sendmail on 127.0.0.1 only
 

hello all!

i want to configure sendmail on slackware 10.0 to only listen on the loopback address. right now, netstat -lpn returns (among other things):

tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 1352/sendmail: acce
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1352/sendmail: acce

i need senmail to listen on port 25 locally, but it shouldn't receive mail from outside. normally i install qmail, but this is my friend's box and he doesn't want it.

i have never understood sendmail. i've managed mail servers for 6 years, but have never used it. sendmail just makes no sense... i've done some searching on the web, but nothing i've found seems to work, such as putting DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA') in sendmail-slackware.mc and recompiling.

thanks!

-eric

almost everything i found on google related to your question pretty much sounds like this:

(from http://www.deer-run.com/~hal/sysadmin/sendmail2.html )

this sounds like it's exactly what you did... you're using sendmail 8.12.11, right (slack 10)???

maybe it's not a sendmail issue???

i'm not sure... anyways, i just wanted to contribute my two cents...

good luck...

@whysyn

Since I have no experience of mail servers and you clearly have waaaay more than me :), do you think you can explain this to me?

If you disable external listening of port 25, doesn't that mean people can't e-mail you?

If I mailed your address, wouldn't I look up your domain, then connect to your port 25, which would then e-mail it to you? Or have I got something wrong :)?

Like I said, I am completely new to this sort of thing and have done very little research, I always thought you had to allow external clients to connect to port 25 but only allow them to e-mail your domain?

If you can explain that to me, that'd be great :)

Steve

Your best solution would be to block outside traffic to your port 25 using iptables.

Even if you need customized access (in the future), iptables should be the "gatekeeper".

I did this. It was a while back so I hope I get it right.

I suspect that you are already firewalled, but want to clean up at the source, not just rely on the 'gatekeeper'?

The critical file in all this is /etc/mail/sendmail.cf but you cannot modify this file directly, you have to use m4, so make sure m4 is installed, it is currently m4-1.4.1-i486-1.

sendmail-slackware.mc will be the template which is copied to config.mc which in turn is compiled to generate a new /etc/mail/sendmail.cf!

back up /usr/share/sendmail/cf/cf/sendmail-slackware.mc

then edit it:

dnl# This is the default sendmail .mc file for Slackware. To generate
dnl# the sendmail.cf file from this (perhaps after making some changes),
dnl# use the m4 files in /usr/share/sendmail/cf like this:
dnl#
dnl# cp sendmail-slackware.mc /usr/share/sendmail/cf/config.mc
dnl# cd /usr/share/sendmail/cf
dnl# sh Build config.cf
dnl#
dnl# You may then install the resulting .cf file:
dnl# cp config.cf /etc/mail/sendmail.cf
dnl#
include(`../m4/cf.m4')
VERSIONID(`default setup for Slackware Linux')dnl
OSTYPE(`linux')dnl
dnl# These settings help protect against people verifying email addresses
dnl# at your site in order to send you email that you probably don't want:
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl# Uncomment the line below to send outgoing mail through an external server:
dnl define(`SMART_HOST',`mailserver.example.com')
dnl# No timeout for ident:
define(`confTO_IDENT', `0')dnl
dnl# Enable the line below to use smrsh to restrict what sendmail can run:
dnl FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
dnl# See the README in /usr/share/sendmail/cf for a ton of information on
dnl# how these options work:
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
dnl# Toby starts here
dnl Don't create a default MSA configuration
FEATURE(`no_default_msa')dnl
dnl Limit the MSA to the loopback address
DAEMON_OPTIONS(`Name=MSA, Port=587, Addr=127.0.0.1, M=E')dnl
dnl Limit the MTA to the 127.0.0.1 interface
DAEMON_OPTIONS(`Name=MTA, Addr=127.0.0.1')dnl
dnl#Toby ends here
dnl# Turn this feature on if you don't always have DNS, or enjoy junk mail:
dnl FEATURE(`accept_unresolvable_domains')dnl
EXPOSED_USER(`root')dnl
dnl# Also accept mail for localhost.localdomain:
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl



see the new lines between dnl# Toby starts here - dnl#Toby ends here ??

now if you want you can keep an eye out for errors, open up a console and type

tail -f /var/log/maillog

then

cd /usr/share/sendmail/cf/cf
cp sendmail-slackware.mc config.mc
m4 /usr/share/sendmail/cf/m4/cf.m4 config.mc > /etc/mail/sendmail.cf


restart Sendmail with the command:

/etc/rc.d/rc.sendmail restart


if that went ok, you can do some checks:



root@darkstar:~# netstat -an | grep :25 | grep tcp
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN



or



root@darkstar:~# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dhcpcd 835 root 4u IPv4 2374 UDP *:bootpc
cupsd 2399 root 0u IPv4 4391 TCP localhost:631 (LISTEN)
sendmail 2416 root 3u IPv4 4406 TCP localhost:submission (LISTEN)
sendmail 2416 root 5u IPv4 4407 TCP localhost:smtp (LISTEN)
privoxy 2489 privoxy 3u IPv4 4619 TCP localhost:8118 (LISTEN)
privoxy 2677 privoxy 3u IPv4 4619 TCP localhost:8118 (LISTEN)
root@darkstar:~#

as you can see I did a similar mod to cups :-)



tobyl