sendmail outgoing only without port 25

I have a centos7 kvm server which uses both php and sendmail to send outgoing mail to another mail server.
The problem is that one of the vms on that host is going to become the mail server and needs port 25 on the host forwarded to the vm.

How can I still use sendmail to send outgoing mail while not blocking port 25 for in/out mail to the new vm?
projectsAsked:
JohnBusiness Consultant (Owner)Commented:
Can you use port 587 or 465 (SSL or TLS)?  This is common now for sending as unsecured Port 25 is used by spammers to take over machines.
projectsAuthor Commented:
I can use any port but the point is that I am wondering if I even need port 25 open for sendmail since it is never meant to receive, only send.
JohnBusiness Consultant (Owner)Commented:
I like to keep port 25 closed except to authorized applications. That keeps it secure. If you wish to regard sendmail as an authorized application, you can do that. The issue is that rogue applications will / may try to use sendmail also.

If you can avoid using port 25, I think you should.
projectsAuthor Commented:
I'm sorry but I think you've misunderstood the question.
Please re-read it.
JohnBusiness Consultant (Owner)Commented:
I did read your question. I assumed the mail server was not a common application for rogue clients to use. Exchange may use port 25 for example. So that part was fine with me.

You can use sendmail as well. But I was just suggesting using a different port for sending and leave your main mail server on port 25 (assuming it is secured).
projectsAuthor Commented:
The host happens to have some web sites on it and they use local sendmail to send outgoing email. The sendmail service doesn't receive any email, it only forwards to another mail server.

However, one of the vms on the host is about to become the mail server and port 25 on the host will prevent mail from being sent to the vm.

Therefore, I need to find a way of preventing the sendmail service on the host from using port 25 so that port 25 connections can make it to the vm mail server. Better however if I don't have to mess with changing ports and finding a way of forwarding the email from the host to the new vm mail server.
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
What's the issue? Because Host and Guest have different IP Addresses?
projectsAuthor Commented:
The host is hosting the VM using NAT so forwards the ports to the mail server.
I could use another public IP but wanted to know if there might be another way first.
JohnBusiness Consultant (Owner)Commented:
Use Bridge Mode for this application and that (a) will be better here and (b) should work.
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Seems an odd setup for a Hypervisor. It would appear your Hypervisor is doing different functions than just a Host! (more functions than just a hypervisor!)

Make things simpler and make the host the Hypervisor, and move other functions into VMs, which are Guests and Hosted.
projectsAuthor Commented:
It's because the host started life as a server and was converted to a host later on. It was meant only to host a few dev servers but its role has/is becoming a little more.

Either way, it's something I have to deal with so have to solve this issue.
Even using another IP, the host still has sendmail using port 25. Sendmail seems to have to run in order for mail to be forwarded to the mail server. I seem to recall not having to do that in the past.
JeffMatthiasCommented:
Get rid of sendmail and just set up an Exchange edge transport. Easy.
projectsAuthor Commented:
Can't, that's too much change. Need to keep things simple. Does sendmail even need to be running to send outgoing? I thought only mailx could do that on its own without running sendmail as a service.
arnoldCommented:
You do not have to have port 25 forwarded to a VM unless that VM is performing/accepting incoming connections on port 25.
The confusion stems from your question that includes references to php and other tools that generate outgoing emails. The manner and location of those in relation to the VM in this case and the mechanism employed to generate/transfer the email message to sendmail to be externally delivered.

If your php.ini Mail function uses /usr/sbin/sendmail rather than SMTP as well as your other tools use that binary as well as being local on the VM, you can configure sendmail without the -bd (to run as a daemon bound to port 25) but only run to process the queue -q30.

The answer: sendmail without the -bd option and with -q30 will run to process the queue if present.

The puzzling thing is within the VM sendmail can be bound to port 25 without presenting an issue to the host nor to other VMs.
I am unclear how it is interfering if at all with what you are intending.


LAN <=> HOST <=> vswitch
vm host1 IP1
vm host2 IP2
You can run sendmail on both without them clashing.
projectsAuthor Commented:
>You do not have to have port 25 forwarded to a VM unless that VM is performing/accepting incoming
>connections on port 25.

I did mention that I'm building a vm to become the mail server and need to forward port 25 to that VM from the host.

>The confusion stems from your question that includes references to php and other tools that generate
>outgoing emails.

I'm not sure why this is confusing, the only reference is my mentioning that there are web sites on the host which send outgoing email via sendmail.

>The puzzling thing is within the VM sendmail can be bound to port 25 without presenting an issue to the host nor
>to other VMs. I am unclear how it is interfering if at all with what you are intending.

Because the host and VM are using the same public IP and port 25 needs to be forwarded to the new vm.

Anyhow, I solved the problem yesterday by using a second public IP on the host so that I can have both using port 25. However, it still doesn't answer my question.

I can see how trying to write this as a question didn't quite work. What I was trying to ask about was related to the fact that sendmail on the host is not receiving email from any external source, only from programs on the host itself. That email is then forwarded to the mail server and from there, goes out to public.

What I wanted was to find a way of preventing public connections via port 25 to the host since it will never receive, it only sends, while making sure that sendmail can still send to the relay mail server.

It's all working now and it is mainly because someone mentioned using another IP which is what I used so I'll accept the solution because it could help someone else.
arnoldCommented:
Usually the VM either gets a separate LAN ip through network bridging or it gets a natted ip, in which case the host will need to be configured with forwarding rules.
I've not seen a setup where two (VM and host) had the same public ip and worked. This information was not included in your question, which led to the different scenarios/setup/configuration.
projectsAuthor Commented:
Look at the question and re-read it please.

>I have a centos7 kvm server which uses both php and sendmail to send outgoing mail to another mail server.
>The problem is that one of the vms on that host is going to become the mail server and need port 25 on the
>host forwarded to the vm. How can I still use sendmail to send outgoing mail while not blocking port 25
>for in/out mail to the new vm?

I did mention that the host has outgoing email only and that a vm will become the mail server.
I didn't want to use a second IP because the host can act as the router but since I wasn't able to get any help on how I might be able to make this work, I've ended up using another IP.
arnoldCommented:
I read and reread your post from before. Nowhere do you say that everything you have is using a single IP. Nowhere do you say that what you are looking for is, having a single IP, how to get x,y,z to handle a,b,c.

And I answered the question covering the various possibilities to achieve what you wanted.
Even with a single IP, depending on how your PHP is generating the outgoing mailings will dictate your options (included in original earlier reply).
PHP can use SMTP transaction to exchange outgoing email, or it can use /usr/sbin/sendmail to directly inject the message into the queue for sendmail to process. In the direct injection, the sendmail does not need to run as a daemon bound to port 25, but it need only be run as a queue processor -q 30 tells it to process the queue every 30 minutes.
projectsAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for projects's comment #a41240908
Assisted answer: 500 points for arnold's comment #a41245305

for the following reason:

A partly correct (for my situation) solution is using another IP.

I didn't want to use another IP for this because I feel there is another way. The problem is temporarily solved by doing this however since I cannot find an answer.
projectsAuthor Commented:
>I read and reread your post from before. Nowhere do you say that everything you have is using a single IP.
>No where do you say that what you are looking for having a single IP how to get x,y,z to handle a,b,c.

I do mention that in a reply but you're right that I don't mention it in the original question. I wrongly assumed that people would know I am talking about one server and one IP based on the question.
arnoldCommented:
One public IP can be assumed WAN, which my reply addressed.
The limitation of the single public ip WAN deals with one aspect that does not impact the internal/LAN.
Similarly in a VM, if you have a single ip on the host that nats the virtual network, the contention only comes into play when "external" access to services on the vms is needed.
Generating outgoing emails does not require sendmail to be bound to port 25, running as a daemon, as long as the php webserver is on the same server as the sendmail processing the outgoing emails by php.ini configuration directing the use of /usr/sbin/sendmail to inject messages directly into the sendmail queue versus via an SMTP session.

Try the following on a system where you have sendmail:
echo "To: recipient_email_address
From: sender_email_address
Subject: test direct injection into queue

This is a direct message injection into mail server
" | /usr/sbin/sendmail -oi -fsender_email_address -t

The above does not go through an SMTP session; therefore, does not need sendmail to be bound to any port (no need to run as daemon -bd)
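As an added check (not code from the thread or from any participant), the script below verifies the two conditions arnold's answer depends on before the host forwards port 25 to the VM: the host's sendmail.mc only binds the daemon to loopback, and `ss -ltnp` shows no port-25 listener on a non-loopback address, since such a socket is what the host's NAT forward has to compete with. It assumes CentOS 7 sendmail.mc syntax and the `ss -ltnp` column layout; the SAMPLE_* texts are constructed inputs, and the inject_message helper wraps the same `sendmail -oi -f -t` injection shown above.

```shell
#!/bin/sh
# Added example, not code from the thread: before NAT-forwarding port 25 from the
# KVM host to the mail VM, confirm the host sendmail only queues and relays (no
# non-loopback port-25 listener, which would shadow the forward). Assumes CentOS 7
# sendmail.mc syntax and `ss -ltnp` columns; the SAMPLE_* texts are constructed.

# 0 if every uncommented DAEMON_OPTIONS line is bound to loopback (the
# RHEL/CentOS default is Addr=127.0.0.1), else 1.
mc_listens_on_loopback_only() {
    printf '%s\n' "$1" | awk '
        /^dnl/ { next }                  # m4 comment line
        /DAEMON_OPTIONS/ { n++; if ($0 !~ /Addr=(127\.0\.0\.1|::1)/) bad++ }
        END { exit (n > 0 && bad == 0) ? 0 : 1 }'
}

# Print each `ss -ltnp` line that listens on port 25 on a non-loopback address.
public_port25_listeners() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                 # header line
        { port = $4; sub(/.*:/, "", port); addr = $4; sub(/:[0-9]*$/, "", addr)
          if (port == "25" && addr != "127.0.0.1" && addr != "[::1]") print }'
}

# Direct queue injection as in the thread: -t reads recipients from the headers,
# -oi keeps a lone "." line from ending the message, -f sets the envelope sender.
# $5 overrides the sendmail binary so the test can run without an MTA installed.
inject_message() {
    printf 'From: %s\nTo: %s\nSubject: %s\n\n%s\n' "$1" "$2" "$3" "$4" \
        | "${5:-/usr/sbin/sendmail}" -oi -f"$1" -t
}

SAMPLE_MC=$(cat <<'EOF'
dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
EOF
)
SAMPLE_SS_OK=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      10     127.0.0.1:25       *:*    users:(("sendmail",pid=1234,fd=4))
EOF
)
SAMPLE_SS_BAD=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      10     *:25               *:*    users:(("sendmail",pid=1234,fd=4))
EOF
)

mc_listens_on_loopback_only "$SAMPLE_MC" && echo "sendmail.mc: loopback only"
public_port25_listeners "$SAMPLE_SS_OK"    # prints nothing: forward can reach VM
public_port25_listeners "$SAMPLE_SS_BAD"   # prints the *:25 line to fix first
```

On the real host, feed the functions with `"$(cat /etc/mail/sendmail.mc)"` and `"$(ss -ltnp)"` instead of the samples; an empty result from public_port25_listeners means the host no longer competes with the VM for port 25.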

bevhostCommented:
Use the localhost IP 127.0.0.1