sendmail mystery

Jonathan Hutchins hutchins at opus1.com
Sun Jun 30 03:50:02 CDT 2002


> -----Original Message-----
> From: Mark Hutchings [mailto:desynergy at onebox.com]

> The release notes state: By default, sendmail does not accept network
> connections from any host other than the local computer.
 
> To fix this problem:
> Edit the file: /etc/mail/sendmail.mc
> Change the local address defined in the DAEMON_OPTIONS
> line (127.0.0.1) to 0.0.0.0 so that it accepts from all IPs.

Or just comment it out with "dnl "

> You will then need to regenerate /etc/sendmail.cf by running:
> m4 /etc/mail/sendmail.mc > /etc/sendmail.cf

You will also need to restart sendmail by running:
/etc/init.d/sendmail restart

But that didn't work.  Any of it.  There are a lot of other .mc files that
contribute to the final .cf file, and I'm rusty on my sendmail.cf macros.  I
kept weeding through, trying to find stuff, turning the port on and off,
setting different addresses, etc.  Nothing worked.  

I finally shut down sendmail and configured Apache to listen to port 25 -
and I still couldn't connect to port 25 except from localhost.  So I knew it
wasn't sendmail.  I started just browsing through the file system, using mc
and starting at /.  Fortunately, the system's pretty stripped down, I have
uninstalled anything I know we're not using, so there was less to look at
than your average "I've always wanted to mess with that" install.

Finally, in /proc modules, I found that ipchains was loaded.  I had checked
earlier to see if it was a firewall issue by using iptables -L, which gave
me messages about modules not being loaded, leading me to falsely assume
that there was no firewalling configured (I had not set anything up).  

Turns out that the default server load (done by someone at the remote site)
set up an ipchains rule that refuses connections on 25.  Turning off
ipchains allowed me to connect.

I still need to study whatever is setting up ipchains and what the rule is,
then decide whether to remove all ipchains stuff since the machine is
already behind a firewall, or just tune the firewall.  For now, though, it's
working.
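
The diagnosis in this message comes down to two checks: which address the port is bound to, and which packet-filter module is actually loaded, since an `iptables -L` error does not show that ipchains is absent. A sketch of those checks as a script (an added example, not part of the original post; the function names, the module-name list and the sample data are assumptions):

```sh
#!/bin/sh
# Added example. Inputs are files, so the logic also runs on captured output;
# on a live host pass /proc/modules and the saved output of `netstat -ltn`.

# Packet-filter modules named in a /proc/modules-style file ($1).
# The name list is an assumption to extend; filters built into the kernel
# (not loaded as modules) never appear in /proc/modules.
filter_modules() {
    awk '$1 == "ipchains" || $1 == "ip_tables" || $1 == "nf_tables" { print $1 }' "$1"
}

# Local addresses listening on TCP port $2 in `netstat -ltn` output ($1).
listen_addrs() {
    awk -v port="$2" '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":")
        if (a[n] == port) print substr($4, 1, length($4) - length(port) - 1)
    }' "$1"
}

# diagnose MODULES_FILE NETSTAT_FILE PORT
diagnose() {
    addrs=$(listen_addrs "$2" "$3")
    mods=$(filter_modules "$1" | tr '\n' ' ')
    if [ -z "$addrs" ]; then
        echo "nothing-listening"
    elif ! echo "$addrs" | grep -Eqv '^(127\.|::1$)'; then
        echo "loopback-only"            # daemon config, e.g. DAEMON_OPTIONS
    elif [ -n "$mods" ]; then
        echo "check-filter: ${mods% }"  # list rules with that module's own tool
    else
        echo "no-local-filter"          # look upstream of this host
    fi
}

# Constructed sample data modelled on the situation in the post.
demo() {
    d=$(mktemp -d)
    printf 'ipchains 38976 0 (unused)\next3 64624 2\n' > "$d/modules"
    printf 'tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN\n' > "$d/netstat"
    diagnose "$d/modules" "$d/netstat" 25
    rm -rf "$d"
}

if [ "$#" -eq 3 ]; then diagnose "$@"; else demo; fi
```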



