[CentOS] Sendmail, localloop, and iptables -- should I be more paranoid?

Les Mikesell lesmikesell at gmail.com
Mon Nov 22 17:05:32 UTC 2010


On 11/22/2010 10:06 AM, Robert Moskowitz wrote:
>
>>>
>>> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>>>
>>> But by default to allow sendmail to even work the iptables entry is:
>>>
>>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
>>> ACCEPT
>>>
>>> Without this, sendmail can't even connect to localloop. But should I
>>> hand-edit this line to something like:
>>>
>>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1
>>> --dport 25 -j ACCEPT
>>>
>>> And once you hand-edit iptables, you can't use the gnome firewall applet,
>>> I suspect...
>> Every security decision has its own tradeoffs, so first you need to
>> consider what you are trying to protect against. If you don't have a
>> program listening on a port, it doesn't matter whether it is explicitly
>> firewalled or not. A program needs root access to listen on ports below
>> 1024 - and anyone with root access can change the iptables settings
>> too...
>
> Ah, there is the combination I missed. I was concerned about sendmail
> doing what I thought it was supposed to do: only listen on loopback. If
> something could change that behaviour, it could also change any iptables
> settings.
>
> I have 25 blocked on the firewall anyway. But just looking at the i(s)
> and t(s). (while trying not to stuff more angels on the pinhead or some
> such metaphor).

Yes, it is always better to deny anything questionable - and to block at 
your border router(s) too, but realistically if someone can get that far 
you are fried anyway.  Also, even if sendmail does accept remote 
connections, it won't relay for them without additional changes to the 
config.

-- 
   Les Mikesell
    lesmikesell at gmail.com
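As an added example (not part of the list thread), here is the check a defender would actually run to confirm the premise of this exchange: that the MTA is bound only to the loopback address, and that the port-25 ACCEPT rule is restricted to the loopback interface. It assumes the column layout of `ss -ltn` output (field 4 is `Local Address:Port`) and the `RH-Firewall-1-INPUT` chain name quoted above; the two socket listings embedded in it are constructed samples, and `-i lo` is my loopback-interface variant of the `-d 127.0.0.1` rule Robert proposed.

```shell
#!/bin/sh
# Added example: verify an SMTP listener is loopback-only and print a
# loopback-restricted iptables ACCEPT rule. Not code from the CentOS thread.

# Constructed sample of `ss -ltn` output: MTA bound to 127.0.0.1 only.
SAMPLE_SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      10     127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Constructed sample: sendmail rebound to all interfaces (the case to detect).
SAMPLE_SS_ALL='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      10     0.0.0.0:25         0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# smtp_loopback_only LISTING [PORT]
# Returns 0 if every LISTEN socket on PORT is bound to 127.0.0.1 or ::1,
# 1 if any is bound to a wildcard or interface address, 2 if nothing listens.
smtp_loopback_only() {
    listing=$1
    port=${2:-25}
    found=0
    bad=0
    # Field 4 of each `ss -ltn` line is Local Address:Port.
    while read -r state recvq sendq local rest; do
        [ "$state" = "LISTEN" ] || continue
        addr=${local%:*}       # strip the trailing :port
        p=${local##*:}         # keep only the port
        [ "$p" = "$port" ] || continue
        found=1
        case "$addr" in
            127.0.0.1|::1|\[::1\]) ;;   # loopback, acceptable
            *) bad=1 ;;                  # anything else is exposed
        esac
    done <<EOF
$listing
EOF
    [ "$found" -eq 1 ] || return 2
    [ "$bad" -eq 0 ]
}

# loopback_rule [PORT]: the ACCEPT rule limited to the loopback interface,
# so port 25 is never opened on a real NIC even if the daemon is rebound.
# Assumes the RH-Firewall-1-INPUT chain used by the CentOS firewall tooling.
loopback_rule() {
    printf '%s\n' "-A RH-Firewall-1-INPUT -i lo -m state --state NEW -m tcp -p tcp --dport ${1:-25} -j ACCEPT"
}

main() {
    if smtp_loopback_only "$SAMPLE_SS_LOOPBACK" 25; then
        echo "sample 1: port 25 is bound to loopback only"
    fi
    if ! smtp_loopback_only "$SAMPLE_SS_ALL" 25; then
        echo "sample 2: port 25 is reachable on a non-loopback address"
    fi
    echo "loopback-only rule:"
    loopback_rule 25
    # Live check on a Linux host:  smtp_loopback_only "$(ss -ltn)" 25
}

main "$@"
```

Running the live check after every sendmail.mc change catches the failure mode the thread worries about (the `Addr=127.0.0.1` option being dropped or edited), and the `-i lo` rule means the firewall no longer depends on that option being right.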
