On Mon, 12 Nov 2001, Greg Ward wrote:
> On 12 November 2001, Rick Byers said:
> > I'm trying to figure out a way to configure exim such that a certain user
> > id can only send mail which is delivered locally. Specifically, I'm
> > seeing a lot of abuse of CGI scripts to send spam. I'd like to prevent
> > the userid that CGI scripts run as from sending mail that will leave my
> > network.
> >
> > Any suggestions on how I could implement this?
>
> You could add a condition to all of your routers that checks the UID of
> the user calling exim. Something like this, perhaps, assuming your CGI
> scripts all run as UID 123:
>
> lookuphost:
> driver = lookuphost
> transport = remote_smtp
> # skip this router (no remote delivery) when the caller is uid 123;
> # "no" in the true branch is what makes the router decline for that uid
> condition = ${if eq {$caller_uid}{123} {no}{yes}}
>
> Obviously, RTFM on the "condition" option, string expansion, and the
> $caller_uid variable. This is completely untested and I've never done
> anything like this.
>
> Caveats:
> * this will only affect people who run
> exim sucker@??? < spam.txt
> (or moral equivalent) from their CGI scripts. Nothing
> is stopping them from connecting to localhost:25 and sending
> the spam that way, or directly to victim.com's MX, or to some
> convenient third-party open relay
On a webserver, you could either
a. not listen on port 25, or
b. add an appropriate rejection based on $sender_host = localhost,
assuming no local MTAs were submitting mail that way, OR, if they were,
ensuring identd was running properly, and blocking the webserver ident
as well.
>
> * so, the other half of the solution is a firewall/netfilter:
> you'll have to block your CGI scripts from connecting to
> any TCP port 25 in the universe (including your own!), or they'll
> just send their spam that way. This most likely means blocking
> *all* processes on your web server from connecting to any
> port 25, unless you have a really fancy firewall that can
> talk to an identd server. (Do such things even exist?)
>
> Would love to hear the real experts pick holes in this...
>
> Greg
>
--
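The two halves of the fix discussed in this thread, as an added example that is not code from either poster. The script is my own; it assumes Exim 4 (the router syntax above is Exim 3), the default `local_domains` domain list, and an iptables with the `owner` match, which is exactly the "firewall that knows which uid opened the socket" Greg wonders about: it matches locally generated packets by socket owner in the OUTPUT chain, so no identd is involved. Two things go beyond the thread: the router tests `$originator_uid` rather than `$caller_uid`, because `$caller_uid` is reset to the Exim run-time uid when Exim re-execs (for example in a queue runner) while `$originator_uid` keeps the uid of the process that submitted the message; and port 587 is blocked alongside 25, since a submission port relays just as well. The function and variable names (`resolve_uid`, `iptables_rules`, `DRY_RUN`) are mine.

```shell
#!/bin/sh
# Added example, not from the exim-users thread. Generates (and optionally
# applies) the pieces needed to keep one uid's mail on the local host:
#   1. an Exim 4 router fragment that fails any non-local recipient of a
#      message submitted by that uid;
#   2. an Exim 4 ACL fragment rejecting non-local recipients offered over
#      loopback SMTP (option b above);
#   3. netfilter rules stopping that uid from opening TCP/25 or TCP/587.
# Assumptions: Exim 4 with the default "local_domains" list, iptables with
# the owner match, and the CGI uid given as a number or an account name.
set -u

# Turn an account name into a numeric uid; numbers pass through unchanged.
resolve_uid() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Router to place before dnslookup in the routers section. $originator_uid
# is the uid of the submitting process and survives queue runs; $caller_uid
# becomes the Exim run-time uid once Exim re-execs, so a queue runner would
# never see the CGI uid there.
exim_router_fragment() {
    uid=$(resolve_uid "$1")
    cat <<EOF
block_cgi_remote:
  driver = redirect
  domains = ! +local_domains
  condition = \${if eq{\$originator_uid}{$uid}}
  allow_fail
  data = :fail: uid $uid may only send mail to local domains
EOF
}

# Statement for acl_check_rcpt: refuse to relay for SMTP clients that
# connect over loopback (the "connect to localhost:25" route in the thread).
exim_acl_fragment() {
    cat <<'EOF'
  deny    hosts = 127.0.0.1 : ::1
          domains = ! +local_domains
          message = loopback SMTP submissions may not relay
EOF
}

# iptables commands that block outbound SMTP for the uid. Matching on the
# socket owner in OUTPUT covers connections to localhost, to a victim's MX
# and to a third-party relay alike.
iptables_rules() {
    uid=$(resolve_uid "$1")
    for port in 25 587; do
        printf 'iptables -A OUTPUT -p tcp --dport %s -m owner --uid-owner %s -j REJECT --reject-with tcp-reset\n' "$port" "$uid"
    done
}

# Run the rules, or just print them when DRY_RUN=1.
apply_rules() {
    iptables_rules "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            eval "$cmd"
        fi
    done
}

# Usage: sh harden-cgi-mail.sh <uid-or-name>   (DRY_RUN=1 to preview)
if [ $# -gt 0 ]; then
    exim_router_fragment "$1"
    echo
    exim_acl_fragment
    echo
    apply_rules "$1"
fi
```

Run it with `DRY_RUN=1` first and paste the two Exim fragments into the routers and ACL sections by hand; the iptables rules are not persistent, so they belong in whatever your distribution uses to restore rules at boot. Note that `REJECT --reject-with tcp-reset` makes a blocked CGI script fail fast with a refused connection rather than hang on a DROP.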