Re: How To Set Up Mail-out-only System ?
On Wed, Feb 11, 2004 at 08:47:46PM -0800, Rick Moen wrote:
> Quoting Michael Stone ([EMAIL PROTECTED]):
>
> > comment out the line in inetd.conf and remove any S20exim links in
> > /etc/rc?.d. Removing the S links is the proper way to keep a service
> > from running in debian; the link removal is preserved across upgrades.
>
> Nick didn't sound as if he wanted to prevent Exim from running; he
> needed it to cease listening to his outside interface's port 25.
> (Without an MTA of some sort running, strictly local mail might have a
> bit of a problem, no?)  Thus my suggestion of saying in exim.conf that
> the only interface the daemon should listen on is loopback.

The default Debian Exim configuration will still work even if you remove
the links and don't start the daemon: local mail submission works via a
setuid binary, not over port 25, and if for whatever reason the message
can't be handled immediately, the crontab fragment in /etc/cron.d/exim
will do a queue run every 15 minutes.

-- 
William Aoki   KD7YAF   [EMAIL PROTECTED]        /\  ASCII Ribbon Campaign
                                                    \ / No HTML in mail or news!
                                                     X
                                                    / \
Re: How To Set Up Mail-out-only System ?
Quoting Will Aoki ([EMAIL PROTECTED]):

> The default Debian Exim configuration will still work even if you remove
> the links and don't start the daemon: local mail submission works via a
> setuid binary, not over port 25, and if for whatever reason the message
> can't be handled immediately, the crontab fragment in /etc/cron.d/exim
> will do a queue run every 15 minutes.

Good to know; thanks.  (I've never needed to run that configuration.)

-- 
Cheers,                    The cynics among us might say:  "We laugh,
Rick Moen                  monkeyboys -- Linux IS the mainstream UNIX now!
[EMAIL PROTECTED]          MuaHaHaHa!"  but that would be rude.   -- Jim Dennis
Re: How To Set Up Mail-out-only System ?
> On Wed, 11 Feb 2004 01:41:13 +0000, I wrote:
>
> The idea of removing the -bd switch from the Exim startup line in
> /etc/init.d/exim is appealing, though I guess I'd have to remember to
> make that amendment every time a major upgrade occurred ... in that
> context, I suppose editing exim.conf is more correct, in that upgrades
> should offer me the chance to keep my customised exim.conf.

Both /etc/init.d/exim and /etc/exim/exim.conf are Debian conffiles,
which means that they will not be overwritten automatically on package
upgrades.  When dpkg is asked to install a new version of a conffile
that was edited manually, the default behavior is, IIRC, to present you
with a menu which allows you to view the diff between your and the
package maintainer's version, install the new version (and back up
yours), not to touch the conffile and install the maintainer's version
as FILENAME.dpkg-new, and more.

-- 
alexkon

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: How To Set Up Mail-out-only System ?
On Wed, Feb 11, 2004 at 01:41:13AM +0000, Nick Boyce wrote:
> I've just set up a secure (you know .. more than usual) Debian system,
> and want to arrange things so that it can send mail out when necessary
> (in case anything happens that it thinks I should know about) but is
> *not* constantly listening for incoming mail.
>
> Is there a best way of doing this ?

comment out the line in inetd.conf and remove any S20exim links in
/etc/rc?.d. Removing the S links is the proper way to keep a service
from running in debian; the link removal is preserved across upgrades.

Mike Stone
Re: How To Set Up Mail-out-only System ?
Quoting Michael Stone ([EMAIL PROTECTED]):

> comment out the line in inetd.conf and remove any S20exim links in
> /etc/rc?.d. Removing the S links is the proper way to keep a service
> from running in debian; the link removal is preserved across upgrades.

Nick didn't sound as if he wanted to prevent Exim from running; he
needed it to cease listening to his outside interface's port 25.
(Without an MTA of some sort running, strictly local mail might have a
bit of a problem, no?)  Thus my suggestion of saying in exim.conf that
the only interface the daemon should listen on is loopback.

I think everyone's so used to giving the "remove the symlinks" answer
that they didn't stop to consider better ways, in light of Nick's
described situation.

-- 
Cheers,                There are only 10 types of people in this world --
Rick Moen              those who understand binary arithmetic and those who don't.
[EMAIL PROTECTED]
How To Set Up Mail-out-only System ?
Sorry if this is a dumb question ...

I've just set up a secure (you know .. more than usual) Debian system,
and want to arrange things so that it can send mail out when necessary
(in case anything happens that it thinks I should know about) but is
*not* constantly listening for incoming mail.

Is there a best way of doing this ?

The default Exim MTA is installed, and I've commented out the SMTP line
from inetd.conf, but there is a /etc/init.d/exim startup script that
comes with the Exim package, that has this :

    # Exit if exim runs from /etc/inetd.conf
    if [ -f /etc/inetd.conf ] && grep -q "^ *smtp" /etc/inetd.conf; then
        exit 0
    fi
    [...]
    case "$1" in
      start)
        echo -n "Starting MTA: "
        start-stop-daemon --start --pidfile /var/run/exim/exim.pid \
            --exec $DAEMON -- -bd -q30m

So one way or the other, Exim gets to listen.

In exim.conf, there is

    # This will cause it to accept mail only from the local interface
    #local_interfaces = 127.0.0.1

so I could set that option.  Would that stop Exim from binding to the
ethernet interface ?

Should I just remove the S20exim symlink from rc?.d ?  That seems a bit
of a kludge.  If this was NetBSD, I'd set something like "exim=no" in
somewhere like rc.conf ... is there a Debian equivalent to that ?

TIA for any advice.

Nick Boyce
Bristol, UK
Re: How To Set Up Mail-out-only System ?
On Tue, 2004-02-10 at 20:41, Nick Boyce wrote:
> Sorry if this is a dumb question ...
>
> I've just set up a secure (you know .. more than usual) Debian system,
> and want to arrange things so that it can send mail out when necessary
> (in case anything happens that it thinks I should know about) but is
> *not* constantly listening for incoming mail.
>
> Is there a best way of doing this ?

You might want to check out ssmtp.

...Murray
Re: How To Set Up Mail-out-only System ?
Quoting Murray J. Brown ([EMAIL PROTECTED]):

> You might want to check out ssmtp.

Also nullmailer and smtppush.  See:  "Nullmailers" on
http://linuxmafia.com/kb/Mail/

-- 
Cheers,                There are only 10 types of people in this world --
Rick Moen              those who understand binary arithmetic and those who don't.
[EMAIL PROTECTED]
Re: How To Set Up Mail-out-only System ?
On Wed, Feb 11, 2004 at 01:41:13AM +0000, Nick Boyce wrote:
> I've just set up a secure (you know .. more than usual) Debian system,
> and want to arrange things so that it can send mail out when necessary
> (in case anything happens that it thinks I should know about) but is
> *not* constantly listening for incoming mail.

You could firewall incoming port 25 connections...

-- 
------------------------------------------------------
   Dale Amon     [EMAIL PROTECTED]    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
              "Have Laptop, Will Travel"
------------------------------------------------------
Re: How To Set Up Mail-out-only System ?
On Wed, Feb 11, 2004 at 01:41:13AM +0000, Nick Boyce wrote:
[want a send-only exim]
> The default Exim MTA is installed, and I've commented out the SMTP line
> from inetd.conf, but there is a /etc/init.d/exim startup script that
> comes with the Exim package, that has this :
>
>     # Exit if exim runs from /etc/inetd.conf
>     if [ -f /etc/inetd.conf ] && grep -q "^ *smtp" /etc/inetd.conf; then
>         exit 0
>     fi
>     [...]
>     case "$1" in
>       start)
>         echo -n "Starting MTA: "
>         start-stop-daemon --start --pidfile /var/run/exim/exim.pid \
>             --exec $DAEMON -- -bd -q30m

If you remove the '-bd', exim will run as a daemon, but it will only
send mail out (processing its queue).  It won't bind tcp/25 to receive
mail.  (Exim will use a different pid file, so the init script has to be
modified for that, too.  I've attached one with the necessary
modifications.)

> Should I just remove the S20exim symlink from rc?.d ?

If you don't want exim to run as a daemon at all, then you should
rename those links to K20exim.  The crontab fragment in
/etc/cron.d/exim will do a queue run four times an hour.

> That seems a bit of a kludge.  If this was NetBSD, I'd set something
> like "exim=no" in somewhere like rc.conf ... is there a Debian
> equivalent to that ?

If you don't want to drive it the System V-ish way, you could probably
do something like that:

add to exim init script:

| . /etc/default/exim
| if [ "$SHOULDIRUN" = "no" ]; then
|    exit 0;
| fi

then create /etc/default/exim and add:

| SHOULDIRUN=no

-- 
William Aoki   KD7YAF   [EMAIL PROTECTED]        /\  ASCII Ribbon Campaign
                                                    \ / No HTML in mail or news!
                                                     X
                                                    / \

#! /bin/sh
# /etc/init.d/exim
#
# Written by Miquel van Smoorenburg [EMAIL PROTECTED].
# Modified for Debian GNU/Linux by Ian Murdock [EMAIL PROTECTED].
# Modified for exim by Tim Cutts [EMAIL PROTECTED]

set -e

# Exit if exim runs from /etc/inetd.conf
if [ -f /etc/inetd.conf ] && grep -q "^ *smtp" /etc/inetd.conf; then
	exit 0
fi

DAEMON=/usr/sbin/exim
NAME=exim

test -x $DAEMON || exit 0

case "$1" in
  start)
    echo -n "Starting MTA: "
    # No -bd: queue-runner daemon only, so nothing binds tcp/25.
    # Exim names the pid file after the -q interval in this mode.
    start-stop-daemon --start --pidfile /var/run/exim/exim.pid-q30m \
	--exec $DAEMON -- -q30m
    echo "exim."
    ;;
  stop)
    echo -n "Stopping MTA: "
    start-stop-daemon --stop --pidfile /var/run/exim/exim.pid-q30m \
	--oknodo --retry 30 --exec $DAEMON
    echo "exim."
    ;;
  restart)
    echo -n "Restarting MTA: "
    start-stop-daemon --stop --pidfile /var/run/exim/exim.pid-q30m \
	--oknodo --retry 30 --exec $DAEMON
    start-stop-daemon --start --pidfile /var/run/exim/exim.pid-q30m \
	--exec $DAEMON -- -q30m
    echo "exim."
    ;;
  reload|force-reload)
    echo "Reloading $NAME configuration files"
    start-stop-daemon --stop --pidfile /var/run/exim/exim.pid-q30m \
	--signal 1 --exec $DAEMON
    ;;
  *)
    echo "Usage: /etc/init.d/$NAME {start|stop|restart|reload}"
    exit 1
    ;;
esac

exit 0
Re: How To Set Up Mail-out-only System ?
Quoting Dale Amon ([EMAIL PROTECTED]):

> You could firewall incoming port 25 connections...

Smarter to just edit /etc/exim/exim.conf to set

  local_interfaces = 127.0.0.1

in the main section, and then just HUP Exim.

See also:
http://slashdot.org/comments.pl?sid=92798&cid=7980769
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=227981

-- 
Cheers,                There are only 10 types of people in this world --
Rick Moen              those who understand binary arithmetic and those who don't.
[EMAIL PROTECTED]
Re: How To Set Up Mail-out-only System ?
On Wed, 11 Feb 2004 11:53:38 +1000, Clayton Russell wrote:

> On Wed, 2004-02-11 at 11:41, Nick Boyce wrote:
> > Sorry if this is a dumb question ...
> >
> > I've just set up a secure (you know .. more than usual) Debian system,
> > and want to arrange things so that it can send mail out when necessary
> > (in case anything happens that it thinks I should know about) but is
> > *not* constantly listening for incoming mail.
>
> If you would like to use postfix you can comment out the
>
>     smtp inet n - n - - smtpd
>
> line in /etc/postfix/master.cf, which stops the daemon listening on
> port 25, but does not affect sending mail.

Thanks Clayton - that's very useful - I was planning to look at Postfix
in due course - it seems to have the best security pedigree of any of
the popular MTAs.  [Without wanting to start anything religious here :-)]

Much obliged
Nick

-- 
"Bother," said Pooh, as he struggled with sendmail.cf, "it never does
quite what I want.  I wish Christopher Robin was here."
Re: How To Set Up Mail-out-only System ?
On Wed, 11 Feb 2004 02:40:07 +0100, Nick Boyce [EMAIL PROTECTED] wrote:
> Sorry if this is a dumb question ...
>
> I've just set up a secure (you know .. more than usual) Debian system,
> and want to arrange things so that it can send mail out when necessary
> (in case anything happens that it thinks I should know about) but is
> *not* constantly listening for incoming mail.
>
> Is there a best way of doing this ?
>
> The default Exim MTA is installed, and I've commented out the SMTP line
> from inetd.conf, but there is a /etc/init.d/exim startup script that
> comes with the Exim package, that has this :
>
>     # Exit if exim runs from /etc/inetd.conf
>     if [ -f /etc/inetd.conf ] && grep -q "^ *smtp" /etc/inetd.conf; then
>         exit 0
>     fi
>     [...]
>     case "$1" in
>       start)
>         echo -n "Starting MTA: "
>         start-stop-daemon --start --pidfile /var/run/exim/exim.pid \
>             --exec $DAEMON -- -bd -q30m
>
> So one way or the other, Exim gets to listen.
>
> In exim.conf, there is
>
>     # This will cause it to accept mail only from the local interface
>     #local_interfaces = 127.0.0.1
>
> so I could set that option.  Would that stop Exim from binding to the
> ethernet interface ?
>
> Should I just remove the S20exim symlink from rc?.d ?  That seems a bit
> of a kludge.  If this was NetBSD, I'd set something like "exim=no" in
> somewhere like rc.conf ... is there a Debian equivalent to that ?
>
> TIA for any advice.
>
> Nick Boyce
> Bristol, UK

Just firewall off port 25 from the network.  Leave it visible internally
on the loopback, so you can still use it for a local MTA.

-- 
Jim Richardson     http://www.eskimo.com/~warlock
"We have to go forth and crush every world view that doesn't believe in
tolerance and free speech," - David Brin
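The thread offers three ways to get a send-only host: tell Exim to bind only loopback (local_interfaces), comment out the smtpd service in Postfix's master.cf, or firewall inbound port 25 while leaving loopback open. Whichever route is taken, the thing worth verifying afterwards is the running system, not the edited file. The script below is an added example, not code from any poster, from Debian, or from the Exim/Postfix projects: it checks an exim.conf text for a loopback-only local_interfaces setting, checks a master.cf text for a still-active inet smtpd service, scans netstat-style listener output for port 25 bound to anything other than 127.0.0.1 or ::1, and prints the iptables rules for the firewall route in the order that makes them correct. Inputs are passed as text so it runs offline on the constructed samples embedded in it; on a live host substitute the real files and `netstat -ltn` output. Assumed rather than stated in the thread: Exim's list separator is a colon (the samples use IPv4 items only), the command is the eighth column of master.cf, and the listener table follows the classic netstat layout rather than `ss`.

```shell
#!/bin/sh
# Added example (not from any poster, Debian or the Exim/Postfix projects):
# offline checks for the "send-only MTA" posture discussed in the thread.
# Each function takes its input as text so it can be exercised on the
# constructed samples below and, on a live host, on the real files/output.
# Assumed, not stated in the thread: Exim's list separator is ':' (IPv4
# items only here), master.cf's 8th column is the command, and the
# listener table is in the classic "netstat -ltn" layout.

# --- constructed samples (not captured from a real system) ----------------
EXIM_DEFAULT='# This will cause it to accept mail only from the local interface
#local_interfaces = 127.0.0.1
qualify_domain = ids.example.org'
EXIM_LOOPBACK='local_interfaces = 127.0.0.1
qualify_domain = ids.example.org'
EXIM_MIXED='local_interfaces = 127.0.0.1 : 192.0.2.10'
MASTER_DEFAULT='smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup'
MASTER_FIXED='#smtp     inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup'
NETSTAT_DEFAULT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'
NETSTAT_FIXED='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# exim_loopback_only CONFTEXT
#   Exit 0 when the last uncommented local_interfaces setting names only
#   127.x addresses.  Unset (the shipped, commented-out default) or a list
#   containing a non-loopback address means the daemon binds the outside
#   interface, which is what the original poster wanted to avoid.
exim_loopback_only() {
    value=$(printf '%s\n' "$1" | awk '
        /^[ \t]*local_interfaces[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); v = $0 }
        END { print v }')
    [ -n "$value" ] || return 1
    printf '%s\n' "$value" | tr ':' '\n' | awk '
        BEGIN { bad = 0 }
        { gsub(/[ \t]/, "") }
        $0 == "" { next }
        $0 !~ /^127\./ { bad = 1 }
        END { exit bad }'
}

# postfix_smtpd_disabled MASTERCF
#   Exit 0 when no active "<name> inet ... smtpd" service remains, i.e. the
#   smtp line has been commented out as described for Postfix.
postfix_smtpd_disabled() {
    printf '%s\n' "$1" | awk '
        BEGIN { found = 0 }
        $1 !~ /^#/ && $2 == "inet" && $8 == "smtpd" { found = 1 }
        END { exit found }'
}

# external_smtp_listeners NETSTAT_OUTPUT
#   Prints each TCP port-25 listener not bound to 127.0.0.1 or ::1 and
#   exits 0 only when there are none.  Run this after any of the fixes,
#   since it tests the running system rather than a file.
external_smtp_listeners() {
    printf '%s\n' "$1" | awk '
        BEGIN { n = 0 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            host = $4; sub(/:[^:]*$/, "", host)
            if (port == "25" && host != "127.0.0.1" && host != "::1") {
                print $4; n++
            }
        }
        END { exit (n > 0) }'
}

# smtp_input_rules
#   The firewall route: accept port 25 on loopback, reset everything else.
#   The loopback ACCEPT must precede the REJECT; outbound mail is not
#   affected because only INPUT is filtered.
smtp_input_rules() {
    printf '%s\n' \
        'iptables -A INPUT -i lo -p tcp --dport 25 -j ACCEPT' \
        'iptables -A INPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset'
}

# Demo on the constructed samples.  On a live Debian host substitute
# "$(cat /etc/exim/exim.conf)", "$(cat /etc/postfix/master.cf)" and
# "$(netstat -ltn)".
exim_loopback_only "$EXIM_DEFAULT"  && echo "exim (shipped): loopback only" \
                                    || echo "exim (shipped): binds all interfaces"
exim_loopback_only "$EXIM_LOOPBACK" && echo "exim (edited):  loopback only" \
                                    || echo "exim (edited):  binds all interfaces"
external_smtp_listeners "$NETSTAT_DEFAULT" || echo "^ port 25 reachable from the network"
```

The file-based checks only say what the daemon will do on its next start or HUP; the listener scan is the one that confirms it actually happened, so run it after restarting. Modern `ss -ltn` puts the state in the first column, so feed this function `netstat -ltn` output or adjust the field numbers. Pipe `smtp_input_rules` to `sh` as root to apply the firewall rules on a box that keeps Exim listening everywhere.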
Re: How To Set Up Mail-out-only System ?
On Wed, 11 Feb 2004 01:41:13 +0000, I wrote:

> I've just set up a secure (you know .. more than usual) Debian system,
> and want to arrange things so that it can send mail out when necessary
> (in case anything happens that it thinks I should know about) but is
> *not* constantly listening for incoming mail.
>
> Is there a best way of doing this ?

Thanks for all the great advice, people.

The idea of removing the -bd switch from the Exim startup line in
/etc/init.d/exim is appealing, though I guess I'd have to remember to
make that amendment every time a major upgrade occurred ... in that
context, I suppose editing exim.conf is more correct, in that upgrades
should offer me the chance to keep my customised exim.conf.

I'd rather stay with a mainstream MTA than switch to a smaller dedicated
null mailer, on the premise that mainstream MTAs will stay better
maintained - though the smaller attack surface of the dedicated mailers
is a Good Thing I suppose.

I may need timely notifications from this box (ok, it's an IDS), so I
don't want to rely on periodic cron-initiated mailer runs.

Again, many thanks for all the help.

Nick Boyce
Bristol, UK

-- 
We did a risk management review.  We concluded that there was no risk
of any management.
        -- Hugo Mills [EMAIL PROTECTED]