The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] MTA + ... (was: more security questions (DNS & securitythread)

Hey Cylar,

Glad you got Apache back up.

On Mon, 22 Aug 2005, Cylar Z wrote:
[snip]
> As to sendmail, am I to understand that to run it
> "locally," I'd turn the daemon back on, but close the
> SMTP port on the iptables firewall?

I'm not sure how mail transports work locally.  I *think* you can turn off
that port altogether because of the way mail transports work, but you may
have to open it up locally (127.0.0.1, a.k.a. localhost).  Try the former
and see if you can e-mail from a user account to another user account; if
you can't, then open up 127.0.0.1:25.

> Assuming your
> answer to that is "yes," do I also safely assume that
> it's the same way with other services that are to be
> run "locally?" I think that's what you said but I want
> to be absolutely sure, before I risk opening any holes
> in my security perimeter that could be exploited.

Well, there are two ways, right?:

   1. Make the daemon listen on 127.0.0.1 only.

   2. Make the daemon listen on 0.0.0.0 (any IP), but block it off
      from non-127.0.0.1 IPs using the firewall.

#1 is more elegant over #2, I think.  But why not combine the best of
both methods:

   3. Make the daemon listen on 127.0.0.1 only, AND block it off
      from non-127.0.0.1 IPs using the firewall.

So do #3 if you can.  To get daemons to listen on 127.0.0.1 only, you'll
need to configure each daemon to listen on 127.0.0.1 only; but some
daemons may not have that option.  And blocking off non-127.0.0.1 IPs is
done through the firewall.

Sendmail is a special case because I don't think it needs to open up ANY
port to transport mails on the same computer; I think it's necessary only
when transporting mails over the network to open up port 25.  But again,
I'm not sure about that so try it out.  (Or maybe someone here knows the
answer?)

> Second, I'm interested in adding a mail server that
> actually can communicate with the outside world. I've
> been hearing that sendmail config is hard and that I
> should use PostFix instead. Your opinion please.

I'm probably not the best person to ask since I haven't done much e-mail
configuring.  From what I've heard at various places it's a good idea to
move away from sendmail.  Postfix is a good alternative.  I personally use
Exim but only because that's the Debian default.  You probably can't go
wrong with either Postfix or Exim, though I've had this impression over
the years that Postfix is a little more configurable and powerful while
Exim is a bit simpler to configure.  But that could be an old idea or even
complete gibberish so I wouldn't put much weight on it without others'
input.

-Mark


-- 
Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.php?uid=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE
PGP key available on the homepage
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
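Below is an added example, not part of Mark's post or the LUGOD archive, that puts option #3 from the reply into practice: generate the firewall rules that keep a port reachable from loopback only, and check which daemons are actually bound to something other than 127.0.0.1 (the "try it out and see" step). It assumes a Linux host with `iptables` and `ss`; the sample `ss -ltn` output is constructed for the example, and the rule generator only prints the commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not part of the original post: implements option #3 from
# Mark's reply (bind to 127.0.0.1 only AND firewall the port off from
# non-loopback sources) plus a check of what is really exposed.
# Assumes a Linux host with iptables and ss available.

# Emit iptables rules that accept a TCP port on the loopback interface and
# drop it from everywhere else. Pipe the output into sh (as root) to apply.
loopback_only_rules() {
    port="$1"
    printf 'iptables -A INPUT -i lo -p tcp --dport %s -j ACCEPT\n' "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Read "ss -ltn" output on stdin and print "PORT ADDR" for each listening
# socket bound to something other than loopback, i.e. reachable from the
# network if the firewall let the packets through.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, p, ":")
        port = p[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "127.0.0.1" && addr != "[::1]") print port, addr
    }'
}

# Constructed sample of "ss -ltn" output (not captured from a real host):
# the MTA on 25 and a database on 3306 are loopback-only; the web server
# on 80 and sshd on 22 listen on every address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:25        0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    [::1]:3306          [::]:*
LISTEN 0      128    *:22                *:*'

# Run the exposure check over the constructed sample.
# Prints "80 0.0.0.0" and "22 *".
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
}

# On a live host:   ss -ltn | exposed_listeners
# Then, for each port that should stay local-only:
#                   loopback_only_rules PORT | sh
```

The firewall rules are the belt to the daemon configuration's braces: if a daemon is later reconfigured (or a new one installed) to listen on 0.0.0.0, the DROP rule still keeps the port closed to the network, while the listener check shows the mismatch so it can be fixed at the source. For Postfix, which comes up later in the thread, the setting that restricts the listener to loopback is `inet_interfaces = loopback-only` in `main.cf`.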