I have set up entries in /etc/hosts.allow and /etc/hosts.deny as follows:

/etc/hosts.allow
sendmail : 10.0.0.0/255.0.0.0
sendmail : LOCAL

/etc/hosts.deny
sendmail : ALL

When I try to connect to port 25 from an Internet host via telnet, the server still responds as usual. The only difference I see is this in my /var/log/maillog:

Apr 24 15:41:49 server sendmail[20691]: m3OKfna20691: tcpwrappers (otherserver.example.com, xx.xx.xx.xx) rejection

How do I make tcpwrappers simply drop the connection? I would prefer to do this with TCP Wrappers, at least until we get our official IPTables firewall policy worked out.

thanks

Sean
Ignacio Vazquez-Abrams
2008-Apr-24 21:32 UTC
[CentOS] TCPWrappers + Sendmail = not working
On Thu, 2008-04-24 at 15:45 -0500, Sean Carolan wrote:
> I have set up entries in /etc/hosts.allow and /etc/hosts.deny as follows:
>
> /etc/hosts.allow
> sendmail : 10.0.0.0/255.0.0.0
> sendmail : LOCAL
>
> /etc/hosts.deny
> sendmail : ALL
>
> When I try to connect to port 25 from an Internet host via telnet, the
> server still responds as usual. The only difference I see is this in
> my /var/log/maillog:
>
> Apr 24 15:41:49 server sendmail[20691]: m3OKfna20691: tcpwrappers
> (otherserver.example.com, xx.xx.xx.xx) rejection
>
> How do I make tcpwrappers simply drop the connection? I would prefer
> to do this with TCP Wrappers, at least until we get our official
> IPTables firewall policy worked out.

$ ldd /usr/sbin/sendmail.sendmail | grep wrap
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00319000)

tcp_wrappers never sees the connection directly. sendmail handles it from start to end.

-- 
Ignacio Vazquez-Abrams <ivazqueznet at gmail.com>

PLEASE don't CC me; I'm already subscribed
> $ ldd /usr/sbin/sendmail.sendmail | grep wrap
>         libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00319000)
>
> tcp_wrappers never sees the connection directly. sendmail handles it
> from start to end.

Thanks for this info. I will set up an iptables rule to block this access.
On Thu, Apr 24, 2008 at 5:32 PM, Ignacio Vazquez-Abrams <ivazqueznet at gmail.com> wrote:
>
> $ ldd /usr/sbin/sendmail.sendmail | grep wrap
>         libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00319000)

This means that sendmail is a valid option for hosts.allow or hosts.deny as sendmail has been compiled with support for libwrap.

~Jeffrey
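
Why the telnet test in this thread still connects, shown as an added example (not code from the thread or from sendmail): a daemon that applies the access check itself, as a libwrap-linked sendmail does, can only refuse after accept() has already completed the TCP handshake. The reply strings, policy lists and function names are constructed for illustration; only the log line wording follows the maillog entry quoted above.

```python
import ipaddress
import socket
import threading

# Constructed policies: ALLOWED mirrors the 10.0.0.0/255.0.0.0 hosts.allow
# entry from the thread; LOOPBACK exists only so the demo can show the allow path.
ALLOWED = [ipaddress.ip_network("10.0.0.0/8")]
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8")]

def permitted(addr, allowed=ALLOWED):
    """In-process access check, standing in for the daemon's libwrap lookup."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allowed)

def serve_once(listener, allowed, log):
    """Accept one client, then apply the access check inside the daemon."""
    conn, peer = listener.accept()  # the TCP handshake is already complete here
    with conn:
        if permitted(peer[0], allowed):
            conn.sendall(b"220 demo ESMTP ready\r\n")  # constructed banner
        else:
            # Same shape as the maillog line in the original post.
            log.append(f"tcpwrappers ({peer[0]}) rejection")
            conn.sendall(b"554 demo ESMTP not accepting messages\r\n")

def probe(allowed):
    """Connect over loopback; return (connected, first_reply_line, log)."""
    log = []
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        listener.listen(1)
        t = threading.Thread(target=serve_once, args=(listener, allowed, log))
        t.start()
        with socket.create_connection(listener.getsockname(), timeout=5) as c:
            connected = True  # connect() succeeded before any check ran
            reply = c.makefile("rb").readline().decode().strip()
        t.join()
    return connected, reply, log

if __name__ == "__main__":
    # The client is 127.0.0.1, which is outside 10.0.0.0/8, so it is rejected,
    # yet the connection itself still opens and a reply is received.
    print(probe(ALLOWED))
    print(probe(LOOPBACK))
```

A packet filter rule, such as the iptables rule mentioned in the thread, acts before the daemon's accept(), which is why it can drop the connection outright while the in-daemon check cannot.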