Mailing List Archive



Re: [tlug] ipchains settings to allow sendmail from localhost



s4565@example.com (s4565@example.com) wrote:

> -A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT

= Port 25 is not filtered at all.


> which to me looks a bit of a worry...I am not sure I like the "any-> smtp" part, does this mean at the moment anyone
> can use my machine to send email?

No, unless you have it configured as an open relay, which it is not
by default.  If you haven't changed this, then it will not relay.

The fact that port 25 is not firewalled means that anyone can 
try to connect to port 25.  If your machine was functioning
as an MX, this would be desired.  Since it's not, there's
no point in allowing anyone to even make a run at it. To achieve
that, use this rule:

-A input -s 0/0 -d 0/0 25 -p tcp -y -j REJECT

If you are connecting via an ISP's dial-up, cable, or DSL network,
I recommend that you use their outgoing SMTP server as a smarthost,
because a (growing) number of domains have their MXes configured to
refuse direct mail connections from those sources, because most such
connections are spam.  To do this, edit /etc/sendmail.cf and find
these lines:

# "Smart" relay host (may be null)
DS

Immediately after the S (no space) put the name of your ISP's 
outgoing mail server.

You might further want to configure your system to not run sendmail
in daemon mode, but only to do queue runs.  This way, even if
port 25 is not firewalled, it won't accept connections anyway.
To do that, edit /etc/sysconfig/sendmail and make it look like this:

DAEMON=no
QUEUE=5m

This will do a queue run every 5 minutes.  If you want the queue run
to be more or less frequent, change that line accordingly.

Jonathan
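
The following is an added example, not part of the original message: a shell script that checks the three settings discussed above (the DS smarthost line, DAEMON=no, and the input rule for port 25) against files passed as arguments. The function names, the sample files and the host smtp.isp.example are constructed, and the firewall check assumes rules saved in the form quoted in the message.

```shell
#!/bin/sh
# Added example: audit the smarthost, daemon-mode and port 25 settings.
# Prints the smarthost from the DS line of a sendmail.cf (nothing if null).
smarthost() {
    sed -n 's/^DS\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}
# Succeeds when the sysconfig file turns daemon mode off.
daemon_disabled() {
    grep -Eq '^DAEMON="?no"?[[:space:]]*$' "$1"
}
# Prints the target of the first input rule matching new TCP connections
# (-y) to port 25; assumes the rule layout quoted in the message.
smtp_syn_policy() {
    awk '$1 == "-A" && $2 == "input" {
        port = ""; tcp = 0; syn = 0; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-d" && $(i+2) !~ /^-/) port = $(i+2)
            if ($i == "-p" && $(i+1) == "tcp") tcp = 1
            if ($i == "-y") syn = 1
            if ($i == "-j") target = $(i+1)
        }
        if (port == "25" && tcp && syn) { print target; exit }
    }' "$1"
}
# audit <sendmail.cf> <sysconfig/sendmail> <rules>; returns the finding count.
audit() {
    findings=0
    host=$(smarthost "$1")
    if [ -n "$host" ]; then echo "ok: smarthost is $host"
    else echo "check: DS line is null, no smarthost"; findings=$((findings + 1)); fi
    if daemon_disabled "$2"; then echo "ok: DAEMON=no, queue runs only"
    else echo "check: sendmail runs in daemon mode"; findings=$((findings + 1)); fi
    case $(smtp_syn_policy "$3") in
        REJECT|DENY) echo "ok: inbound SYN to port 25 is blocked" ;;
        *) echo "check: inbound SYN to port 25 is not blocked"; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}
# Constructed sample files: "before" mirrors the quoted setup, "after" the advice.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '# "Smart" relay host (may be null)\nDS\n' > "$demo/cf.before"
printf '# "Smart" relay host (may be null)\nDSsmtp.isp.example\n' > "$demo/cf.after"
printf 'DAEMON=yes\nQUEUE=1h\n' > "$demo/sys.before"
printf 'DAEMON=no\nQUEUE=5m\n' > "$demo/sys.after"
printf '%s\n' '-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT' > "$demo/fw.before"
printf '%s\n' '-A input -s 0/0 -d 0/0 25 -p tcp -y -j REJECT' > "$demo/fw.after"
audit "$demo/cf.before" "$demo/sys.before" "$demo/fw.before" || echo "before: $? finding(s)"
audit "$demo/cf.after" "$demo/sys.after" "$demo/fw.after" && echo "after: clean"
```

On a real system the arguments would be /etc/sendmail.cf, /etc/sysconfig/sendmail and a file holding the saved ipchains rules.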

