Binding sendmail to the loopback interface
The sendmail SMTP server ships with the vast majority of UNIX operating systems, and by default it is configured to listen for new connections on every interface on TCP ports 25 (SMTP) and 587 (message submission, MSA), which netstat shows as *.25 and *.587. On workstations and servers that are not responsible for receiving mail from the network, this exposes the daemon needlessly and can cause chaos when a new sendmail exploit is released into the wild. The listening addresses are controlled by the "DaemonPortOptions" settings in the sendmail configuration file (usually /etc/mail/sendmail.cf). The default configuration looks similar to the following:
O DaemonPortOptions=Name=MTA-v4, Family=inet
O DaemonPortOptions=Port=587, Name=MSA, M=E
If we add "Addr=127.0.0.1" to each entry, sendmail will only listen for new connections on the IPv4 loopback interface:
O DaemonPortOptions=Addr=127.0.0.1,Port=25,Name=MTA
O DaemonPortOptions=Addr=127.0.0.1,Port=587,Name=MSA, M=E
Once the changes are integrated into sendmail.cf (preferably by editing the DAEMON_OPTIONS lines in sendmail.mc and regenerating sendmail.cf with m4, since hand edits to sendmail.cf are lost the next time the file is regenerated), sendmail needs to be restarted. Note that Addr=127.0.0.1 covers IPv4 only: if the configuration also carries a Family=inet6 daemon entry, that entry needs Addr=::1 as well, and local processes on the host can of course still reach the daemon. Once sendmail is restarted, we can view the new behavior with the netstat command (the egrep pattern is loose and will also match unrelated lines containing 25 or 587, so check the local-address column rather than trusting the match alone):
$ netstat -an | egrep LISTEN | egrep '(25|587)'
127.0.0.1.25 *.* 0 0 49152 0 LISTEN
127.0.0.1.587 *.* 0 0 49152 0 LISTEN
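A quick way to confirm the result on any host, as an added example that is not part of the original post: the shell function below reads netstat -an output on stdin and fails if anything is listening on TCP 25 or 587 on an address other than 127.0.0.1 or ::1. It assumes the Solaris-style addr.port local-address column shown above or the Linux-style addr:port form, and the sample netstat lines it runs over are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added check (not from the original post): verify that the only listeners on
# TCP 25 and 587 are bound to a loopback address. Reads "netstat -an" output
# on stdin; understands the Solaris-style "addr.port" column and the Linux
# "addr:port" form (assumed layouts). Exit 0 = only loopback listeners on
# 25/587; exit 1 = at least one wildcard or real-interface listener, which is
# printed.
check_loopback_only() {
    awk '
    /LISTEN/ {
        local = ""
        # The local-address column is the first field ending in a separator
        # plus a port number; netstat layouts differ, so scan the fields
        # rather than hard-coding a column index.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /[.:][0-9]+$/) { local = $i; break }
        }
        if (local == "") next
        n = split(local, parts, /[.:]/)
        port = parts[n]
        addr = substr(local, 1, length(local) - length(port) - 1)
        if (port != "25" && port != "587") next
        if (addr != "127.0.0.1" && addr != "::1") {
            print "non-loopback listener: " $0
            bad = 1
        }
    }
    END { exit bad }
    '
}

# Constructed sample output (not captured from a real host). The first set is
# the stock configuration listening on every interface; the second is the
# loopback-bound configuration from the post plus a Linux-style IPv6 line.
wildcard_sample() {
    cat <<'EOF'
      *.25                 *.*                0      0 49152      0 LISTEN
      *.587                *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
EOF
}

loopback_sample() {
    cat <<'EOF'
127.0.0.1.25         *.*                0      0 49152      0 LISTEN
127.0.0.1.587        *.*                0      0 49152      0 LISTEN
      *.22           *.*                0      0 49152      0 LISTEN
tcp        0      0 ::1:25                  :::*                    LISTEN
EOF
}

# On a live host:  netstat -an | check_loopback_only
# The demonstration below runs the check over the constructed samples.
if wildcard_sample | check_loopback_only; then
    echo "wildcard sample: unexpectedly passed"
else
    echo "wildcard sample: listeners on 25/587 are not loopback-only"
fi
if loopback_sample | check_loopback_only; then
    echo "loopback sample: only loopback listeners on 25/587"
fi
```

The port is compared as the whole last component of the local address, so a listener on 2500 or 1587 is not mistaken for the SMTP or MSA port the way the bare egrep '(25|587)' above would be.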
Back in the sendmail 8.10/8.11 days, a smart relay could be used to forward mail, alleviating the need to run sendmail as a daemon. I am still trying to find a way to revert to the old behavior, but the MSP seems to cause some issues when smart relays are in use. More to come …
bish on June 5th, 2007
Again: do not, do not, do not modify the sendmail.cf file: you will be forced to re-do your mods, by hand, on each upgrade. This becomes a real challenge vs an easily avoidable nuisance when one gets into custom rules and routing.
We only get one lifetime. That’s too long to spend making our lives more difficult by hacking sendmail’s cf file directly, and seeing as the MC file is right there the whole thing approaches lunacy.