On Behalf Of John Summerfield
Sent: Sunday, January 14, 2007 7:19 PM
To: CentOS mailing list
Subject: Re: [CentOS] Firewalling SMTP
> Ross S. W. Walker wrote:
> > If you have interfaces on the public Internet, then by all means
> > firewall them, if you need to allow SMTP traffic over those public
> > interfaces then allow port 25 from any host to localhost and use

Ok, Ok, Ok, when I said localhost I didn't mean 127.0.0.1, I meant the
local IP for that interface. I just didn't feel like typing the local IP
for that interface, so yes I am guilty of laziness, I always say
loopback when I refer to 127.0.0.1, as localhost is really just some
name somebody made up a while ago so there'd be an entry in hosts.

> No machine except yourself can talk to _your_ localhost; everyone has
> their own localhost interface, and any attempt to talk to localhost on
> another machine will fail, even if you set up your own to do without
> localhost, because everyone's routing tables won't traffic anywhere
> useful.
>
> If you don't mean the interface (lo on linux) with ip address
> (and hostname localhost), then don't use the name localhost.
>
> > sendmail's access controls (/etc/mail/access) to determine who can
> > send mail locally, relay mail etc. It's easier to control SMTP
> > SMTP application than through firewall which handles traffic at a
> > lower
>
> years ago when I used sendmail, I found myself perpetually confused
> about the sendmail access rules (and mail in general) and could never
> get rules that worked. Possibly, part of the problem then was I'd not
> learned to not trust any information provided by those trying to send
> mail to me. For example:
>
> I've just had a mishap with my mail service, I ran out of disk space
> and caused lots of mail errors. Some of the mail I couldn't accept came
> from hosts that introduced themselves:
>
> Obviously lies, so I tightened my postfix rules to reject incomplete
> hostnames (friend) and unknown hosts (mail.home.intern).
>
> When I was fiddling with sendmail's access rules, I was looking at
> blocking email addresses, "from" domains, subjects & such. Absolutely
> useless, of course, on my small scale.

Of course IP addresses are the preferred method to securely identify a
host or block of hosts. Hostnames are always forged these days.
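The two points made above, John's Postfix rule that rejects HELO names which are not fully qualified ("friend") or do not resolve ("mail.home.intern"), and Ross's reminder that the connecting IP address rather than the self-announced hostname is what you can actually trust, can be modelled offline. The Python below is an added example written for this page; it is not code from the thread, from CentOS or from Postfix. It mirrors the intent of Postfix's reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname and reject_unknown_helo_hostname checks (smtpd_helo_restrictions), but the order of checks, the in-memory table standing in for DNS, and the client IP / HELO pairs are all constructed for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed stand-in for DNS. Real Postfix asks the resolver; this table
# keeps the example offline. Only names listed here "resolve".
RESOLVABLE = {
    "mail.example.org": "192.0.2.25",
    "mx1.example.net": "198.51.100.7",
}

# One DNS label: 1-63 chars of letters, digits, hyphen; no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Syntactic check, in the spirit of reject_invalid_helo_hostname."""
    if not name or len(name) > 253:
        return False
    return all(LABEL.match(label) for label in name.rstrip(".").split("."))


def is_fqdn(name: str) -> bool:
    """A HELO argument with no dot ('friend') is not fully qualified."""
    return is_valid_hostname(name) and "." in name.rstrip(".")


def resolves(name: str) -> bool:
    """Constructed lookup replacing a real A/AAAA query."""
    return name.rstrip(".").lower() in RESOLVABLE


def check_helo(helo: str) -> Tuple[str, str]:
    """Classify a HELO/EHLO argument; returns (verdict, reason)."""
    name = helo.strip()
    # RFC 5321 allows an address literal such as [203.0.113.11]; it is not
    # a hostname, so the FQDN/DNS checks do not apply to it.
    if name.startswith("[") and name.endswith("]"):
        try:
            ipaddress.ip_address(name[1:-1])
            return ("accept", "address literal")
        except ValueError:
            return ("reject", "invalid address literal")
    if not is_valid_hostname(name):
        return ("reject", "invalid hostname syntax")
    if not is_fqdn(name):
        return ("reject", "non-FQDN hostname")
    if not resolves(name):
        return ("reject", "unknown hostname (no DNS record)")
    return ("accept", "ok")


# Constructed sample sessions: (client IP from the TCP connection, HELO argument).
# The IP is observed by the server; the HELO string is whatever the client claims.
SESSIONS = [
    ("203.0.113.9", "friend"),
    ("203.0.113.10", "mail.home.intern"),
    ("198.51.100.7", "mx1.example.net"),
    ("203.0.113.11", "[203.0.113.11]"),
    ("203.0.113.12", "-bad-.example.org"),
]


def screen(sessions: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Apply check_helo to each session, keeping the client IP alongside the
    verdict: the IP is the identifier you would block or rate-limit on."""
    return [(ip, helo) + check_helo(helo) for ip, helo in sessions]


if __name__ == "__main__":
    for ip, helo, verdict, reason in screen(SESSIONS):
        print(f"{ip:15} HELO {helo:20} -> {verdict}: {reason}")
```

Note that nothing here verifies that the HELO name belongs to the connecting IP; the checks only reject names that are malformed, incomplete or nonexistent. That is why the client IP is carried through in the output: a forged but well-formed HELO passes, and the address it came from is the part of the session the server did not take on trust.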