> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of John Summerfield
> Sent: Sunday, January 14, 2007 7:19 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Firewalling SMTP
>
> Ross S. W. Walker wrote:
>
> > If you have interfaces on the public Internet, then by all means
> > firewall them, if you need to allow SMTP traffic over those public
> > interfaces then allow port 25 from any host to localhost and use

Ok, Ok, Ok, when I said localhost I didn't mean 127.0.0.1, I meant the local IP for that interface. I just didn't feel like typing the local IP for that interface, so yes I am guilty of laziness. I always say loopback when I refer to 127.0.0.1, as localhost is really just some name somebody made up a while ago so there'd be an entry in hosts.

> No machine except yourself can talk to _your_ localhost because (almost)
> everyone has their own localhost interface, and any attempt to talk to
> localhost on another machine will fail, even if you set up your own to
> do without localhost, because everyone's routing tables won't send the
> traffic anywhere useful.
>
> If you don't mean the interface (lo on linux) with ip address 127.0.0.1
> (and hostname localhost), then don't use the name localhost.
>
> > sendmail's access controls (/etc/mail/access) to determine who can send
> > mail locally, relay mail etc. It's easier to control SMTP access within
> > the SMTP application than through a firewall, which handles traffic at
> > a lower level.
>
> Years ago when I used sendmail, I found myself perpetually confused
> about the sendmail access rules (and mail in general) and could never
> get rules that worked. Possibly, part of the problem then was I'd not
> learned to not trust any information provided by those trying to send
> mail to me. For example:
>
> I've just had a mishap with my mail service, I ran out of disk space and
> caused lots of mail errors. Some of the mail I couldn't accept came from
> hosts that introduced themselves:
>
>     ehlo friend
>
> or
>
>     ehlo mail.home.intern
>
> Obviously lies, so I tightened my postfix rules to reject incomplete
> hostnames (friend) and unknown hosts (mail.home.intern).
>
> When I was fiddling with sendmail's access rules, I was looking at
> blocking email addresses, "from" domains, subjects & such. Absolutely
> useless, of course, on my small scale.

Of course IP addresses are the preferred method to securely identify a host or block of hosts. Hostnames are always forged these days.

-Ross
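The three controls discussed in this thread, shown together as an added example that is not part of the thread and not code from either poster: a host firewall that accepts port 25 only on the public interface's own address (not 127.0.0.1), the Postfix HELO restrictions that reject incomplete and unknown hostnames, and IP-based entries for sendmail's /etc/mail/access. The interface name eth0, the address 203.0.113.10, the peer 203.0.113.5 and the "known hosts" table standing in for DNS are all constructed; the iptables and main.cf text is emitted rather than applied so the script runs unprivileged.

```shell
#!/bin/sh
# Added example: firewall + MTA-level SMTP controls from the thread.
# Assumed values (constructed): public interface eth0 with address 203.0.113.10.

# Emit host-firewall rules that allow SMTP only to the interface's own IP.
# Loopback keeps its own rule; 127.0.0.1 is never what a remote peer reaches.
# Pipe the output into sh (as root) to apply; here it is only printed.
smtp_firewall_rules() {
    iface="$1"; addr="$2"
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -i %s -d %s -p tcp --dport 25 -j ACCEPT\n' "$iface" "$addr"
    printf 'iptables -A INPUT -i %s -p tcp --dport 25 -j DROP\n' "$iface"
}

# Constructed stand-in for DNS: HELO names that would resolve. Real Postfix
# reject_unknown_helo_hostname does an A/MX lookup instead of a list check.
KNOWN_HELO_HOSTS="mx.example.org smtp.example.net"

# Classify a HELO/EHLO argument the way the two Postfix restrictions would:
#   reject:non-fqdn  -> reject_non_fqdn_helo_hostname (no dot, not an
#                       address literal such as [203.0.113.5])
#   reject:unknown   -> reject_unknown_helo_hostname (name does not resolve)
#   accept           -> passes both checks
helo_verdict() {
    helo="$1"
    case "$helo" in
        \[*\]) echo "accept"; return 0 ;;     # address literal: RFC-valid form
        *.*)   ;;                             # has a dot: FQDN-shaped, check DNS
        *)     echo "reject:non-fqdn"; return 0 ;;
    esac
    for h in $KNOWN_HELO_HOSTS; do
        if [ "$h" = "$helo" ]; then
            echo "accept"; return 0
        fi
    done
    echo "reject:unknown"
}

# The Postfix main.cf fragment that enforces the verdicts above on real
# connections; permit_mynetworks keeps your own hosts exempt.
postfix_helo_restrictions() {
    cat <<'EOF'
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    permit
EOF
}

# sendmail equivalent keyed on IP rather than hostname, per the thread's
# closing point. Constructed entries; rebuild the map with
# `makemap hash /etc/mail/access < /etc/mail/access` after editing.
sendmail_access_entries() {
    cat <<'EOF'
Connect:127.0.0.1        RELAY
Connect:192.168.1        RELAY
Connect:203.0.113.5      REJECT
EOF
}

# Stand-alone run: show what each piece produces.
smtp_firewall_rules eth0 203.0.113.10
for name in friend mail.home.intern mx.example.org '[203.0.113.5]'; do
    printf '%-20s %s\n' "$name" "$(helo_verdict "$name")"
done
postfix_helo_restrictions
sendmail_access_entries
```

The HELO logic is deliberately the same shape as Postfix's: syntax first (cheap, no network), then resolution. Order matters in main.cf too; putting reject_unknown_helo_hostname before permit_mynetworks would bounce your own LAN hosts that announce a bare name.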