[CentOS] Firewalling SMTP

Sun Jan 14 22:33:36 UTC 2007
Ross S. W. Walker <rwalker at medallion.com>

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of John Summerfield
> Sent: Sunday, January 14, 2007 5:21 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Firewalling SMTP
> 
> Denis Croombs wrote:
> > I have a Centos server and I want to only accept mail for the local users
> > from 3 mail servers, but I still want the users to be able to send emails
> > through this server, If I firewall the SMTP port to my 3 mail servers is
> > there any way users will be able to still send via the main POP server ?
> > (currently using Sendmails SMTP-Auth)
> 
> sending mail is not a standard POP feature, and it's not what
> sendmail uses.
> 
> Your choices for limiting access to sendmail include:
> 1. Limiting the addresses it listens to. You don't want it listening to
> public IP addresses.
> 2. Using /etc/hosts.{allow,deny} to control what addresses sendmail
> accepts connexions from.
> 3. Using an external firewall to control who can connect to your mail
> server. This is appropriate, for example, when you use ADSL and have a
> "hardware" router manage your internet connexion. You can also choose to
> use a PC in this role (I do it with an HP Vectra Pentium II running
> Debian and Shorewall).
> 4. Using netfilter on your mail server as above. See www.netfilter.org
> and "man iptables."
> 5. Sendmail (probably) has its own additional means of controlling who
> can connect: I use Postfix, and for certain and sure Postfix has.
> 
> Note that smtp-auth controls (effectively) people, without regard for
> where they actually are on the Internet. If I know an account name and
> password for your system, I can use your servers from here in Western
> Australia unless you use one of the options above.
> 
> None of the options above has any implications for people sending email
> through your mail service provided that they are physically attached to
> some place you've authorised as above.
> 

If you have interfaces on the public Internet, then by all means
firewall them. If you need to allow SMTP traffic over those public
interfaces, then allow port 25 from any host to localhost and use
sendmail's access controls (/etc/mail/access) to determine who can send
mail locally, relay mail, etc. It's easier to control SMTP access within
the SMTP application than through a firewall, which handles traffic at a
lower level.

-Ross
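Options 2 and 4 from John's list, written out for Denis's three-server case. This is an added example, not something posted in the thread; the peer addresses are constructed documentation addresses, and the script prints the rules and hosts.allow lines for review instead of applying them.

```shell
#!/bin/sh
# Constructed example: the three inbound mail servers (RFC 5737
# documentation addresses), not addresses from the thread.
MX_PEERS="192.0.2.10 192.0.2.11 198.51.100.5"

# Option 4: netfilter on the mail server itself. Emits the iptables
# commands so they can be checked before being run as root.
smtp_iptables_rules() {
    for peer in $MX_PEERS; do
        echo "iptables -A INPUT -p tcp --dport 25 -s $peer -j ACCEPT"
    done
    # Everything else on TCP/25 is dropped. That includes SMTP-AUTH users
    # connecting from anywhere other than the three peers, which is the
    # trade-off the thread is about.
    echo "iptables -A INPUT -p tcp --dport 25 -j DROP"
}

# Option 2: tcp_wrappers. Sendmail on CentOS honours /etc/hosts.allow and
# /etc/hosts.deny under the daemon name "sendmail". Same trade-off as above:
# anyone outside the peer list is refused before SMTP-AUTH can happen.
smtp_hosts_allow() {
    peers=$(printf '%s' "$MX_PEERS" | sed 's/ /, /g')
    echo "sendmail: $peers : ALLOW"
    echo "sendmail: ALL : DENY"
}

echo "# netfilter rules (option 4):"
smtp_iptables_rules
echo "# /etc/hosts.allow (option 2):"
smtp_hosts_allow
```

Ross's alternative leaves TCP/25 open and moves the decision into /etc/mail/access, which is what keeps authenticated users working from arbitrary addresses.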
