
Restrict connections


Charles Lavin
Nov 4, 2009, 1:19:55 PM
Hi --

Could someone please point me to a source that explains how to lock down a
Sendmail 8.13.1 server to only accept SMTP connections from a specific range
(or ranges) of IP addresses? I only want it to accept incoming email from
specific servers and act to the rest of the world as if it didn't exist.

Thanks
CL

Ingo Freund
Nov 4, 2009, 1:29:08 PM

did you already think about using access-db?

Ciao - Ingo

D. Stussy
Nov 4, 2009, 5:28:52 PM
"Charles Lavin" <x@x.x> wrote in message
news:gBjIm.527$6c2...@newsfe03.iad...

Use a firewall. That's the only way for it "not to exist."

Use of the access database will show as rejected connections - which means
that it does exist.

Charles Lavin
Nov 4, 2009, 8:32:09 PM
Which is why I do not want to use the access database (at least as I
understand it so far). I just simply want Sendmail to not service requests
except from a specific group of mail servers. Not domains, not users, not
email addresses -- physical servers. I don't care what it receives, or for
whom it receives it, as long as it's received from one of these allowed
servers.

And I need to do it from Sendmail because that's the only thing I can
configure. I cannot add a firewall to that environment.

This Sendmail box is not supposed to be publicly known. No MX record points
to it. It's intended to only pick up email from these other mail servers.
And yet spammers are still managing to drop mail into it.

Tnx
CL

"D. Stussy" <spam+ne...@bde-arc.ampr.org> wrote in message
news:hcsvg6$ck7$4...@snarked.org...

David F. Skoll
Nov 4, 2009, 8:36:54 PM
Charles Lavin wrote:

> And I need to do it from Sendmail because that's the only thing I can
> configure. I cannot add a firewall to that environment.

Doesn't the OS on which you're running Sendmail have built-in firewalling?
iptables on Linux, for example?

-- David.

Knute Johnson
Nov 4, 2009, 8:45:21 PM

You could just DROP all mail from those addresses. I use that for a
throw away address. Any mail that comes in just disappears.

--

Knute Johnson
email s/nospam/knute2009/


Charles Lavin
Nov 4, 2009, 8:52:12 PM
This is a virtualized server 2,500 miles away, and the only things I have
direct access to are the Apache and Sendmail configuration files.

This Sendmail server is one of four mail servers that I have had to lock
down this way. The other three were Microsoft Exchange servers, and the
lockdown on each of them was performed in minutes directly on the SMTP
protocol property sheet from within the Exchange System Manager. I didn't
have to fiddle with other Windows server settings or with any outside
firewalls in those installations. I would imagine that Sendmail should be
able to handle this just as easily ...

But I haven't configured a Sendmail server in over 16 years, and back then I
didn't have to worry about this kind of lockdown. So I'm not sure how to
proceed.

Thanks
CL

"David F. Skoll" <d...@roaringpenguin.com> wrote in message
news:3f559$4af22c36$d1d97a75$20...@PRIMUS.CA...

Charles Lavin
Nov 4, 2009, 8:58:56 PM
OK ...

Let's say I want this Sendmail server to process SMTP requests _only_ from
these _servers_:

11.22.33.44/21

102.103.104.105/29

12.24.36.48

44.55.66.77

127.0.0.1

What would I need to set up?

Thanks
CL


"Knute Johnson" <nos...@rabbitbrush.frazmtn.com> wrote in message
news:4af22e31$0$19266$b9f6...@news.newsdemon.com...

terryc
Nov 4, 2009, 9:15:46 PM

In access, which goes to access.db, I use
Connect:IP-number OK

and the default is reject.

Charles Lavin
Nov 4, 2009, 9:30:18 PM
Thanks. This is a start ...

But how do I accept connections from the range 12.24.36.32/27? The closest
example of an IP address I've seen in documentation of the access file shows
something like "12.24" as a wildcard, which is not equivalent (nor would
"12.24.36" be equivalent). In the above example, would I need to enter every
IP address from 12.24.36.33 to 12.24.36.62 individually?

Thanks again
CL


"terryc" <newsnine...@woa.com.au> wrote in message
news:hctcgi$9gv$7...@news.eternal-september.org...

Knute Johnson
Nov 4, 2009, 9:32:43 PM
Charles Lavin wrote:
> OK ...
>
> Let's say I want this Sendmail server to process SMTP requests _only_ from
> these _servers_:
>
> 11.22.33.44/21
>
> 102.103.104.105/29
>
> 12.24.36.48
>
> 44.55.66.77
>
> 127.0.0.1
>
> What would I need to set up?
>
> Thanks
> CL

I thought you were going the other way and wanted to block specific
addresses. To block everybody except the ones above you would need 255+
lines in your access database.


Connect:11.22.33 OK
Connect:12.24.36.48 OK
Connect:1 DISCARD
Connect:2 DISCARD
.
.
.
Connect:255 DISCARD

Unfortunately you can't use addresses such as 127.0.0.1/20.

You can use 'REJECT' with 'Connect' which will reject the connection to
the server.

Charles Lavin
Nov 4, 2009, 9:41:34 PM
Thanks.

There's no "Default: REJECT" entry? :)


"Knute Johnson" <nos...@rabbitbrush.frazmtn.com> wrote in message
news:4af2394b$0$18231$b9f6...@news.newsdemon.com...

Charles Lavin
Nov 4, 2009, 10:29:25 PM
So if I understood this correctly ...

To accept connections from six sets of hosts -- four separate IP ranges and
two individual hosts -- and the localhost address, I've had to build an
access file with 437 entries, 255 of which are REJECT lines ...


"Knute Johnson" <nos...@rabbitbrush.frazmtn.com> wrote in message
news:4af2394b$0$18231$b9f6...@news.newsdemon.com...

Knute Johnson
Nov 4, 2009, 10:38:25 PM
Charles Lavin wrote:
> So if I understood this correctly ...
>
> To accept connections from six sets of hosts -- four separate IP ranges and
> two individual hosts -- and the localhost address, I've had to build an
> access file with 437 entries, 255 of which are REJECT lines ...

Just accept the /24 and expect there won't be many spammers in the few
addresses you don't block, so it's only 259 lines and you can probably
write a perl program in a minute to create it.

Connect:111.222.333 OK
Connect:222.222.222 OK
Connect:11.11.11 OK
Connect:12.12.12 OK

Connect:1 REJECT
.
.
Connect:255 REJECT

Charles Lavin
Nov 4, 2009, 11:18:09 PM
Well ...

I can't do this half-assed. This server needs to accept connections from the
same set(s) of hosts as the other servers, and reject connections from
everyone else. I can't leave "loopholes" lying around in the hope that
nobody will ever spam through them.

I already built the access table, and this is working ... in a way.

The Exchange servers simply do not allow "illegal" hosts to start an SMTP
conversation. To those illegal hosts, the Exchange servers are not even
there.

Sendmail allows anyone to establish an SMTP connection. It's not until the
RCPT TO: line is processed that Sendmail rejects the request with an error
550 if the sending host is in a REJECT range.

This is better than what was happening before, but I would prefer that
Sendmail ignore the connection request from the get-go ...

Thanks for your help
CL

"Knute Johnson" <nos...@rabbitbrush.frazmtn.com> wrote in message
news:4af248b1$0$17276$b9f6...@news.newsdemon.com...

Knute Johnson
Nov 5, 2009, 1:04:08 AM
Charles Lavin wrote:
> Well ...
>
> I can't do this half-assed. This server needs to accept connections from the
> same set(s) of hosts as the other servers, and reject connections from
> everyone else. I can't leave "loopholes" lying around in the hope that
> nobody will ever spam through them.
>
> I already built the access table, and this is working ... in a way.
>
> The Exchange servers simply do not allow "illegal" hosts to start an SMTP
> conversation. To those illegal hosts, the Exchange servers are not even
> there.
>
> Sendmail allows anyone to establish an SMTP connection. It's not until the
> RCPT TO: line is processed that Sendmail rejects the request with an error
> 550 if the sending host is in a REJECT range.

Not if you put the Connect: in the access db; the transaction is stopped
well before the RCPT TO. No options are sent by the host and the client
can only disconnect.

> This is better than what was happening before, but I would prefer that
> Sendmail ignore the connection request from the get-go ...

It has to allow the client to connect to determine who is calling. I'm
sure there is some protocol requirement that it not just drop the
connection.

Charles Lavin
Nov 5, 2009, 1:59:32 AM
Hi --

I tested this from three different servers that were not on the "OK" list.

In all cases, Sendmail accepted the connection. Accepted the HELO. Accepted
the MAIL FROM:. Only after accepting the RCPT TO: did it spit out a 550
error.

When I added these servers to Sendmail's "OK" list, then the same thing
happened, only this time Sendmail accepted the RCPT TO: and the message
itself, and delivered the message.

The access table was built similar to this:

Connect:1.2.3 OK
Connect:1.2.4 OK
Connect:1.2.5 OK

Connect:12.24.36.48 OK
Connect:12.24.36.49 OK
Connect:12.24.36.50 OK
Connect:12.24.36.51 OK
Connect:12.24.36.52 OK

Connect:87.65.43.21 OK

Connect:127.0.0.1 RELAY

Connect:1 REJECT
Connect:2 REJECT
...
Connect:126 REJECT
Connect:128 REJECT
...
Connect:255 REJECT

"Knute Johnson" <nos...@rabbitbrush.frazmtn.com> wrote in message
news:4af26ad6$0$17274$b9f6...@news.newsdemon.com...

Warren Block
Nov 5, 2009, 11:11:23 AM
Charles Lavin <x@x.x> wrote:
> Thanks. This is a start ...
>
> But how do I accept connections from the range 12.24.36.32/27? The closest
> example of an IP address I've seen in documentation of the access file shows
> something like "12.24" as a wildcard, which is not equivalent (nor would
> "12.24.36" be equivalent). In the above example, would I need to enter every
> IP address from 12.24.36.33 to 12.24.36.62 individually?

sendmail includes contrib/cidrexpand. With that, you can create an
access.cidr and then build access from it:

# cidrexpand < access.cidr > access

--
Warren Block * Rapid City, South Dakota * USA

Knute Johnson
Nov 5, 2009, 2:05:42 PM
Charles Lavin wrote:
> Hi --
>
> I tested this from three different servers that were not on the "OK" list.
>
> In all cases, Sendmail accepted the connection. Accepted the HELO. Accepted
> the MAIL FROM:. Only after accepting the RCPT TO: did it spit out a 550
> error.

I tried it too but I got the 550 error even with the MAIL command. I
wonder if we have something different somewhere else that would change this?

> When I added these servers to Sendmail's "OK" list, then the same thing
> happened, only this time Sendmail accepted the RCPT TO: and the message
> itself, and delivered the message.

That's what you would expect.

Here is the telnet session if I 'Connect' REJECT my desktop:

220 rabbitbrush.frazmtn.com ESMTP Sendmail 8.14.3/8.14.3/Debian-6; Thu, 5 Nov 2009 11:01:52 -0800; (No UCE/UBE) logging access from: ljr-int-wan.frazmtn.com(OK)-ljr-int-wan.frazmtn.com [216.240.58.138]
helo frazmtn.com
250 rabbitbrush.frazmtn.com Hello ljr-int-wan.frazmtn.com
[216.240.58.138], pleased to meet you
MAIL From:kn...@frazmtn.com
550 5.7.1 Access denied
QUIT
221 2.0.0 rabbitbrush.frazmtn.com closing connection


Connection to host lost.

I actually prefer using DISCARD to have it take the mail and drop it
into the bit bucket.

Andrzej Adam Filip
Nov 5, 2009, 2:19:52 PM
Knute Johnson <nos...@rabbitbrush.frazmtn.com> wrote:

> Charles Lavin wrote:
>> I tested this from three different servers that were not on the "OK" list.
>>
>> In all cases, Sendmail accepted the connection. Accepted the
>> HELO. Accepted the MAIL FROM:. Only after accepting the RCPT TO: did
>> it spit out a 550 error.
>
> I tried it too but I got the 550 error even with the MAIL command. I
> wonder if we have something different somewhere else that would change
> this?

FEATURE(`delay_checks') "moves" rejections to reply to "RCPT TO".
http://www.sendmail.org/m4/anti_spam.html#delay_check

The feature is routinely recommended to exclude authenticated users
(SMTP AUTH) from DNSBL checks.

> [...]

--
[pl>en Andrew] Andrzej Adam Filip : an...@onet.eu : Andrze...@gmail.com
Open-Sendmail: http://open-sendmail.sourceforge.net/
Hell is empty and all the devils are here.
-- Wm. Shakespeare, "The Tempest"

Knute Johnson
Nov 5, 2009, 2:25:16 PM
Andrzej Adam Filip wrote:
> Knute Johnson <nos...@rabbitbrush.frazmtn.com> wrote:
>> Charles Lavin wrote:
>>> I tested this from three different servers that were not on the "OK" list.
>>>
>>> In all cases, Sendmail accepted the connection. Accepted the
>>> HELO. Accepted the MAIL FROM:. Only after accepting the RCPT TO: did
>>> it spit out a 550 error.
>> I tried it too but I got the 550 error even with the MAIL command. I
>> wonder if we have something different somewhere else that would change
>> this?
>
> FEATURE(`delay_checks') "moves" rejections to reply to "RCPT TO".
> http://www.sendmail.org/m4/anti_spam.html#delay_check
>
> The feature is routinely recommended to exclude authenticated users
> (SMTP AUTH) from DNSBL checks.
>
>> [...]
>

There you go, I don't have FEATURE(`delay_checks').

David F. Skoll
Nov 5, 2009, 6:27:18 PM
Charles Lavin wrote:

> This is a virtualized server 2,500 miles away, and the only things I have
> direct access to are the Apache and Sendmail configuration files.

OK; then you're stuck with either using access map or (if Sendmail
was compiled with tcpwrappers) /etc/hosts.allow and /etc/hosts.deny.

You can tell if Sendmail was compiled with tcpwrappers like this:

sendmail -bt -d0 < /dev/null | grep TCPWRAPPERS

If you get output, you can use hosts.allow and hosts.deny to control
access. Use the "sendmail" facility in the hosts access files.
If the server is set up properly, "man hosts_access" might shed light.

Regards,

David.
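The three mechanisms discussed in this thread (Knute's first-octet catch-all REJECT scheme, Warren's cidrexpand expansion of CIDR blocks into leading-octet keys, and David's tcpwrappers alternative) can be generated from one allow-list. The script below is an added example; it is not code from the thread, from contrib/cidrexpand, or from the sendmail project. It assumes IPv4 only, that the access db is matched on whole leading octets with the most specific entry winning (full address first, then shorter prefixes), that the tcpwrappers daemon name is "sendmail" as David suggests, and it uses the addresses Charles posted as a constructed allow-list. The `lookup` function goes a little beyond the thread: it simulates that lookup order so you can check the generated table offline before running makemap.

```python
"""Generate /etc/mail/access entries (and a matching hosts.allow line) from a
list of permitted IPv4 blocks, then resolve addresses against the result the
way sendmail's Connect: lookup does.  Added example, not the thread's or the
sendmail project's code; assumes IPv4 and the stock most-specific-first lookup.
"""
import ipaddress

# Constructed sample allow-list (the blocks Charles listed in the thread).
ALLOWED = ["11.22.33.44/21", "102.103.104.105/29", "12.24.36.48", "44.55.66.77"]


def access_keys(cidr):
    """Expand one IPv4 block into the leading-octet keys the access db can match.

    The access db only matches whole leading octets, so a block whose prefix
    length is not a multiple of 8 is split at the next octet boundary:
    a /21 becomes eight three-octet keys, a /27 or /29 becomes full addresses.
    This is the same expansion contrib/cidrexpand performs (reimplemented here).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    boundary = max(8, -(-net.prefixlen // 8) * 8)  # round up to a multiple of 8
    keys = []
    for sub in net.subnets(new_prefix=boundary):
        octets = str(sub.network_address).split(".")
        keys.append(".".join(octets[: boundary // 8]))
    return keys


def build_table(allowed):
    """Return an ordered list of (key, action) pairs for the access file."""
    table = [(key, "OK") for cidr in allowed for key in access_keys(cidr)]
    table.append(("127.0.0.1", "RELAY"))  # local submissions may relay
    # Default deny: one catch-all per first octet.  Because sendmail tries the
    # full address first and only then shorter prefixes, the more specific OK
    # entries above still win for the permitted hosts.
    table.extend((str(octet), "REJECT") for octet in range(256))
    return table


def render(table):
    """Format the table as makemap input: 'Connect:<key><TAB><action>'."""
    return "\n".join(f"Connect:{key}\t{action}" for key, action in table) + "\n"


def lookup(table, ip):
    """Resolve an address as sendmail consults the access db for Connect:.

    Tries 'a.b.c.d', then 'a.b.c', 'a.b', 'a'.  Returns the first hit, or None
    when no entry matches (sendmail then falls back to accepting the connection).
    """
    entries = dict(table)
    octets = str(ipaddress.ip_address(ip)).split(".")
    for n in range(4, 0, -1):
        action = entries.get(".".join(octets[:n]))
        if action is not None:
            return action
    return None


def hosts_allow_line(allowed, daemon="sendmail"):
    """Equivalent tcpwrappers rule for /etc/hosts.allow in net/mask notation.

    Pair it with 'sendmail: ALL' in /etc/hosts.deny; hosts.allow is consulted
    first, so anything listed here is admitted and everything else is refused
    before sendmail ever answers.  Daemon name 'sendmail' is an assumption.
    """
    nets = []
    for cidr in allowed:
        net = ipaddress.ip_network(cidr, strict=False)
        nets.append(str(net.network_address) if net.prefixlen == 32 else net.with_netmask)
    return f"{daemon}: {' '.join(nets)} 127.0.0.1"


if __name__ == "__main__":
    table = build_table(ALLOWED)
    print(render(table), end="")
    print("# hosts.allow equivalent:", hosts_allow_line(ALLOWED))
```

Feed `render(build_table(...))` to `makemap hash /etc/mail/access < access` as usual. Note what the lookup simulation makes visible: a /27 cannot be written as one key, so `Connect:12.24.36 OK` would admit the whole /24, which is exactly the loophole Charles declined to accept; the expanded per-address keys are the precise form.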

Knute Johnson
Nov 5, 2009, 8:22:26 PM

I'm curious about this because I haven't been able to get hosts to
control access to sendmail.

knute@rabbitbrush:/etc$ /usr/sbin/sendmail -bt -d0 < /dev/null | grep TCPWRAPPERS
TCPWRAPPERS USERDB USE_LDAP_INIT XDEBUG

I get output but is that what one would expect or need to have hosts work?

I'm running sendmail on a 9.04 server box.

Thanks,

Charles Lavin
Nov 9, 2009, 3:17:42 PM
This isn't working as I hoped it to, but it _is_ working. "Legal" servers
can drop mail in here; "illegal" ones can't. Since this is a secondary
(backup) server and sees little traffic, and messing with it is a royal
pain, I think I'll leave this the way it is. The only reason this became an
issue is that spammers were finding the server (which is not registered as
an MX host anywhere) and dumping spam directly into it. Not using it as a
relay -- it's been locked down for relaying forever -- but just leaving spam
for the domain that ultimately would wind up at the primary server.

Thanks all

CL

"Knute Johnson" <nos...@rabbitbrush.frazmtn.com> wrote in message
news:4af3269b$0$10093$b9f6...@news.newsdemon.com...

Knute Johnson
Nov 10, 2009, 12:04:01 PM
Charles Lavin wrote:
> This isn't working as I hoped it to, but it _is_ working. "Legal" servers
> can drop mail in here; "illegal" ones can't. Since this is a secondary
> (backup) server and sees little traffic, and messing with it is a royal
> pain, I think I'll leave this the way it is. The only reason this became an
> issue is that spammers were finding the server (which is not registered as
> an MX host anywhere) and dumping spam directly into it. Not using it as a
> relay -- it's been locked down for relaying forever -- but just leaving spam
> for the domain that ultimately would wind up at the primary server.
>
> Thanks all
>
> CL

I've found using the DNSBLs has really reduced that considerably. I
just use two, spamcop and spamhaus.