Does it accept incoming mail though (bounces, etc.)?  If so, you don't want
to use ipchains.  If bounces go somewhere else and the box doesn't receive
incoming mail, you need 2 ipchains lines.  One to allow your majordomo box
to talk to it, and one to allow packets that are not TCP SYN packets
(otherwise, it won't be able to communicate with other mail servers when
sending mail).  

If you use kernel 2.4, you should be able to use iptables with only the
first line allowing your majordomo host; 2.4 has stateful firewalling, so
you shouldn't need to worry about the second line (which is a hack to make a
stupid packet filter act like a firewall and isn't nearly as secure as a
true stateful firewall).

Otherwise, you could switch to a more secure smtp server like qmail or
postfix.  There's no way in hell I will ever run sendmail again, it's like
inviting people into your system.  I suggest postfix, it's easy to set up,
and it's designed around security.  Qmail works well too, but it's kind of a
beeyotch to set up, but it's very very fast.

jay

> -----Original Message-----
> From: mjn [mailto:mjn at umn.edu]
> Sent: Tuesday, February 27, 2001 9:56 AM
> To: Twirling Pickles of Death
> Subject: [TCLUG] Re: Sendmail Security...
> 
> 
> My understanding of the access_db feature is it is for selective denial of
> SMTP relaying and not necessarily for denying access to SMTP (delivery)
> for all but a select one or two...perhaps I am wrong in that perception.
> 
> Since I am not really relaying any mail, nor do I plan on it, I don't
> think this is quite the fix I am looking for (again, I may be totally
> wrong in my understanding of access_db).  While it is a nice feature for
> blocking unsolicited spammers, it does not perform quite the way I'd like.
> 
> I'd like to deny SMTP connects from all but the mail gateway.  The way
> we have things set up is something like this:
> 
> - Novell Groupwise 5.5 with internet aliases for all of our majordomo
>   lists and majordomo itself.
> 
> - The majordomo box is set up with masquerade_as and an MX entry
>   of the Groupwise box
> 
> So all mail to majordomo should come from that one host.  My thinking is
> that limiting SMTP access with ipchains or wrappers would provide another
> level of assurance and eliminate any chance that box gets used for ill.
> 
> I have access_db enabled in my current sendmail.cf and, given the
> allowable syntax for entries, there is no (simple?) way to accomplish this.
> 
> If I were to enable wrapper support, would that limit my delivery
> capability as well or will sendmail be free to connect to whomever it
> chooses and only limit who connects to it?
> 
> Hope that makes sense...thanks again
> 
> ____________________________
> Mike Neuharth
> ADCS Technology Specialist
> http://www.umn.edu/adcs
> 
> E-Mail          : mjn at umn.edu
> Page Mail       : 6126486512 at page.metrocall.com
> http://supermonkeycollider.dyndns.org/
> ____________________________
> 
> 
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
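The two rule sets jay describes, written out as an added example (this is not code from the thread or from either poster): the ipchains version with its "not a SYN" hack, and the iptables version where connection tracking replaces that hack. The GATEWAY and APPLY knobs and the 192.0.2.10 address are assumptions of the example, not values from the list.

```shell
#!/bin/sh
# Added example (not from the list thread): emit the two firewall variants jay
# describes for an SMTP box that should accept mail from a single gateway.
# GATEWAY and APPLY are assumed knobs; the address is a constructed example.
# With APPLY=1 (as root) the rules are executed; otherwise they are printed
# so the ruleset can be reviewed or diffed before it touches the live kernel.
GATEWAY="${GATEWAY:-192.0.2.10}"

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# 2.2 kernel, ipchains (stateless). First matching rule wins, so order matters.
ipchains_smtp_rules() {
    # 1. the gateway may open SMTP connections to this box
    run ipchains -A input -p tcp -s "$GATEWAY" -d 0.0.0.0/0 25 -j ACCEPT
    # 2. the "hack": accept every TCP segment that is not a SYN, so replies to
    #    connections this box opened (outgoing mail) get through. ipchains keeps
    #    no connection table, so this also admits unsolicited non-SYN segments,
    #    which is why it is weaker than real state tracking.
    run ipchains -A input -p tcp ! -y -j ACCEPT
    # 3. any other connection attempt to port 25 is logged (-l) and dropped
    run ipchains -A input -p tcp -d 0.0.0.0/0 25 -l -j DENY
}

# 2.4 kernel, iptables with connection tracking.
iptables_smtp_rules() {
    # replies to connections this box initiated are matched from the state
    # table; this single rule replaces the "! -y" hack above
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # only the gateway may open a new SMTP connection
    run iptables -A INPUT -p tcp -s "$GATEWAY" --dport 25 -m state --state NEW -j ACCEPT
    # everything else aimed at port 25 is logged, then dropped
    run iptables -A INPUT -p tcp --dport 25 -j LOG --log-prefix "smtp-denied: "
    run iptables -A INPUT -p tcp --dport 25 -j DROP
}

case "${1:-}" in
    ipchains) ipchains_smtp_rules ;;
    iptables) iptables_smtp_rules ;;
esac
```

Saved as, say, smtp-rules.sh (an assumed name), `sh smtp-rules.sh iptables` prints the rules and `APPLY=1 sh smtp-rules.sh iptables` installs them; the printed form is also what to check against the box's actual policy before relying on it.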