Sendmail question


Limp Gawd
Feb 22, 2001
Is there any way to turn off all incoming connections to sendmail on a freeBSD server? I want to only allow connections from one outside source that is cleaning our email of spam.
Now that I know the answer is yes. How? :) I am at a loss and having a hard time finding how. Can either of you point me in the right direction?

Thanks ahead of time.
Honestly, I'd block off access to sendmail using tcpwrappers instead of trying to do things with sendmail...Or some other firewall. What exactly are you trying to do? It might help if we had a better picture of the whole setup.
Basically we have a Freebsd server running sendmail, apache, mysql etc. It is our primary mail server. We purchased an internet appliance that filters our email for spam and virii then forwards it on to our sendmail server. What is happening, even after changing our MX records to point to the new appliance is the spammers are using our external IP to get spam in. We do not want the sendmail server accepting any messages except from our spam filter. I would just put it behind our router/firewall and give it an internal IP address, however it hosts websites etc..

And of course, me the complete n00b at Freebsd gets to tackle the project. :)
I'd firewall it off using ipf/ipfw and only allow access from the IP you want. Why can't you put it behind a firewall? You should be able to pass port 80 through...
Sendmail can't really be told to only respond to specific addresses. It can be configured to only relay for certain domains, or not accept mail from certain domains, or the like, but tcp wrappers or the firewall would be the best way to do this.

This should be simple but for some reason your external hosts are not firewalled. I guess you have your external hosts and a NAT appliance connected to your service provider. I guess that works but you might consider software firewalls on all external machines and seperate interfaces to connect your external machines to your internal network. Then sendmail could simply bind to only the internal interface.

This is sucks compared to a real DMZ because if your web/mail server gets rooted the attacker can use it to bypass your real firewall, but it requires almost no additional hardware.
Thanks for the tips guys. I am currently the NT admin but I am working on moving over and becoming a Freebsd admin here at work as well. Two different worlds imo. Luckily all of my NT stuff is behind the firewall and not hosting websites, mail etc. That is all Freebsd. Wish me luck.