On Wed, 8 Oct 1997, Richard Gilbert wrote:
> ...but I thought that I had better read the manual carefully first. In
> section 17.2 (of the 1.62 version of the manual) I came across
> restrict_to_path, but that would seem to prevent standard use of e.g.
> /usr/ucb/vacation.
If you want to permit only a specific set of pipe commands, you can
handle it by using suffixes, but the users have to put the right thing
in their .forward files, of course. Suppose the only pipe you actually
want to allow is /usr/ucb/vacation. You tell the users to put
    username, username-vacation
in their .forward files when they want vacation processing. That saves a
copy of the message in the usual way, and also delivers a copy to
"username-vacation". Then set up a transport and director something like
this:
    vacation_transport:
      driver = pipe;
      command = "/usr/ucb/vacation"

    vacation_director:
      driver = localuser,
      suffix = "-vacation",
      transport = vacation_transport
making sure the vacation_director precedes the normal localuser
director.
Of course, this does not prevent some outside person mailing directly to
"username-vacation", but I can't think this really matters much.
> (On the other hand, if a local host implicitly allows relaying but sends
> all its mail via a hub running Exim which is configured to prevent
> relaying except for the local network will this prevent the local host
> from being used as a relay?)
No. The local host will accept all the junk mail (maybe clogging it up)
and try to deliver it to the hub. The hub will accept it because it
comes from a machine on the local network. You have to secure *all* the
boundaries of your local network.
> Can any security experts out there comment on this, please.
Disclaimer: I am not a security expert.
--
Philip Hazel University Computing Service,
ph10@??? New Museums Site, Cambridge CB2 3QG,
P.Hazel@??? England. Phone: +44 1223 334714
--
* This is sent by the exim-users mailing list. To unsubscribe send a
mail with subject "unsubscribe" to exim-users-request@???
* Exim information can be found at http://www.exim.org/
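
An added example, not part of the original message or of Exim: a small audit that reads .forward contents and reports pipe entries that would have to be replaced by the "username-vacation" suffix address described above. It assumes sendmail-style .forward syntax (items separated by commas or newlines, pipes starting with "|" and optionally double-quoted); the function names and sample data are constructed for illustration.

```python
# Added example: find pipe entries in .forward files under a suffix-only policy.
ALLOWED_SUFFIXES = ("-vacation",)   # assumption: only the vacation_director above exists
VACATION = "/usr/ucb/vacation"      # the one command vacation_transport runs

def split_items(text):
    """Split on commas and newlines, keeping double-quoted items whole."""
    items, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted              # drop the quote, remember the state
        elif ch in ",\n" and not quoted:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur).strip())
    return [i for i in items if i]

def classify(item, user):
    """Return 'pipe', 'self', 'suffix' or 'other' for one .forward item."""
    if item.startswith("|"):
        return "pipe"
    local = item.lstrip("\\").split("@", 1)[0]   # \user means "deliver locally"
    if local == user:
        return "self"
    if any(local == user + s for s in ALLOWED_SUFFIXES):
        return "suffix"
    return "other"

def audit(user, text):
    """Return (pipe_item, suggested_replacement_or_None) for every pipe found."""
    findings = []
    for item in split_items(text):
        if classify(item, user) != "pipe":
            continue
        words = item[1:].split()
        cmd = words[0] if words else ""
        # Only the vacation pipe has a suffix-based equivalent to suggest.
        advice = f"{user}, {user}-vacation" if cmd == VACATION else None
        findings.append((item, advice))
    return findings

# Constructed sample .forward contents (not taken from a real system).
SAMPLES = {
    "rg":    "rg, rg-vacation\n",
    "alice": '\\alice, "|/usr/ucb/vacation alice"\n',
    "bob":   "bob@example.org\n/home/bob/mail.log, |/usr/local/bin/procmail\n",
}

if __name__ == "__main__":
    for user, text in SAMPLES.items():
        print(user, audit(user, text) or "ok")
```
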