-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of John Summerfield Sent: Sunday, January 14, 2007 7:19 PM To: CentOS mailing list Subject: Re: [CentOS] Firewalling SMTP
Ross S. W. Walker wrote:
If you have interfaces on the public Internet, then by all means firewall them, if you need to allow SMTP traffic over those public interfaces then allow port 25 from any host to localhost and use
Ok, Ok, Ok, when I said localhost I didn't mean 127.0.0.1, I meant the local IP for that interface. I just didn't feel like typing the local IP for that interface, so yes I am guilty of laziness, I always say loopback when I refer to 127.0.0.1, as localhost is really just some name somebody made up a while ago so there'd be an entry in hosts.
Nomachine except yourself can talk to _your_ localhost because (almost) everyone has their own localhost interface, and any attempt to talk to localhost on another machine will fail, even if you set up your own to do without localhost, because everyone's routing tables won't send the traffic anywhere useful.
If you don't mean the interface (lo on linux) with ip address 127.0.0.1 (and hostname localhost), then don't use the name localhost.
sendmail's access controls (/etc/mail/access) to determine
who can send
mail locally, relay mail etc. It's easier to control SMTP
access within
SMTP application then through firewall which handles
traffic at a lower
level.
years ago when I used sendmail, I found myself perpetually confused about the sendmail access rules (and mail in general) and could never get rules that worked. Possibly, part of the problem then was I'd not learned to not trust any information provided by those trying to send mail to me. For example:
I've just had a mishap with my mail service, I ran out of disk space and caused lots of mail errors. Some of the mail I couldn't accept came from hosts that introduced themselves: ehlo friend
or ehlo mail.home.intern
Obviously lies, so I tightened my postfix rules to reject incomplete hostnames (friend) and unknown hosts (mail.home.intern).
When I was fiddling with sendmail's access rules, I was looking at blocking email addresses, "from" domains, subjects & such. Absolutely useless, of course, on my small scale.
Of course IP addresses are the preferred method to securely identify a host or block of hosts. Hostnames are always forged these days.
-Ross
______________________________________________________________________ This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.