[CentOS] Firewalling SMTP
Ross S. W. Walker
rwalker at medallion.com
Mon Jan 15 00:42:38 UTC 2007
> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of John Summerfield
> Sent: Sunday, January 14, 2007 7:19 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Firewalling SMTP
>
> Ross S. W. Walker wrote:
>
> > If you have interfaces on the public Internet, then by all means
> > firewall them, if you need to allow SMTP traffic over those public
> > interfaces then allow port 25 from any host to localhost and use
Ok, Ok, Ok, when I said localhost I didn't mean 127.0.0.1, I meant the
local IP for that interface. I just didn't feel like typing the local IP
for that interface, so yes, I am guilty of laziness. I always say
loopback when I refer to 127.0.0.1, as localhost is really just some
name somebody made up a while ago so there'd be an entry in hosts.
> No machine except yourself can talk to _your_ localhost because (almost)
> everyone has their own localhost interface, and any attempt to talk to
> localhost on another machine will fail, even if you set up your own to
> do without localhost, because everyone's routing tables won't send the
> traffic anywhere useful.
>
> If you don't mean the interface (lo on linux) with ip address 127.0.0.1
> (and hostname localhost), then don't use the name localhost.
>
> > sendmail's access controls (/etc/mail/access) to determine who can send
> > mail locally, relay mail etc. It's easier to control SMTP access within
> > the SMTP application than through the firewall, which handles traffic
> > at a lower level.
>
> years ago when I used sendmail, I found myself perpetually confused
> about the sendmail access rules (and mail in general) and could never
> get rules that worked. Possibly, part of the problem then was I'd not
> learned to not trust any information provided by those trying to send
> mail to me. For example:
>
> I've just had a mishap with my mail service, I ran out of disk space and
> caused lots of mail errors. Some of the mail I couldn't accept came from
> hosts that introduced themselves:
> ehlo friend
>
> or
> ehlo mail.home.intern
>
> Obviously lies, so I tightened my postfix rules to reject incomplete
> hostnames (friend) and unknown hosts (mail.home.intern).
>
> When I was fiddling with sendmail's access rules, I was looking at
> blocking email addresses, "from" domains, subjects & such. Absolutely
> useless, of course, on my small scale.
Of course, IP addresses are the preferred method to securely identify a
host or block of hosts. Hostnames are always forged these days.
-Ross
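The thread makes two points worth seeing together: trust is anchored on the client's IP address (firewall rules or an access list), and anything the client says about itself in EHLO/HELO is untrusted and only checked afterwards. The following is an added example, not code from either poster or from sendmail/Postfix. It models the order in which Postfix evaluates a smtpd_helo_restrictions line such as "permit_mynetworks, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname", using the two HELO strings quoted above as inputs. The network list, the DNS table and the session lines are constructed so it runs offline; the "unknown" check here only consults A records, whereas Postfix also accepts a name with an MX record, and the syntax check is folded into the FQDN check rather than being a separate reject_invalid_helo_hostname step.

```python
import ipaddress
import re

# Added example, not part of the original thread. It mirrors the order
# in which Postfix applies
#   permit_mynetworks, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
# DNS is replaced by a constructed dictionary so the example runs offline.

# Client networks trusted by IP address (Postfix: mynetworks). Constructed values.
MYNETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Constructed stand-in for DNS: hostname -> A records; absence means NXDOMAIN.
FAKE_DNS = {
    "mail.example.com": ["203.0.113.10"],
    "mx1.example.net": ["198.51.100.5"],
}

# One DNS label: alphanumeric, hyphens allowed inside, 1-63 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_address_literal(helo):
    """True for RFC 5321 address literals such as [203.0.113.10]."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    try:
        ipaddress.ip_address(helo[1:-1])
        return True
    except ValueError:
        return False


def is_fqdn(helo):
    """Fully-qualified form: two or more syntactically valid labels.
    Bad label syntax is treated as non-FQDN here for brevity; Postfix
    has a separate reject_invalid_helo_hostname for that."""
    if len(helo) > 253:
        return False
    labels = helo.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lbl) for lbl in labels)


def check_helo(client_ip, helo, resolver=FAKE_DNS):
    """Decide one EHLO/HELO; the first matching check wins:
    PERMIT (trusted by IP), REJECT-NON-FQDN, REJECT-UNKNOWN, or DUNNO
    (no objection at this stage; later restrictions decide)."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in MYNETWORKS):
        return "PERMIT"               # permit_mynetworks: the IP decides, not the name
    if is_address_literal(helo):
        return "DUNNO"                # an address literal is acceptable FQDN form
    if not is_fqdn(helo):
        return "REJECT-NON-FQDN"      # e.g. "ehlo friend"
    if not resolver.get(helo.rstrip(".").lower()):
        return "REJECT-UNKNOWN"       # e.g. "ehlo mail.home.intern": no A record
    return "DUNNO"


# Constructed session lines in the form "client-ip HELO-argument".
SAMPLE_SESSIONS = [
    "192.168.1.20 friend",
    "203.0.113.77 friend",
    "203.0.113.77 mail.home.intern",
    "203.0.113.77 mail.example.com",
    "203.0.113.77 [203.0.113.77]",
    "203.0.113.77 bad_host.example.com",
]


def run_samples(lines=SAMPLE_SESSIONS):
    """Evaluate each sample session and return {line: decision}."""
    results = {}
    for line in lines:
        ip, helo = line.split(maxsplit=1)
        results[line] = check_helo(ip, helo)
    return results


if __name__ == "__main__":
    for line, decision in run_samples().items():
        print(f"{decision:16s} {line}")
```

Note that the first sample is permitted despite the bogus "friend" greeting, which is the point of putting the IP-based rule first: a host on a trusted network is identified by its address, and the hostname checks only ever run for clients that were not already admitted by IP.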