Binding sendmail to the loopback interface

The sendmail SMTP server ships with the vast majority of UNIX operating systems and, by default, is configured to listen for new connections on TCP ports *.25 (SMTP) and *.587 (MSP). For workstations and servers that aren’t responsible for mail delivery, this can cause chaos when a new sendmail exploit is released into the wild. This behavior can be changed by adjusting the “DaemonPortOptions” entries in the sendmail configuration file (usually /etc/mail/sendmail.cf). The default configuration looks similar to the following:

O DaemonPortOptions=Name=MTA-v4, Family=inet
O DaemonPortOptions=Port=587, Name=MSA, M=E

If we add “Addr=127.0.0.1” to each entry, sendmail will only listen for new connections on the loopback interface:

O DaemonPortOptions=Addr=127.0.0.1,Port=25,Name=MTA
O DaemonPortOptions=Addr=127.0.0.1,Port=587,Name=MSA, M=E

Once the changes are integrated into the sendmail.cf file (by hand editing the sendmail.cf file or by using M4 macros), sendmail needs to be restarted. Once sendmail is restarted, we can view the new behavior with the netstat command:

$ netstat -an | egrep LISTEN | egrep '(25|587)'
127.0.0.1.25 *.* 0 0 49152 0 LISTEN
127.0.0.1.587 *.* 0 0 49152 0 LISTEN
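
The netstat check above only sees a running daemon. As an added example (not part of the original post), the following shell function audits a sendmail.cf file directly and flags any DaemonPortOptions entry that lacks Addr=127.0.0.1. The function name, the exit-status convention and the sample files are constructed for illustration, and the key matching by first letter is an assumption based on the abbreviated "M=E" in the entries above.

```shell
#!/bin/sh
# Added example: flag DaemonPortOptions entries in a sendmail.cf that are
# not bound to 127.0.0.1.
# Exit status: 0 = every entry is bound to loopback, 1 = at least one entry
# is not, 2 = no active DaemonPortOptions entry was found.
check_daemon_binding() {
    awk '
        # Active entries start with "O"; commented-out entries start with "#".
        /^O[ \t]+DaemonPortOptions=/ {
            seen = 1
            opts = $0
            sub(/^O[ \t]+DaemonPortOptions=/, "", opts)
            n = split(opts, kv, ",")
            addr = ""; port = "25"      # an entry without Port= uses the SMTP port
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", kv[i])
                eq = index(kv[i], "=")
                if (eq == 0) continue
                key = substr(kv[i], 1, 1)   # assumption: first letter identifies the key
                val = substr(kv[i], eq + 1)
                if (key == "A") addr = val
                if (key == "P") port = val
            }
            if (addr == "127.0.0.1") {
                printf "OK      port=%s addr=%s\n", port, addr
            } else {
                printf "EXPOSED port=%s addr=%s\n", port, (addr == "" ? "(all interfaces)" : addr)
                bad = 1
            }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input: the two configurations quoted in this post.
tmp=$(mktemp -d)
printf '%s\n' 'O DaemonPortOptions=Name=MTA-v4, Family=inet' \
              'O DaemonPortOptions=Port=587, Name=MSA, M=E' > "$tmp/default.cf"
printf '%s\n' 'O DaemonPortOptions=Addr=127.0.0.1,Port=25,Name=MTA' \
              'O DaemonPortOptions=Addr=127.0.0.1,Port=587,Name=MSA, M=E' > "$tmp/loopback.cf"

for cf in "$tmp/default.cf" "$tmp/loopback.cf"; do
    echo "== $cf"
    check_daemon_binding "$cf" || echo "-> not loopback-only (status $?)"
done
```

Running the same function against /etc/mail/sendmail.cf after each rebuild from the .mc file catches an upgrade that silently restores the default listeners.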

Back in the sendmail 8.10/8.11 days, a smart relay could be used to forward mail, alleviating the need to run sendmail as a daemon. I am still trying to find a way to revert back to the old behavior, but the MSP seems to cause some issues when smart relays are in use. More to come …

2 thoughts on “Binding sendmail to the loopback interface”

  1. Again: do not, do not, do not, modify the sendmail.cf file: you will be forced to re-do your mods, by hand, on each upgrade. This becomes a real challenge vs an easily avoidable nuisance when one gets into custom rules and routing.

    We only get one lifetime. That’s too long to spend making our lives more difficult by hacking sendmail’s cf file directly, and seeing as the MC file is right there the whole thing approaches lunacy.

  2. Hi Bish,

    I agree that you shouldn’t modify the sendmail.cf directly, and that building from an .mc is the right route to take. For my blog posts, I prefer to quote the directives from the sendmail.cf configuration file, since that is what eventually gets created.

    – Ryan
