Re: Telnet 25 port

 
SOLVED
Go to solution
Carme Torca
Super Advisor

Telnet 25 port

Hi,

I want to know if it's possible to deny telnet to the port 25 at one server that works as a sendmail relay.

Thank-you very much!
Carmen.
Users are not too bad ;-)
Stefan Farrelly
Honored Contributor

Re: Telnet 25 port


Easily done: either in /etc/inetd.conf on the server where you want to disable it, comment out the telnet line and then do an inetd -c
OR
set up the /var/adm/inetd.sec file to block telnet only for certain IP addresses. See the man page for inetd.sec

I'm from Palmerston North, New Zealand, but somehow ended up in London...
Carme Torca
Super Advisor

Re: Telnet 25 port

Yes... oh sorry... I have not explained myself correctly. I want to deny access to port 25 to anyone, and I want to do it on one server that is working as a sendmail relay.
Users are not too bad ;-)
Stefan Farrelly
Honored Contributor

Re: Telnet 25 port


To stop sendmail relaying mail through port 25 you can simply stop sendmail on the server in question: /sbin/init.d/sendmail stop

Or you can add an entry to /var/adm/inetd.sec to block port 25 traffic for any or all IP addresses.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Animesh Chakraborty
Honored Contributor

Re: Telnet 25 port

Hi,
Not sure what you want...
Can you block port 25 in the firewall?


Thanks
Animesh
Did you take a backup?
Carme Torca
Super Advisor

Re: Telnet 25 port

Hi,

No, it's not a firewall, it's the mail server.
I can telnet to port 25 and send a mail directly, without connecting to the application... and I want to resolve it.

I don't want to deny telnets that use port 23, only those to port 25, which SMTP uses. But I want (at the same time) that all the mail works correctly.

Thank-you
Users are not too bad ;-)
Santosh Nair_1
Honored Contributor

Re: Telnet 25 port

I don't believe there's a way to disable telneting to port 25 without disabling the ability to receive mail. But if you're looking to secure your mail server, look into using postfix or qmail instead of sendmail.

http://cr.yp.to/qmail.html
http://www.postfix.org

-Santosh
Life is what's happening while you're busy making other plans
Marcin Wicinski
Trusted Contributor

Re: Telnet 25 port

Hi,

You cannot disable telneting to a selected port (25) with standard HPUX procedures. Only by a firewall.

Later,
Marcin Wicinski
Joseph C. Denman
Honored Contributor

Re: Telnet 25 port

Comment out port 25 in the /etc/services file. Then restart inetd:

/usr/sbin/inetd -c

Hope this helps.

...jcd...
If I had only read the instructions first??
Marcin Wicinski
Trusted Contributor

Re: Telnet 25 port

If you comment out port 25 in /etc/services, the smtp protocol won't be available any more.
Marcin Wicinski
rick jones
Honored Contributor

Re: Telnet 25 port

indeed, it is not possible to distinguish between someone who has telnetted to the smtp port versus a connection from another mail server application.

you can use ipfilter/9000 or inetd.sec or tcpwrappers to preclude connections to port 25 from specific IP addresses, and perhaps even from specific remote port numbers.

however, the port number range that telnet will use for its connection(s) is likely indistinguishable from that used by other mail applications
there is no rest for the wicked yet the virtuous have no pillows
Bill Thorsteinson
Honored Contributor

Re: Telnet 25 port

You can't deny telnet to port 25 and have the mail server act properly. The smtp protocol is designed to allow mail to be submitted via telnet or any other process that can do an interactive conversation on port 25.

You can limit how mail is relayed through the mail server. Check the documentation on relay rules. You don't want messages received from outside your network relayed anywhere outside your network.

Security is a little easier if you have separate incoming and outgoing servers. The incoming server only accepts mail destined for your network. The outgoing server does not accept any mail connections from outside your network.
Robin Wakefield
Honored Contributor
Solution

Re: Telnet 25 port

Hi Carme,

You could make it "difficult" for someone to telnet by moving the smtp entry in /etc/services to, say, 5000, and set the daemonportoptions=port=5000 option in sendmail.cf

However, this will only work if you have control of the machines sending mails to this server, as you will also have to add the port number to the delivery agent line in their sendmail.cf, e.g.

Msmtp, P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990,
T=DNS/RFC822/SMTP,
A=IPC $h 5000

Rgds, Robin.
Carme Torca
Super Advisor

Re: Telnet 25 port

OK. I am going to see if I can change all the applications that work with port 25 and change them to 5000.
Thank-you very much!
Users are not too bad ;-)
Volker Borowski
Honored Contributor

Re: Telnet 25 port

Carmen,

sorry to contradict, but to "hide" the service on another port is no real help.

A portscanner will surely detect your mail service on the different port within minutes.

Esp. for mail, you might not be able to receive any mail from elsewhere, because nobody would expect to need to connect to a different port.

Even then, somebody could do "telnet hostname 5000" to connect to your service.

If you need protection, you need a mailproxy. This service is included in several firewall products.

Do not know if this helps
Volker
Carme Torca
Super Advisor

Re: Telnet 25 port

OK. You are right... I will look for some information about mail proxies.

Thank-you
Users are not too bad ;-)
Robin Wakefield
Honored Contributor

Re: Telnet 25 port

Hi Carme,

Yes, Volker is correct, my suggestion was not particularly secure, but would deter a 'casual' attempt to break in.

Rgds, Robin.
Ralf Hildebrandt
Valued Contributor

Re: Telnet 25 port

I haven't seen so many bullshit answers in a while.

a) What exactly do you want to do?

You have several options:

* You can allow use of the mailserver, port 25, for certain hosts/IPs only (e.g. for localhost or ip.of.application.server)

* You can turn off listening to Port 25 altogether, simply by stopping sendmail and restarting it as "sendmail -q30m" instead of "sendmail -db -q30m"

* Or you can tweak rules in sendmail.cf that certain senders are allowed from certain IP's only. It's a pain with sendmail, but possible.

You might want to consider switching to www.postfix.org, which is easier to configure and much more secure. Besides, it's faster.
Postfix/BIND/Security/IDS/Scanner, you name it...
Christopher Caldwell
Honored Contributor

Re: Telnet 25 port

Ralf is right -
There's a big difference between limiting access to a port (ipfilter or firewall)
and
making sure only one host can use you as a relay.

The latter is trivial in modern sendmail.
See RelayTo, DeniedIP, LocalIP to implement application level access control.
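The distinction Ralf and Christopher draw, blocking the port versus deciding per client and per recipient whether relaying is allowed, is what sendmail's access database implements. The following is an added example, not code from the thread or from sendmail itself: a small model of how `Connect:` and `To:` entries in an /etc/mail/access-style file drive the relay decision (longest-prefix match on the client address, suffix match on the recipient domain). The addresses, domains and map contents are constructed.

```python
"""Model of sendmail access_db relay control (added example, not sendmail's code)."""
from typing import Dict, Optional

# Constructed sample of /etc/mail/access (the text makemap would hash).
ACCESS_MAP_TEXT = """\
# client address prefixes: who may relay through this host
Connect:127.0.0.1        RELAY
Connect:10.1.2.30        RELAY
Connect:10.1.2           REJECT
# recipient domains we relay to regardless of client
To:partner.example        RELAY
"""

# Constructed stand-in for the domains this host delivers locally (class w).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}


def parse_access(text: str) -> Dict[str, str]:
    """Turn access-file lines into a key -> action table, skipping comments."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key] = value.strip().upper()
    return table


def lookup_client(table: Dict[str, str], ip: str) -> Optional[str]:
    """Most specific Connect: entry wins: full address, then shorter dotted prefixes."""
    parts = ip.split(".")
    for n in range(len(parts), 0, -1):
        action = table.get("Connect:" + ".".join(parts[:n]))
        if action is not None:
            return action
    return None


def lookup_rcpt_domain(table: Dict[str, str], domain: str) -> Optional[str]:
    """To: entries match the domain itself or any parent domain."""
    labels = domain.lower().split(".")
    for n in range(len(labels)):
        action = table.get("To:" + ".".join(labels[n:]))
        if action is not None:
            return action
    return None


def relay_decision(table: Dict[str, str], client_ip: str, rcpt: str) -> str:
    """SMTP-style reply for RCPT TO from a given client; port 25 stays open for everyone."""
    client = lookup_client(table, client_ip)
    if client == "REJECT":
        return "550 Access denied"
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "250 OK (local delivery)"
    if client == "RELAY":
        return "250 OK (relay permitted for client)"
    if lookup_rcpt_domain(table, domain) == "RELAY":
        return "250 OK (relay permitted for recipient domain)"
    return "550 Relaying denied"
```

Anyone can still telnet to port 25, but only the listed application server gets to relay; everyone else is limited to mail for the local domains.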