Any server that accepts email is at some risk of abuse. Given the relatively large population of dimwits in the world with nothing better to do with their time than send volumes of unwanted email to every address they can conjure up (including such notables as nobody at various domains), there's good reason to avoid accepting email at all on servers that aren't intended to be mail servers.
If you would like to generate email on a server, but don't want to put up with email from the outside, you can configure sendmail to do this for you. The "trick" is to set up sendmail so that it still listens on port 25 (as it always does), but only on the loopback address. When set up this way, the server will only accept connections on port 25 that are initiated on the local system. No connection from any other host will be established, leaving your server with only its own mail to process. Outbound mail is unaffected: sendmail still connects out to other mail servers as usual, since only the listening side is restricted.
Here's how to do this:
First, start with the sendmail.mc file that you used to build your current sendmail. Add the lines shown below before the MAILER line.
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, address=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Family=inet, address=127.0.0.1, Port=587, Name=MSA, M=E')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
The bottom of your sendmail.mc file will then look something like this:
divert(0)dnl
VERSIONID(`$Id: generic-solaris.mc,v 8.13 2001/06/27 21:46:30 gshapiro Exp $')
OSTYPE(solaris2)dnl
DOMAIN(generic)dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, address=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Family=inet, address=127.0.0.1, Port=587, Name=MSA, M=E')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
MAILER(local)dnl
MAILER(smtp)dnl
Use the "sh Build sendmail.cf" command to create a new sendmail.cf file. Copy your current /etc/mail/sendmail.cf file to a safe place just in case you need it, such as /etc/mail/sendmail.cf.prev, and then put your new sendmail.cf file into place. Also keep a copy of the sendmail.mc file you built from; it is the readable record of how your sendmail.cf was configured and built, and it can save you a lot of trouble if you wipe out your sendmail source directory after building a new release of the software and later want to recreate the .cf file.
Next, do the same basic thing for the submit.cf file -- use the "sh Build submit.cf" command to generate a new submit.cf file, back up your current file and put the new one in place. submit.cf is built from submit.mc, which this change does not touch, but it is worth rebuilding so that both files come from the same release. Note that the default submit.mc hands locally submitted mail to the MTA at 127.0.0.1 on port 25, which is exactly why the MTA must keep listening on the loopback address rather than being shut off entirely.
To view how sendmail is accepting connections before you restart it, use the netstat command shown below. The string "*.25" means that it is listening for connections on port 25 on every IP address associated with the system -- generally the public IP address and the loopback. (The pattern 25 also matches any other line containing those digits, such as port 1025 or a queue size, so read the output rather than trusting a line count.)
# netstat -an | grep 25
*.25 *.* 0 0 49152 0 LISTEN
At this point, you are ready to restart sendmail. You can then use the netstat command again to verify that sendmail is only listening on the loopback address:
# netstat -an | grep 25
127.0.0.1.25 *.* 0 0 49152 0 LISTEN
Here, we can see that port 25 is now only open on the loopback address. Any remote system now attempting to send mail to the server will fail with an error like that shown below. (If a host or network firewall silently drops the packets instead of rejecting them, the remote side will see a timeout rather than "Connection refused"; either way, no inbound mail gets through.)
# telnet nomail.mysite.com 25
Trying 205.244.233.22...
telnet: Unable to connect to remote host: Connection refused
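The two netstat checks above are easy to do by eye on one host, but on a fleet you want something repeatable. The script below is an added example (not from the original article) that audits a "netstat -an" listing and reports any TCP listener on port 25 or 587 that is bound to something other than the loopback address. It handles both the Solaris format shown in the article and the Linux format. The function and variable names are mine, and the two sample listings are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the output of
# "netstat -an" and report every TCP listener on the SMTP ports (25 and
# 587) that is bound to anything other than the loopback address.
#
# The function reads the listing on stdin. It understands the Solaris
# form used in the article ("127.0.0.1.25 ... LISTEN") and the Linux form
# ("127.0.0.1:25 ... LISTEN"). It prints one line per exposed socket and
# returns 0 when only loopback listeners were found, 1 otherwise.
smtp_public_listeners() {
    awk '
        /LISTEN/ {
            # The local endpoint is the first field ending in ".port"
            # (Solaris) or ":port" (Linux).
            ep = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /[.:][0-9]+$/) { ep = $i; break }
            }
            if (ep == "") next
            n = split(ep, parts, /[.:]/)
            port = parts[n] + 0
            addr = substr(ep, 1, length(ep) - length(parts[n]) - 1)
            if (port != 25 && port != 587) next
            # Loopback is fine; "*", "0.0.0.0", "::" or a real address is not.
            if (addr == "127.0.0.1" || addr == "::1") next
            print "exposed SMTP listener: " ep
            exposed = 1
        }
        END { if (exposed) exit 1; exit 0 }
    '
}

# Constructed sample listings (not captured from a real host).
# Before the change: port 25 bound to every address, in both formats.
SAMPLE_BEFORE='*.25 *.* 0 0 49152 0 LISTEN
127.0.0.1.587 *.* 0 0 49152 0 LISTEN
tcp        0      0 0.0.0.0:25        0.0.0.0:*   LISTEN
tcp6       0      0 :::25             :::*        LISTEN
tcp        0      0 127.0.0.1:6010    0.0.0.0:*   LISTEN'

# After the change: MTA and MSA only on loopback.
SAMPLE_AFTER='127.0.0.1.25 *.* 0 0 49152 0 LISTEN
127.0.0.1.587 *.* 0 0 49152 0 LISTEN
tcp        0      0 127.0.0.1:25      0.0.0.0:*   LISTEN
tcp6       0      0 ::1:25            :::*        LISTEN'

# Count the exposed sockets in a listing passed as a string.
count_exposed() {
    printf '%s\n' "$1" | smtp_public_listeners | wc -l | tr -d ' '
}

# Demonstration on the samples; on a live host run: netstat -an | smtp_public_listeners
printf '%s\n' "$SAMPLE_BEFORE" | smtp_public_listeners || echo "before: exposed listeners found"
printf '%s\n' "$SAMPLE_AFTER"  | smtp_public_listeners && echo "after: loopback only"
```

The exit status makes the function usable from cron or a configuration check: a non-zero result on a host that is not supposed to be a mail server means sendmail (or something else) has come back up bound to a public address, which is the thing the DAEMON_OPTIONS change is meant to prevent. Remember that this checks only the listening side; the CLIENT_OPTIONS line still lets the host send mail out.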