Re: [Exim] How to restrict certain users to local delivery

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Dave C.
Ημερομηνία:  
Προς: Greg Ward
Υ/ο: Rick Byers, exim-users
Αντικείμενο: Re: [Exim] How to restrict certain users to local delivery
On Mon, 12 Nov 2001, Greg Ward wrote:

> On 12 November 2001, Rick Byers said:
> > I'm trying to figure out a way to configure exim such that a certain user
> > id can only send mail which is delivered locally. Specifically, I'm
> > seeing a lot of abuse of CGI scripts to send spam. I'd like to prevent
> > the userid that CGI scripts run as from sending mail that will leave my
> > network.
> >
> > Any suggestions on how I could implement this?
>
> You could add a condition to all of your routers that checks the UID of
> the user calling exim. Something like this, perhaps, assuming your CGI
> scripts all run as UID 123:
>
> lookuphost:
> driver = lookuphost
> transport = remote_smtp
> condition = ${if eq {$caller_uid}{123} {yes}{no}}
>
> Obviously, RTFM on the "condition" option, string expansion, and the
> $caller_uid variable. This is completely untested and I've never done
> anything like this.
>
> Caveats:
>   * this will only affect people who run
>       exim sucker@??? < spam.txt
>     (or moral equivalent) from their CGI scripts.  Nothing
>     is stopping them from connecting to localhost:25 and sending
>     the spam that way, or directly to victim.com's MX, or to some
>     convenient third-party open relay


On a webserver, you could either

a. not listen to port 25

b. add an appropriate rejection based on $sender_host = localhost,
assuming no local MTA's were submitting mail that way, OR, if they were,
ensuring identd was running properly, and blocking the webserver ident
as well..

>
>   * so, the other half of the solution is a firewall/netfilter:
>     you'll have to block your CGI scripts from connecting to
>     any TCP port 25 in the universe (including your own!), or they'll
>     just send their spam that way.  This most likely means blocking
>     *all* processes on your web server from connecting to any
>     port 25, unless you have a really fancy firewall that can
>     talk to an identd server.  (Do such things even exist?)

>
> Would love to hear the real experts pick holes in this...
>
>         Greg

>


--