Bug 143033 - sendmail no longer appears to be using tcp_wrappers
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: Documentation
All Linux
medium Severity medium
Assigned To: Don Domingo
Content Services Development
: Documentation
Reported: 2004-12-15 16:06 EST by Ian Laurie
Modified: 2009-08-19 23:28 EDT (History)
Doc Type: Bug Fix
Last Closed: 2007-10-19 15:11:07 EDT
Description Ian Laurie 2004-12-15 16:06:58 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.3)

Description of problem:
The hosts.allow and hosts.deny no longer impact on sendmail connections.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Block hosts using the /etc/hosts.deny file.

Actual Results:  Blocked hosts still get through.

Expected Results:  Blocked hosts shouldn't get through.

Additional info:

Although sendmail doesn't run under xinetd, I thought sendmail was
linked with a tcp_wrappers aware library so that sendmail was
effectively a wrapped service (like vsftpd).  I am 99% sure this used
to be the case.

A major issue is that in tcp_wrappers you can block partial networks
using the ip_address/mask syntax, which you cannot do in sendmail.
Comment 1 Ian Laurie 2004-12-15 18:30:16 EST
On further investigation, I found this in the Red Hat Enterprise Linux
3 Reference Guide, section 16.1:

"Because TCP wrappers are a valuable addition to any server
administrator's arsenal of security tools, most network services
within Red Hat Enterprise Linux are linked against the libwrap.a 
library. Some such applications include /usr/sbin/sshd,
/usr/sbin/sendmail, and /usr/sbin/xinetd."

The suggested test:

strings -f /usr/sbin/sendmail | grep hosts_access

Doesn't find the string.
Comment 2 Thomas Woerner 2004-12-16 05:21:14 EST
the sendmail binary is linked against tcp_wrappers:

ldd /usr/sbin/sendmail.sendmail
        libwrap.so.0 => /usr/lib/libwrap.so.0

Please append your hosts.deny file.
Comment 3 Ian Laurie 2004-12-18 20:53:32 EST
I have found my problem.  The syntax expectations of tcp_wrappers for
the address/mask syntax were not as I expected.

For example, failed to match the host whereas I thought it should match.  It seems the address
component must have zeros in the part of the address for which the
mask part has zeros.  So would match

I thought the address component could be any address inside the range,
whereas it seems it must be the *lowest* address in the range.  Is
this behavior intentional?

Perhaps the tcp_wrappers test in the manual should be changed to the
one used by Thomas, since that method works and the one in the manual
Comment 4 Thomas Woerner 2004-12-20 08:30:08 EST
In which manual?
Comment 5 Ian Laurie 2004-12-20 16:04:19 EST
Manual mentioned in comment #1: "Red Hat Enterprise Linux 3 Reference
Guide", section 16.1, in the blue colored "Notes" box.

Your test for the presence of tcp_wrappers worked, whereas the one in
the manual didn't (at least not for the EL version).
Comment 6 Andrius Benokraitis 2004-12-22 11:13:41 EST
rpm -q --whatrequires tcp_wrappers

should also be added per a discussion with twoerner... Also need to
investigate the RHEL4-Beta docs as well for this issue.
Comment 7 Ian Laurie 2004-12-22 22:28:43 EST
This is weird..... on the same RHEL3 box:

  server# rpm -q --whatrequires tcp_wrappers
  no package requires tcp_wrappers

On my Fedora Core 3 box:

  zaurak# rpm -q --whatrequires tcp_wrappers
Comment 8 Thomas Woerner 2006-08-01 09:25:31 EDT
Is this solved for you?
Comment 9 Ian Laurie 2006-08-03 07:05:58 EDT
No it isn't.  The error is with the documentation as stated in comment #1.

The manual says to use:

  strings -f <binary_name> | grep hosts_access

But that does not work.  However this works:

  ldd <binary_name> | grep libwrap

as per your comment #2.

BTW the same bug is in RHEL4's reference manual as well.

Comment 10 Thomas Woerner 2007-07-23 08:14:14 EDT
Reassigning to documentation.
Comment 11 RHEL Product and Program Management 2007-10-19 15:11:07 EDT
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
For more information of the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.
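
The net/mask behaviour reported in comment 3 follows from the rule in hosts_access(5): a client matches when `net` equals the bitwise AND of the client address and the `mask`, so an entry whose address part has host bits set can never match. The following is an added example, not code from this bug report or from tcp_wrappers; the function names and the sample rules (documentation-range addresses) are constructed for illustration, and only the dotted-quad net/mask form is handled.

```python
import ipaddress
import re

# Dotted-quad net/mask token as written in hosts.allow / hosts.deny client lists.
NET_MASK = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,3}(?:\.\d{1,3}){3})")


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def masked_match(net, mask, client):
    """Comparison documented in hosts_access(5): (client & mask) == net."""
    return (_to_int(client) & _to_int(mask)) == _to_int(net)


def lint_rules(text):
    """Return (line_no, token, suggested_token) for each net/mask entry whose
    address part has bits set where the mask has zeros (a rule that never matches)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#"):          # comment lines are ignored
            continue
        for net, mask in NET_MASK.findall(line):
            try:
                net_i, mask_i = _to_int(net), _to_int(mask)
            except ipaddress.AddressValueError:
                continue                   # not a valid IPv4 pair; out of scope here
            if net_i & ~mask_i & 0xFFFFFFFF:
                fixed = ipaddress.IPv4Address(net_i & mask_i)
                findings.append((line_no, f"{net}/{mask}", f"{fixed}/{mask}"))
    return findings


# Constructed sample hosts.deny content (not taken from the reporter's system).
SAMPLE = """\
# constructed hosts.deny
sendmail: 192.0.2.77/255.255.255.0
sendmail: 198.51.100.0/255.255.255.0
ALL: 203.0.113.200/255.255.255.192
"""

if __name__ == "__main__":
    for line_no, bad, good in lint_rules(SAMPLE):
        print(f"line {line_no}: {bad} never matches; use {good}")
```

Running the linter over hosts.allow and hosts.deny before deployment catches deny rules that silently block nothing.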
