[CentOS] Firewalling SMTP

Mon Jan 15 00:18:34 UTC 2007
John Summerfield <debian at herakles.homelinux.org>

Ross S. W. Walker wrote:

> If you have interfaces on the public Internet, then by all means
> firewall them, if you need to allow SMTP traffic over those public
> interfaces then allow port 25 from any host to localhost and use

Nomachine except yourself can talk to _your_ localhost because (almost) 
everyone has their own localhost interface, and any attempt to talk to 
localhost on another machine will fail, even if you set up your own to 
do without localhost, because everyone's routing tables won't send the 
traffic anywhere useful.

If you don't mean the interface (lo on linux) with ip address 127.0.0.1 
(and hostname localhost), then don't use the name localhost.

> sendmail's access controls (/etc/mail/access) to determine who can send
> mail locally, relay mail etc. It's easier to control SMTP access within
> SMTP application then through firewall which handles traffic at a lower
> level.

years ago when I used sendmail, I found myself perpetually confused 
about the sendmail access rules (and mail in general) and could never 
get rules that worked. Possibly, part of the problem then was I'd not 
learned to not trust any information provided by those trying to send 
mail to me. For example:

I've just had a mishap with my mail service, I ran out of disk space and 
caused lots of mail errors. Some of the mail I couldn't accept came from 
hosts that introduced themselves:
ehlo friend

or
ehlo mail.home.intern

Obviously lies, so I tightened my postfix rules to reject incomplete 
hostnames (friend) and unknown hosts (mail.home.intern).

When I was fiddling with sendmail's access rules, I was looking at 
blocking email addresses, "from" domains, subjects & such. Absolutely 
useless, of course, on my small scale.



-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu

Please do not reply off-list