-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of John Summerfield Sent: Sunday, January 14, 2007 5:21 PM To: CentOS mailing list Subject: Re: [CentOS] Firewalling SMTP
Denis Croombs wrote:
I have a Centos server and I want to only accept mail for
the local users
from 3 mail servers, but I still want the users to be able
to send emails
through this server, If I firewall the SMTP port to my 3
mail servers is
there any way users will be able to still send via the main
POP server ?
(currently using Sendmails SMTP-Auth)
sending mail is not a standard POP feature, and it's not what sendmail uses.
Your choices for limiting access to sendmail include:
- Limiting the addresses it listens to. You don't want it
listening to public IP addresses. 2. Using /etc/hosts.{allow,deny} to control what addresses sendmail accepts connexions from. 3. Using an external firewall to control who can connect to your mail server. This is appropriate, for example, when you use ADSL and have a "hardware" router manage your internet connexion. You can also choose to use a PC in this role (I do it with an HP Vectra Pentium II running Debian and Shorewall). 4. Using netfilter on your mail server as above. See www.netfilter.org and "man iptables." 5. Sendmail (probably) has its own additional means of controlling who can connect: I use Postfix, and for certain and sure Postfix has.
Note that smtp-auth controls (effectively) people, without regard for where they actually are on the Internet. If I kbow an account name and password for your system, I can use your servers from here in Western Australia unless use use one of the options above.
None of the options above has any implications for people sending email through your mail service provided that they are physically attached to some place you've authoriseed as above.
If you have interfaces on the public Internet, then by all means firewall them, if you need to allow SMTP traffic over those public interfaces then allow port 25 from any host to localhost and use sendmail's access controls (/etc/mail/access) to determine who can send mail locally, relay mail etc. It's easier to control SMTP access within SMTP application then through firewall which handles traffic at a lower level.
-Ross
______________________________________________________________________ This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.