How to make sendmail accept connections from localhost only
Solution 1
The following line in your m4 config generation file will cause sendmail to listen to port 25 only on 127.0.0.1:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
Solution 2
I decided to do it in another way. Instead of trying to tune the sendmail-mta itself (which I did not succeed in) or recompiling it with the built-in options, I used a simple iptables rule:
iptables -A INPUT -i eth0 -p tcp --dport 25 -j DROP
This rule blocks all incoming connections on eth0 interface. The connections to the lo interface remain untouched. Of course, this is not a solution by means of the sendmail-mta, but it turned out to be much more simple to solve this particular problem this way.
v_2e
Updated on September 18, 2022
Comments
-
v_2e almost 2 years
I need to secure the server by making sendmail-mta accept only local connections (from localhost), so that any external (potential spam) connections are denied.
I use Debian 7.0 currently.
-
Michael Hampton over 10 years
You're kidding, right?
-
v_2e over 10 years
@MichaelHampton: No, not at all. This is really the way I decided to solve my problem. But is it wrong?
-
Michael Hampton over 10 years
It's kind of pointless, since the solution already given is so trivial. And, if your firewall gets dropped for some reason, you're back to being a potential spam relay.
-
v_2e over 10 years
@MichaelHampton: Hm... Yes, you are right. If for some reason the firewall rule is not applied or flushed, it is pointless. I did not think of that. But as far as I understood from the previous answer, it requires recompiling the sendmail-mta daemon, doesn't it? But recompiling is not an easy way in my case. So is it the only real way to secure the mail-server? Thanks!
-
Michael Hampton over 10 years
No, you just edit the sendmail.mc file and rebuild that (with m4). This is basic Sendmail.
-
v_2e over 10 years
@MichaelHampton: Oh, sorry. I misunderstood all these from the very beginning. I just have never met such a way of configuration before. Now I see that indeed my "self-answer" is completely pointless. I will mark the previous as "accepted" instead, since now I use this way. Thank you!
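
The comments above turn on the difference between a socket bound to 127.0.0.1 and one bound to every address but hidden behind a firewall rule. The check below is an added example, not part of the original answers: it reads `ss -ltn` output and reports any port 25 listener bound beyond loopback. The function names and the sample listings are constructed for illustration.

```shell
# Added example, not from the original thread. Sample data is constructed.

# Read `ss -ltn` output on stdin and print every non-loopback local address
# that is listening on the given TCP port (default 25).
# Exit status: 0 = loopback only (or no listener), 1 = exposed listener found.
exposed_listeners() {
    awk -v port="${1:-25}" '
        $1 != "LISTEN" { next }              # skip the header line
        {
            n = split($4, parts, ":")        # $4 is Local Address:Port
            if (parts[n] != port) next       # port follows the last colon
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)            # drop a %interface suffix
            sub(/^\[/, "", addr)             # drop IPv6 brackets
            sub(/\]$/, "", addr)
            if (addr ~ /^127\./ || addr == "::1") next
            print addr; found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: sendmail bound with Addr=127.0.0.1 (Solution 1).
sample_bound_to_loopback() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      10     127.0.0.1:25       0.0.0.0:*
EOF
}

# Constructed sample: default bind, protected only by the iptables rule
# (Solution 2). The socket itself is still open on every address.
sample_firewall_only() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      10     0.0.0.0:25         0.0.0.0:*
LISTEN 0      10     [::]:25            [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
EOF
}

# On a live host, pipe `ss -ltn` into exposed_listeners instead.
for sample in sample_bound_to_loopback sample_firewall_only; do
    if "$sample" | exposed_listeners 25 >/dev/null; then
        echo "$sample: port 25 is loopback only"
    else
        echo "$sample: port 25 is bound beyond loopback"
    fi
done
```

Because the check inspects the listening socket rather than the packet filter, its result does not change if the iptables rules are flushed.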