I have a CentOS server and I want to only accept mail for the local users
from 3 mail servers, but I still want the users to be able to send emails
through this server. If I firewall the SMTP port to my 3 mail servers, is
there any way users will be able to still send via the main POP server?
(currently using Sendmail's SMTP-Auth)

Thanks

Denis


  • Don Knott at Jan 14, 2007 at 2:08 pm
    Hello-

    If you firewall smtp to only accept connections from your 3 internal hosts,
    you won't get any inbound email from outside since external hosts can't
    reach the smtp server. Outbound mail will work OK from that server or the 3
    firewall-allowed internal hosts.

    POP is for retrieving email from the server.

    If your goal is to have the CentOS box serve as a mail gateway for inbound &
    outbound email, you'd use /etc/mail/access to control how sendmail handles
    connections from hosts. In that file you'd give your 3 internal hosts
    permission to relay mail through that server.
  • Mike Kercher at Jan 14, 2007 at 4:31 pm

    I would set up SMTP-Auth and have sendmail ALSO listen on port 587 for
    users to relay their mail. An external mail server would not attempt
    to deliver mail to a port other than 25. I'd use iptables to drop all
    connections to port 25 except for the 3 external hosts you
    want... problem solved.

    Mike
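Mike's port 25 / port 587 split together with the /etc/mail/access relay entries Don mentions, written out as an added example (this is not code from the thread). The three peer addresses and the SMTP-IN chain name are placeholders I chose; the script only prints the commands unless APPLY=1 is set, and it assumes sendmail is also configured to listen on the submission port (the MSA DAEMON_OPTIONS line in sendmail.mc).

```shell
#!/bin/sh
# Constructed example: inbound SMTP (port 25) only from three peer mail
# servers, submission (port 587, SMTP AUTH) open to everyone, and the
# sendmail access map that lets those same peers relay.
PEERS="192.0.2.10 192.0.2.11 198.51.100.5"   # placeholder addresses

# Execute a command when APPLY=1, otherwise just print it (dry run).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Dedicated chain: ACCEPT port 25 from each peer, DROP port 25 from anyone
# else, ACCEPT port 587 from anywhere. Order matters: the per-peer ACCEPT
# rules must come before the catch-all DROP.
smtp_rules() {
    run iptables -N SMTP-IN
    run iptables -F SMTP-IN
    for p in $PEERS; do
        run iptables -A SMTP-IN -s "$p" -p tcp --dport 25 -j ACCEPT
    done
    run iptables -A SMTP-IN -p tcp --dport 25 -j DROP
    run iptables -A SMTP-IN -p tcp --dport 587 -j ACCEPT
    # Send new connections to 25 or 587 on INPUT through the chain.
    run iptables -I INPUT -p tcp -m multiport --dports 25,587 \
        -m conntrack --ctstate NEW -j SMTP-IN
}

# sendmail access map entries: the peers (and the host itself) may relay;
# any other host that reaches port 25 only gets local delivery, which is
# sendmail's default. Fields are tab separated; rebuild the db afterwards
# with: makemap hash /etc/mail/access < /etc/mail/access
access_map() {
    printf 'Connect:127.0.0.1\tRELAY\n'
    for p in $PEERS; do
        printf 'Connect:%s\tRELAY\n' "$p"
    done
}

smtp_rules
access_map
```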
  • John Summerfield at Jan 14, 2007 at 10:20 pm

    Sending mail is not a standard POP feature, and it's not what sendmail uses.

    Your choices for limiting access to sendmail include:
    1. Limiting the addresses it listens to. You don't want it listening to
    public IP addresses.
    2. Using /etc/hosts.{allow,deny} to control what addresses sendmail
    accepts connexions from.
    3. Using an external firewall to control who can connect to your mail
    server. This is appropriate, for example, when you use ADSL and have a
    "hardware" router manage your internet connexion. You can also choose to
    use a PC in this role (I do it with an HP Vectra Pentium II running
    Debian and Shorewall).
    4. Using netfilter on your mail server as above. See www.netfilter.org
    and "man iptables."
    5. Sendmail (probably) has its own additional means of controlling who
    can connect: I use Postfix, and for certain and sure Postfix has.

    Note that smtp-auth controls (effectively) people, without regard for
    where they actually are on the Internet. If I know an account name and
    password for your system, I can use your servers from here in Western
    Australia unless you use one of the options above.

    None of the options above has any implications for people sending email
    through your mail service provided that they are physically attached to
    some place you've authorised as above.


    Cheers
    John
  • Ross S. W. Walker at Jan 14, 2007 at 10:33 pm

    If you have interfaces on the public Internet, then by all means
    firewall them. If you need to allow SMTP traffic over those public
    interfaces, then allow port 25 from any host to localhost and use
    sendmail's access controls (/etc/mail/access) to determine who can send
    mail locally, relay mail, etc. It's easier to control SMTP access within
    the SMTP application than through a firewall, which handles traffic at a
    lower level.

    -Ross




  • John Summerfield at Jan 15, 2007 at 12:18 am

    Ross S. W. Walker wrote:

    > If you have interfaces on the public Internet, then by all means
    > firewall them, if you need to allow SMTP traffic over those public
    > interfaces then allow port 25 from any host to localhost and use

    No machine except yourself can talk to _your_ localhost because (almost)
    everyone has their own localhost interface, and any attempt to talk to
    localhost on another machine will fail, even if you set up your own to
    do without localhost, because everyone's routing tables won't send the
    traffic anywhere useful.

    If you don't mean the interface (lo on linux) with ip address 127.0.0.1
    (and hostname localhost), then don't use the name localhost.
    > sendmail's access controls (/etc/mail/access) to determine who can send
    > mail locally, relay mail etc. It's easier to control SMTP access within
    > SMTP application then through firewall which handles traffic at a lower
    > level.

    Years ago when I used sendmail, I found myself perpetually confused
    about the sendmail access rules (and mail in general) and could never
    get rules that worked. Possibly, part of the problem then was I'd not
    learned to not trust any information provided by those trying to send
    mail to me. For example:

    I've just had a mishap with my mail service, I ran out of disk space and
    caused lots of mail errors. Some of the mail I couldn't accept came from
    hosts that introduced themselves:
    ehlo friend

    or
    ehlo mail.home.intern

    Obviously lies, so I tightened my postfix rules to reject incomplete
    hostnames (friend) and unknown hosts (mail.home.intern).

    When I was fiddling with sendmail's access rules, I was looking at
    blocking email addresses, "from" domains, subjects & such. Absolutely
    useless, of course, on my small scale.



    Cheers
    John
  • Ross S. W. Walker at Jan 15, 2007 at 12:42 am


    Ross S. W. Walker wrote:

    > If you have interfaces on the public Internet, then by all means
    > firewall them, if you need to allow SMTP traffic over those public
    > interfaces then allow port 25 from any host to localhost and use

    Ok, Ok, Ok, when I said localhost I didn't mean 127.0.0.1, I meant the
    local IP for that interface. I just didn't feel like typing the local IP
    for that interface, so yes I am guilty of laziness, I always say
    loopback when I refer to 127.0.0.1, as localhost is really just some
    name somebody made up a while ago so there'd be an entry in hosts.
    Of course IP addresses are the preferred method to securely identify a
    host or block of hosts. Hostnames are always forged these days.

    -Ross

  • Shawn K. O'Shea at Jan 16, 2007 at 5:14 pm

    I'd like to add another idea to the list. You can use DRAC (Dynamic
    Relay Authorization Control) to dynamically update your SMTP relay
    rules. We used to use this at one of my previous employers. Your users
    must make a POP or IMAP email check, and then DRAC will dynamically add
    a rule to your relay access filters for them.

    http://mail.cc.umanitoba.ca/drac/

    -Shawn
  • Denis at Jan 16, 2007 at 5:21 pm

    Hi Shawn

    Thanks that looks like the perfect solution, I will give it a try.

    Regards

    Denis
