On 12 November 2001, Rick Byers said:
> I'm trying to figure out a way to configure exim such that a certain user
> id can only send mail which is delivered locally. Specifically, I'm
> seeing a lot of abuse of CGI scripts to send spam. I'd like to prevent
> the userid that CGI scripts run as from sending mail that will leave my
> network.
>
> Any suggestions on how I could implement this?
You could add a condition to all of your routers that checks the UID of
the user calling exim. Something like this, perhaps, assuming your CGI
scripts all run as UID 123:
  lookuphost:
    driver = lookuphost
    transport = remote_smtp
    # Skip this router (and so the remote_smtp transport) when the process
    # that called exim runs as UID 123; every other caller routes normally.
    condition = ${if eq {$caller_uid}{123} {no}{yes}}
Obviously, RTFM on the "condition" option, string expansion, and the
$caller_uid variable. This is completely untested and I've never done
anything like this.
Caveats:
* this will only affect people who run
exim sucker@??? < spam.txt
(or moral equivalent) from their CGI scripts. Nothing
is stopping them from connecting to localhost:25 and sending
the spam that way, or directly to victim.com's MX, or to some
convenient third-party open relay
* so, the other half of the solution is a firewall/netfilter:
you'll have to block your CGI scripts from connecting to
any TCP port 25 in the universe (including your own!), or they'll
just send their spam that way. This most likely means blocking
*all* processes on your web server from connecting to any
port 25, unless you have a really fancy firewall that can
talk to an identd server. (Do such things even exist?)
Would love to hear the real experts pick holes in this...
Greg
--
Greg Ward - software developer gward@???
MEMS Exchange http://www.mems-exchange.org
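Both halves of the scheme above (a router condition plus a firewall rule), as an added example that is not part of Greg's reply or of Exim's own documentation. It assumes CGI scripts run as UID 123, an Exim 4 installation whose "dnslookup" router hands remote mail to remote_smtp (put the condition on whichever router does that, e.g. a smarthost router), iptables with the owner match, and a hypothetical conf.d fragment path. It goes beyond the page in two places: the router keys on $originator_uid rather than $caller_uid, because Exim 4 resets $caller_uid to the Exim uid when it re-execs itself for delivery while $originator_uid keeps the submitting process's real uid; and the netfilter rule covers the submission ports 465 and 587 as well as 25. The owner match decides on the uid inside the kernel, so no identd-aware firewall is needed, and because it sits in OUTPUT it also catches connections to the local port 25.

```shell
#!/bin/sh
# Added example, not from the original post.  Confine one UID to local-only
# mail: an Exim 4 router condition plus a netfilter owner-match rule.
# Assumptions (hypothetical): CGI scripts run as UID 123, Exim 4 routes
# remote mail through a "dnslookup" router to remote_smtp, iptables has the
# owner match, and Exim picks up fragments from /etc/exim4/conf.d/router/.

CGI_UID="${CGI_UID:-123}"

# Router fragment.  $originator_uid is the real uid of the process that
# submitted the message and survives queue runs; $caller_uid is reset to the
# Exim uid when Exim re-execs itself for delivery, so keying on it would let
# queued CGI mail through.
render_exim_router() {
    uid="$1"
    cat <<EOF
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  # Decline for mail submitted by the CGI uid; with no_more the address then
  # fails instead of being offered to any later (e.g. smarthost) router.
  condition = \${if eq {\$originator_uid}{$uid} {no}{yes}}
  no_more
EOF
}

# Netfilter half.  The owner match knows the sending uid in-kernel, so no
# identd is needed, and the OUTPUT chain also covers 127.0.0.1:25.  Ports
# 465/587 are included because a script that cannot reach 25 will try the
# submission ports next.  Inserted at position 1 so an earlier ACCEPT cannot
# shadow it.
render_netfilter_rules() {
    uid="$1"
    for cmd in iptables ip6tables; do
        printf '%s -I OUTPUT 1 -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner %s -j REJECT --reject-with tcp-reset\n' "$cmd" "$uid"
    done
}

# Install both halves (run as root).  The fragment path is an assumption;
# the running daemon needs a HUP afterwards, command-line submissions
# re-read the config on every invocation.
apply_policy() {
    uid="$1"
    render_exim_router "$uid" > /etc/exim4/conf.d/router/150_cgi_local_only
    render_netfilter_rules "$uid" | sh
}

# Check the router half: test-routing a remote address as the CGI user must
# end with Exim reporting the address as unrouteable, while a local address
# still routes to a local transport.  Run as root; exim -bt needs no privilege.
check_routing() {
    uid="$1"; addr="$2"
    su -s /bin/sh "$(id -nu "$uid")" -c "exim -bt '$addr'"
}
```

Usage: `apply_policy 123`, then `check_routing 123 someone@remote.example` and `check_routing 123 localuser` to see the two outcomes side by side. A script running as the CGI uid can still call the sendmail binary for local addresses, which is the behaviour the original question asked for.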