
Re: MTA for firewalls, etc. ?



On Fri, 16 Jan 1998, Christian Schwarz wrote:

> 1. Some Debian packages require a MTA, i.e., they depend on
> mail-transport-agent. However, we've not documented anywhere what this
> exactly means. I've checked out a few packages now and it looks like a
> `mail-transport-agent' is a package which provides /usr/lib/sendmail.
> Is this correct? If so, we should state it in the Policy Manual.
>
> 2. On some hosts (i.e., software routers or firewalls) one does
> not want to run large (and insecure) mailer daemons such as sendmail,
> etc. However, since some important packages like "cron" depend
> on mail-transport-agent, one has to satisfy this dependency
> somehow. (Overriding dpkg does not help in the case of "cron", since
> cron sends possible error messages via mail, and these messages should
> not be thrown away.)

my solution to problems like this is to just install sendmail and edit
the /etc/init.d/sendmail script so that sendmail doesn't get started
as a daemon. sendmail is extremely easy to configure in debian - the
sendmailconfig script is wonderful!

in /etc/mail/sendmail.mc, don't enable the SMTP mailer. i.e. only
include a 'MAILER(local)dnl' line.


if i'm feeling especially paranoid, i might use ipfwadm to block
incoming and outgoing packets for port 25. if you're only concerned
about security you only need to block incoming smtp packets.

e.g. for a single-homed host:

    LOCALIP=$(hostname -i)
    # -I/-O: input/output rule lists; -a reject: append a reject rule;
    # -P tcp: protocol; -S/-D: source/destination address, port 25 on the local side
    ipfwadm -I -a reject -P tcp -S 0.0.0.0 -D $LOCALIP 25
    ipfwadm -O -a reject -P tcp -S $LOCALIP -D 0.0.0.0 25

for a multi-homed host:

    # this currently works for ethernet only, but is trivial to modify
    # to support token ring and other types of interfaces too.
    INTERFACES=$(grep 'eth' /proc/net/dev | sed -e 's/: .*//')

    # extract the IPv4 address of each interface from ifconfig output
    MY_IP=$(for i in $INTERFACES ; do
                ifconfig $i | \
                    sed -n -e 's/\(.*inet addr:\)\([0-9.]*\) *\(Bcast.*\)/\2/p'
            done)

    # reject inbound and outbound SMTP (tcp/25) on every local address
    for LOCALIP in $MY_IP ; do
        ipfwadm -I -a reject -P tcp -S 0.0.0.0 -D $LOCALIP 25
        ipfwadm -O -a reject -P tcp -S $LOCALIP -D 0.0.0.0 25
    done


(the INTERFACES and MY_IP stuff above is taken from my version
of the spoof_protect function in recent netbase packages - i
wanted spoof_protect as a separate script not as a function inside
/etc/init.d/netbase so that i can call it whenever i need to after i
flush all the current rules)



Personally, i would prefer to leave outbound smtp enabled so that the
firewall could send me mail if it ever needed to - e.g. a script which
hunts through the logs for suspicious activity....i want to know about
that NOW, not sometime next week when i've got enough time to log in and
check the log files.

if the machine's mailer is properly configured, it is NOT going to spew
out mail to random machines on the local net.


> So, provided that #1 is correct (i.e., packages depending on
> mail-transport-agent just call /usr/lib/sendmail), I'm looking for a
> _very_ simple package which provides mail-transport-agent, and installs a
> short /usr/lib/sendmail which does nothing except saving all mails in some
> central mail box or in different files in /var/spool/mail. I don't need
> SMTP for sending nor receiving mails, nor do I need .forward files,
> aliases, etc.
>
> Having written this, I think a solution would be to just write a little
> shell script /usr/lib/sendmail, which contains
>     cat >> /var/log/mails
> to just add all text from stdin to a log file.

i think you'll run into file-locking problems with that - if two or more
daemons send mail at the same time, the log file will get corrupted.

if you install sendmail, you can use sendmail's virtusertable feature to
make sure that all mail to any user on the local host gets delivered to
one mailbox. or you can do that with procmail's global /etc/procmailrc.

craig

--
craig sanders
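The locking problem raised above can be avoided in a stub of this kind. The script below is an added example, not from the original thread: a minimal stand-in for /usr/lib/sendmail that serialises appends to one mbox file with an atomic mkdir lock, so concurrent callers such as cron cannot interleave their messages. The spool path, lock path and MAILSTUB_* variable names are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example: a drop-in /usr/lib/sendmail that stores every message
# in a single mbox file under an exclusive lock. Paths are assumptions and
# can be overridden through the MAILSTUB_SPOOL / MAILSTUB_LOCK variables.

SPOOL="${MAILSTUB_SPOOL:-/var/log/mails}"
LOCKDIR="${MAILSTUB_LOCK:-$SPOOL.lock}"

# Take the lock with mkdir(2), which is atomic on POSIX filesystems.
# Retry for about ten seconds, then fail rather than write unlocked.
lock_spool() {
    tries=0
    until mkdir "$LOCKDIR" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -ge 100 ] && return 1
        sleep 0.1
    done
    return 0
}

unlock_spool() {
    rmdir "$LOCKDIR"
}

# Read one message from stdin and append it as an mbox entry.
# Sendmail-style arguments (-t, -oi, recipients ...) are accepted and ignored.
deliver_message() {
    msg=$(cat)                  # buffer the whole message before locking
    lock_spool || return 1
    {
        printf 'From MAILER-DAEMON %s\n' "$(date)"
        printf '%s\n\n' "$msg"
    } >> "$SPOOL"
    unlock_spool
}

# Number of stored messages: one "From " separator line per message.
count_messages() {
    [ -f "$SPOOL" ] || { echo 0; return 0; }
    grep -c '^From ' "$SPOOL" || true
}

# When installed as .../sendmail, behave like sendmail: store stdin and exit.
case "$0" in
    */sendmail) deliver_message ;;
esac
```

Because the message is buffered first and the lock is held only for the append, a stuck writer cannot block callers indefinitely, and the mbox stays readable with any mail client.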

