Re: [Exim] How to restrict certain users to local delivery

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Greg Ward
Ημερομηνία:  
Προς: Rick Byers
Υ/ο: exim-users
Αντικείμενο: Re: [Exim] How to restrict certain users to local delivery
On 12 November 2001, Rick Byers said:
> I'm trying to figure out a way to configure exim such that a certain user
> id can only send mail which is delivered locally. Specifically, I'm
> seeing a lot of abuse of CGI scripts to send spam. I'd like to prevent
> the userid that CGI scripts run as from sending mail that will leave my
> network.
>
> Any suggestions on how I could implement this?


You could add a condition to all of your routers that checks the UID of
the user calling exim. Something like this, perhaps, assuming your CGI
scripts all run as UID 123:

lookuphost:
driver = lookuphost
transport = remote_smtp
condition = ${if eq {$caller_uid}{123} {yes}{no}}

Obviously, RTFM on the "condition" option, string expansion, and the
$caller_uid variable. This is completely untested and I've never done
anything like this.

Caveats:
  * this will only affect people who run
      exim sucker@??? < spam.txt
    (or moral equivalent) from their CGI scripts.  Nothing
    is stopping them from connecting to localhost:25 and sending
    the spam that way, or directly to victim.com's MX, or to some
    convenient third-party open relay


  * so, the other half of the solution is a firewall/netfilter:
    you'll have to block your CGI scripts from connecting to
    any TCP port 25 in the universe (including your own!), or they'll
    just send their spam that way.  This most likely means blocking
    *all* processes on your web server from connecting to any
    port 25, unless you have a really fancy firewall that can
    talk to an identd server.  (Do such things even exist?)


Would love to hear the real experts pick holes in this...

        Greg
-- 
Greg Ward - software developer                gward@???
MEMS Exchange                            http://www.mems-exchange.org