Re: sendmail problem
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Mon, 13 Mar 2006 13:56:13 -0600
On 12 Mar 2006, in the Usenet newsgroup comp.os.linux.misc, in article
<1142228850.700936.231130@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, danish wrote:
By doing # netstat -apn |grep sendmail...it shows that sendmail is
listening on port 25..
#netstat -apn|grep sendmail
tcp 0 0 127.0.0.1:25 0.0.0.0:*
Yes, but it's port 25 only on localhost. That's the item in the Sendmail-FAQ
I was pointing at. And right out of the RELEASE-NOTES file on the first CD:
sendmail
* By default, the Sendmail mail transport agent (MTA) does not accept
network connections from any host other than the local computer. If
you want to configure Sendmail as a server for other clients, you
must edit /etc/mail/sendmail.mc and change the DAEMON_OPTIONS line to
also listen on network devices (or comment out this option entirely
using the dnl comment delimiter). You must then regenerate
/etc/mail/sendmail.cf by running the following command (as root):
make -C /etc/mail
Note that you must have the sendmail-cf package installed for this to
work.
This change was first put into effect on Red Hat 7.1 in an effort to reduce
the number of open spam relays.
Moe im using fedora3...with sendmail-8.13.1-2...
OK, that's the out-of-box package. I'm not using Fedora, but the last time
I checked the updates site, it had not been updated (although many other
packages had).
I didnt understand ur question...
Do you really need all those ports open?
While your system is only accepting connections to port 25 on localhost, you
have a LOT of other risky ports apparently open to the world. That's generally
not a good idea. I've edited your post here to remove the send and receive
queue data (all zeros, and not relevant to this discussion). By the way, this
list differs from your original post in a number of specific ports that are
open.
# netstat -tupan
Active Internet connections (servers and established)
Proto Local Address Foreign Address State PID/Program name
tcp 0.0.0.0:32769 0.0.0.0:* LISTEN 2100/xfs
tcp 0.0.0.0:32771 0.0.0.0:* LISTEN 2680/X
tcp 0.0.0.0:515 0.0.0.0:* LISTEN 1955/xinetd
tcp 0.0.0.0:3306 0.0.0.0:* LISTEN 1988/mysqld
tcp 0.0.0.0:3050 0.0.0.0:* LISTEN 1955/xinetd
tcp 0.0.0.0:139 0.0.0.0:* LISTEN 2110/smbd
tcp 0.0.0.0:445 0.0.0.0:* LISTEN 2110/smbd
All of these are "open to the world" except as limited by your perimeter
firewall. The third one for example is a printer daemon. I don't know
about you, but I see no reason to let the world print on my printer.
The same is true of mysqld. At the very least, see that all of these
ports are blocked at your perimeter.
tcp 127.0.0.1:5335 0.0.0.0:* LISTEN 1862/mDNSResponder
This one is useless. You have the Multicast DNS responder listening on the
wrong port (should be 5353), but only on the loopback, where is should have
no traffic.
tcp 127.0.0.1:25 0.0.0.0:* LISTEN 2039/sendmail: acce
That's sendmail as noted above.
tcp 192.168.10.240:32785 66.249.87.99:80 TIME_WAIT -
tcp 192.168.10.240:32784 66.249.87.99:80 TIME_WAIT -
That's two connections to google.com that finished earlier and are closing.
tcp :::6000 :::* LISTEN 2680/X
tcp :::80 :::* LISTEN 2070/httpd
tcp :::22 :::* LISTEN 1900/sshd
tcp :::443 :::* LISTEN 2070/httpd
tcp :::7100 :::* LISTEN 2100/xfs
These are IPv6 services. There are only ten IPv6 allocations in India as of
mid-February, but they have the same security implications that IPv4 has.
You should block these at the perimeter even if your upstream doesn't offer
IPv6 routing.
udp 192.168.10.240:137 0.0.0.0:* 2114/nmbd
udp 0.0.0.0:137 0.0.0.0:* 2114/nmbd
udp 192.168.10.240:138 0.0.0.0:* 2114/nmbd
udp 0.0.0.0:138 0.0.0.0:* 2114/nmbd
Block these at the perimeter.
udp 0.0.0.0:68 0.0.0.0:* 1638/dhclient
I don't use DHCP. RFC1918 allocated 19 million IP addresses for private
use, so the original rational for DHCP (and the earlier BOOTP) of allowing
multiple re-use of limited IP addresses by many computers is long gone.
Microsoft adopted the concept to reduce the effort needed to set up a
computer, at the cost of security (which has never been a priority there)
and increased complexity of setting up a DHCP server. Indeed, that's the
reason for a link-local (ZeroConf) setup - when the MCSE has so screwed up
the DHCP server that even windoze won't work.
udp 0.0.0.0:5353 0.0.0.0:* 1862/mDNSResponder
This should also be blocked at the perimeter. This service hasn't been
standardized yet (still in the draft RFC stage), and there is a competing
service from microsoft. Both admit in the draft documents to be substantial
security risks. The purpose of these is to fake a DNS service for the
link-local (ZeroConf) service used when your systems can't reach a DHCP
server.
Old guy
.
- Follow-Ups:
- Re: sendmail problem
- From: danish
- Re: sendmail problem
- References:
- sendmail problem
- From: danish
- Re: sendmail problem
- From: ynotssor
- Re: sendmail problem
- From: danish
- sendmail problem
- Prev by Date: Re: Terminal won't let me write superuser password
- Next by Date: Re: Terminal won't let me write superuser password
- Previous by thread: Re: sendmail problem
- Next by thread: Re: sendmail problem
- Index(es):
Relevant Pages
|
