[CentOS] Sendmail, localloop, and iptables -- should I be more paranoid?

Robert Moskowitz rgm at htt-consult.com
Mon Nov 22 20:12:30 EST 2010

On 11/22/2010 05:52 PM, Alexander Dalloz wrote:
> Am 22.11.2010 16:11, schrieb Robert Moskowitz:
>> By default, sendmail only listens on the localloop:
>> DAEMON_OPTIONS(`Port=smtp,Addr=, Name=MTA')dnl
>> But by default to allow sendmail to even work the iptables entry is:
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
>> Without this, sendmail can't even connect to localloop.
> No, that is not correct. You are missing the following rule
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> in the default /etc/sysconfig/iptables config file. So there is no
> problem where you see one.

Last week I built a new CentOS 5.5 server.  I installed logwatch and ran 
logwatch to 'force' the output.  Before I did that, I had created 
/root/.forward with my email address.

Sendmail could not send the message.  I went into the gnome firewall 
applet and allowed smtp, adding the rule I showed and still nothing.  
Then I figured that the message was queued (that is what maillog said) 
and would stay there for a while, so I restarted sendmail, and the 
message went right out.

So empirical evidence strongly supports the need for this rule.
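The two claims in this exchange can be checked statically against the rule file rather than by watching the mail queue: does the chain accept loopback traffic before its catch-all REJECT, and which TCP ports are opened to every interface? The script below is an added example, not code from either poster or from CentOS; the rule sets it inspects are constructed to resemble the stock CentOS 5 /etc/sysconfig/iptables layout (not copied from a live host), and the function names `loopback_status`, `exposed_tcp_ports` and `report` are mine. It also builds a third, deliberately misordered variant in which the `-i lo` rule lands after the REJECT, since that is the one layout that would actually produce the symptom described.

```shell
#!/bin/sh
# Added example (not from the thread): static checks over an iptables-save
# style rule file.  The samples are constructed to resemble the stock
# CentOS 5 /etc/sysconfig/iptables; they were not copied from a real host.

FW_DEFAULT='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed variant: the same file after smtp has been opened on every
# interface, as the firewall applet does.
FW_SMTP_OPEN=$(printf '%s\n' "$FW_DEFAULT" | awk '
    { print }
    /--dport 22/ { print "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT" }')

# Constructed variant: the loopback ACCEPT moved below the catch-all REJECT,
# which is the only ordering that would stop sendmail talking to 127.0.0.1.
FW_LO_SHADOWED=$(printf '%s\n' "$FW_DEFAULT" | awk '
    /-i lo / { lo = $0; next }
    { print }
    /-j REJECT/ { print lo }')

# loopback_status CHAIN RULES
# Prints "ok" when CHAIN accepts -i lo before its first REJECT/DROP,
# "shadowed" when the accept exists but sits after that terminal rule,
# and "missing" when there is no loopback accept at all.
loopback_status() {
    chain="$1"
    printf '%s\n' "$2" | awk -v chain="$chain" '
        $1 == "-A" && $2 == chain {
            n++
            if ($0 ~ /-i lo / && $0 ~ /-j ACCEPT/ && !lo) lo = n
            if (($0 ~ /-j REJECT/ || $0 ~ /-j DROP/) && !rej) rej = n
        }
        END {
            if (!lo) print "missing"
            else if (rej && lo > rej) print "shadowed"
            else print "ok"
        }'
}

# exposed_tcp_ports CHAIN RULES
# Prints, space-separated and sorted, every TCP --dport that CHAIN accepts
# without an -i interface restriction, i.e. ports reachable from outside.
exposed_tcp_ports() {
    chain="$1"
    printf '%s\n' "$2" | awk -v chain="$chain" '
        $1 == "-A" && $2 == chain && /-p tcp/ && /-j ACCEPT/ && !/-i / {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# report NAME RULES: one summary line per rule set.
report() {
    chain=RH-Firewall-1-INPUT
    printf '%-12s loopback=%-8s exposed_tcp_ports=[%s]\n' "$1" \
        "$(loopback_status "$chain" "$2")" "$(exposed_tcp_ports "$chain" "$2")"
}

report default "$FW_DEFAULT"
report smtp-open "$FW_SMTP_OPEN"
report lo-shadowed "$FW_LO_SHADOWED"
```

Run against the stock layout the report shows `loopback=ok` with only port 22 exposed, which is the point made in the reply: loopback delivery needs no port-25 rule. The smtp-open variant shows what the applet change actually bought (port 25 reachable from every interface), and the shadowed variant shows the one rule-order mistake worth looking for before opening anything further.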
