept connection from machines that belongs to my
> domain.
James Fidell <james@corp.netcom.net.uk> replied:
> I think it's probably a good idea for an ISP. I wouldn't necessarily
> want people using just any machine as a mail-relay -- some won't
> handle the load, others don't have the disk space to cope with failed
> messages or might result in reducing the disk space available for other
> applications and others masquerade in ways that will do strange things
> to outgoing e-mail addresses.
The best way to prevent unauthorized mail relaying through your hosts
is to switch from sendmail to qmail:
http://www.qmail.org
Qmail is more efficient that sendmail, and easier to configure. It only
took me three hours to unpack qmail, read the documentation, build and
install it, and set up two virtual domains. I was *never* able to get a
comparable configuration working with sendmail, despite 20 to 30 hours of
messing with it. And since qmail has a much simpler design and runs very
little stuff as root, it is much more secure.
Qmail configuration files are simple text files containing lists. There are
no complicated control languages or rules. A minimal setup only needs a
single config file /var/qmail/me containing the FQDN of the host.
There is an optional file /var/qmail/rcpthosts in which you can place a list
of hosts for which you will accept mail. Any attempt to use your server to
relay mail to hosts not in that list will be rejected by qmail's SMTP daemon.
Your machine won't even have to generate a bounce message.
Vlad Petersen <vladimip@iceonline.com> wrote:
> I guess you can prevent outside world from connecting
> to your smtp in /etc/hosts.allow and /etc/hosts.deny
> somehow, but in this case, no one will be able to send
> email to you either.
James Fidell <james@corp.netcom.net.uk> replied:
> And it means started sendmail from inetd. I'd not be keen to
> do that.
Qmail normally works this way. But then, qmail is so much more efficient
that sendmail that it can afford to.
Note that if you want one machine in your domain to act as an outgoing
relay host, you should set it up to accept email only from your internal
machines (using tcpd, /etc/hosts.{allow,deny}, or the like), but without
a /var/qmail/rcpthosts so that it will accept mail destined for any host.
Marcelo Dantas <marcelo@antares.com.br> wrote:
> The problem is that anyone, from anywhere, can log to it and
> generate a "fake mail".
James Fidell <james@corp.netcom.net.uk> replied:
> That's probably a case for better logging rather than preventing
> access.
No, preventing it (where possible) is clearly preferrable. If your SMTP
daemon won't allow unauthorized relaying, people will only be able to
forge email to your domain, which is annoying but won't cause system
administrators (and users) from other sites to complain to you because
they think bogus mail came from your site.
James Fidell <james@corp.netcom.net.uk> replied:
> I'm considering turning off incoming sendmail altogether on a number
> of our machines...
Just have a single machine that runs qmail and will accept connections from
the outside world, set its rcpthosts to only include your domain, and put
MX records in your DNS database for all your hosts pointing to the mail host.
You can configure qmail on that host to either deliver locally or via SMTP
to your internal hosts as you prefer.
On your internal hosts, prevent them from accepting mail from any host but
the mail host.
Cheers,
Eric
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
________________________________________________________________________
http://www.redhat.com/RedHat-FAQ http://www.redhat.com/RedHat-Errata
http://www.redhat.com/RedHat-Tips http://www.redhat.com/mailing-lists
------------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe redhat-list-request@redhat.com < /dev/null
