
I need to secure the server by making sendmail-mta accept only local connections (from localhost), so that any external (potential spam) connections are denied.

I use Debian 7.0 currently.

v_2e

2 Answers


The following line in your m4 config generation file will cause sendmail to listen to port 25 only on 127.0.0.1:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
MadHatter
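A way to confirm that the rebuilt configuration actually took effect, added here as an example and not part of the answer above: after regenerating sendmail.cf from sendmail.mc and restarting sendmail, the only TCP listeners on port 25 should be on 127.0.0.1 (and ::1 if IPv6 is enabled). The function below reads `ss -ltn` or `netstat -ltn` output on stdin (both print the local address in field 4) and reports whether every port-25 listener is on loopback. The listings it is run against here are constructed samples, not output from a real host; the function name and the `report` helper are this example's own.

```shell
#!/bin/sh
# Added example: check that every TCP listener on port 25 is bound to a
# loopback address. Feed it `ss -ltn` or `netstat -ltn` output, e.g.
#     ss -ltn | smtp_listeners_local_only
#
# Exit status: 0 = every port-25 listener is on 127.0.0.1 or ::1
#              1 = at least one port-25 listener is on a non-loopback address
#              2 = nothing listens on port 25 at all
smtp_listeners_local_only() {
    awk '
        {
            field = $4                                   # "Local Address:Port"
            port = field; sub(/.*:/, "", port)           # text after the last ":"
            addr = field; sub(/:[^:]*$/, "", addr)       # text before the last ":"
            gsub(/\[/, "", addr); gsub(/\]/, "", addr)   # ss prints IPv6 as [::1]:25
            if (port == "25") {
                seen = 1
                if (addr != "127.0.0.1" && addr != "::1") bad = 1
            }
        }
        END { if (!seen) exit 2; if (bad) exit 1; exit 0 }
    '
}

# Constructed sample listings in `ss -ltn` format (not captured from a real host).
SAMPLE_LOCAL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      10     127.0.0.1:25      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      10     [::1]:25          [::]:*'

SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      10     0.0.0.0:25        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*'

SAMPLE_NO_MTA='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*'

# Print a one-line verdict for a listing; $1 is a label, $2 the listing text.
# The if/else keeps the non-zero status usable under `set -e`.
report() {
    if printf '%s\n' "$2" | smtp_listeners_local_only; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "$1: OK, SMTP listens on loopback only" ;;
        1) echo "$1: WARNING, SMTP is bound to a non-loopback address" ;;
        2) echo "$1: no SMTP listener found" ;;
    esac
}

report local   "$SAMPLE_LOCAL"
report exposed "$SAMPLE_EXPOSED"
report no-mta  "$SAMPLE_NO_MTA"
```

Because the check looks at the socket's bind address rather than at what is reachable through the firewall, it reports a daemon bound to 0.0.0.0:25 as exposed even when an iptables rule currently drops external traffic on that port, which is exactly the distinction raised in the comments on the other answer.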

I decided to do it in another way. Instead of trying to tune the sendmail-mta itself (which I did not succeed in) or recompiling it with the built-in options, I used a simple iptables rule:

iptables -A INPUT -i eth0 -p tcp --dport 25 -j DROP

This rule blocks all incoming connections on the eth0 interface. The connections to the lo interface remain untouched. Of course, this is not a solution by means of the sendmail-mta, but it turned out to be much simpler to solve this particular problem this way.

v_2e
  • You're kidding, right? – Michael Hampton Sep 29 '13 at 16:07
  • @MichaelHampton: No, not at all. This is really the way I decided to solve my problem. But is it wrong? – v_2e Sep 29 '13 at 16:35
  • 1
    It's kind of pointless, since the solution already given is so trivial. And, if your firewall gets dropped for some reason, you're back to being a potential spam relay. – Michael Hampton Sep 29 '13 at 16:37
  • @MichaelHampton: Hm... Yes, you are right. If for some reason the firewall rule is not applied or flushed, it is pointless. I did not think of that. But as far as I understood from the previous answer, it requires recompiling the sendmail-mta daemon, doesn't it? But recompiling is not an easy way in my case. So is it the only *real* way to secure the mail-server? Thanks! – v_2e Sep 29 '13 at 16:42
  • 2
    No, you just edit the `sendmail.mc` file and rebuild that (with `m4`). This is basic Sendmail. – Michael Hampton Sep 29 '13 at 16:52
  • @MichaelHampton: Oh, sorry. I misunderstood all this from the very beginning. I have just never met such a way of configuration before. Now I see that indeed my "self-answer" is completely pointless. I will mark the previous one as "accepted" instead, since now I use this way. Thank you! – v_2e Sep 29 '13 at 17:15