[CentOS] Firewalling SMTP

Mon Jan 15 00:42:38 UTC 2007
Ross S. W. Walker <rwalker at medallion.com>

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of John Summerfield
> Sent: Sunday, January 14, 2007 7:19 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Firewalling SMTP
> 
> Ross S. W. Walker wrote:
> 
> > If you have interfaces on the public Internet, then by all means
> > firewall them, if you need to allow SMTP traffic over those public
> > interfaces then allow port 25 from any host to localhost and use


Ok, Ok, Ok, when I said localhost I didn't mean 127.0.0.1, I meant the
local IP for that interface. I just didn't feel like typing the local IP
for that interface, so yes I am guilty of laziness, I always say
loopback when I refer to 127.0.0.1, as localhost is really just some
name somebody made up a while ago so there'd be an entry in hosts.

> No machine except yourself can talk to _your_ localhost 
> because (almost) 
> everyone has their own localhost interface, and any attempt 
> to talk to 
> localhost on another machine will fail, even if you set up 
> your own to 
> do without localhost, because everyone's routing tables won't 
> send the 
> traffic anywhere useful.
> 
> If you don't mean the interface (lo on linux) with IP address 
> 127.0.0.1 
> (and hostname localhost), then don't use the name localhost.
> 
> > sendmail's access controls (/etc/mail/access) to determine 
> who can send
> > mail locally, relay mail etc. It's easier to control SMTP 
> access within
> > SMTP application then through firewall which handles 
> traffic at a lower
> > level.
> 
> Years ago when I used sendmail, I found myself perpetually confused 
> about the sendmail access rules (and mail in general) and could never 
> get rules that worked. Possibly, part of the problem then was I'd not 
> learned to not trust any information provided by those trying to send 
> mail to me. For example:
> 
> I've just had a mishap with my mail service, I ran out of 
> disk space and 
> caused lots of mail errors. Some of the mail I couldn't 
> accept came from 
> hosts that introduced themselves:
> ehlo friend
> 
> or
> ehlo mail.home.intern
> 
> Obviously lies, so I tightened my postfix rules to reject incomplete 
> hostnames (friend) and unknown hosts (mail.home.intern).
> 
> When I was fiddling with sendmail's access rules, I was looking at 
> blocking email addresses, "from" domains, subjects & such. Absolutely 
> useless, of course, on my small scale.

Of course IP addresses are the preferred method to securely identify a
host or block of hosts. Hostnames are always forged these days.

-Ross
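As an added illustration (not configuration from either poster), here is what the two approaches discussed in this thread look like in Postfix: the HELO checks John describes, which reject an incomplete name like "friend" and an unresolvable one like "mail.home.intern", alongside the address-based controls Ross prefers. The directive names are the Postfix 2.3+ spellings; the network ranges and the map path /etc/postfix/client_access are constructed placeholders.

```text
# --- /etc/postfix/main.cf (fragment) ---

# Default is "no", which lets a client skip HELO/EHLO entirely and
# makes the HELO checks below moot.
smtpd_helo_required = yes

# Hosts allowed to relay, identified by address, not by hostname.
mynetworks = 127.0.0.0/8, 192.168.1.0/24

# Checks on the name the client announces in HELO/EHLO:
#   reject_non_fqdn_helo_hostname  -> "ehlo friend" (no domain part)
#   reject_invalid_helo_hostname   -> syntactically bad names
#   reject_unknown_helo_hostname   -> "ehlo mail.home.intern" (no A/MX)
# The last one depends on DNS; wrap it in warn_if_reject first so a
# resolver outage or a sloppy but legitimate sender only logs.
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    warn_if_reject reject_unknown_helo_hostname,
    permit

# Address-based policy, evaluated on the connecting IP (cannot be
# forged the way a HELO string can).
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/client_access,
    permit

# --- /etc/postfix/client_access (cidr table, placeholder ranges) ---
# 192.0.2.0/24     REJECT  blocked by source address
# 198.51.100.0/24  OK
```

Run `postfix reload` after editing, then watch the mail log for "warn: ... Helo command rejected" entries to judge the false-positive rate before dropping `warn_if_reject`.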
