Thanks for the suggestion to read about tcpwrappers. I have also
read the Security Quick-Start HOWTO and found it useful.
One problem I am still coming to grips with is email. I am running
qmail out of xinetd and using tcp-env for the smtp service. I tried
putting the qmail daemons into hosts.allow (i.e. qmail-smtpd: ALL), and
then ALL:ALL in hosts.deny, but it denied access to all incoming
emails. At the moment, I have ALL: PARANOID set in hosts.deny, but this
won't allow some incoming emails and gives an error on the line where I
have the line .domain.com.au set in hosts.allow, where ns.domain.com.au
is our nameserver.
Anyone know how I let all emails to our domain through, whether or not I
can do a lookup on them? I know that our DNS works fine as I get the
same error using a machine at home from a different ISP and different
DNS server. I am assuming that hosts that fall into the
PARANOID category must not have their DNS files set up right, or they may
not be legitimate users.
I suppose the other option is to try and run qmail using daemontools and
ucspi as the qmail manuals and Life with qmail suggest.