On 2001-12-12 at 14:30 -0900, Gary Peltola wrote:
> Currently when a local host sends an email from our network (running exim 1.33) the headers are more
> or less empty with basic information
>
> How would I go about adding (and changing) the following
>
> 1. add maybe the script or file that is using exim (IE: Script Name : formmail.pl)
> 2. add maybe the script's owner or back to #1, the path of the script
> 3. change the UID / GID to something other than 99 /99 (see below)
>
> Problem: Many customers are starting to use our localhost exim as a spam relay, sending thousands of
> emails an hour, and when we get a spam complaint, we have nowhere to look because the headers are
> worthless and the exim main log doesn't tell you anything but if the email was sent or not

Enable 'auth' (aka 'ident' aka RFC 1413), at least for connections from
localhost or a local IP address. Ensure that Exim is configured to
perform these checks (option rfc1413_hosts). This will then go into the
headers.

You can optionally not reveal the account names by making identd return
a token, which can be looked up in the logs, in the event of a
complaint. See the manual page for identd (or in.identd) on your
system.

I'm not sure what you mean by option 2. Option 1 could perhaps be done,
in a highly OS-dependent manner, but not portably. Whether or not it
would work for scripts instead of just saying 'perl' is another matter.
If the script is invoking sendmail/exim directly, instead of talking to
127.0.0.1/smtp, then this information should already be in the headers.

Hrm, I see:

    Received: from nobody by wolf.thehideout.net with local (Exim 3.33 #1)
        id 16Dc6X-0008Is-00; Mon, 10 Dec 2001 17:53:09 -0800

You're running web-site scripts as 'nobody'. Perhaps you need to
explore suexec and the associated options. But this isn't an Exim
issue. It's a basic site security issue.

So, to recap:

(1) If invoked locally, Exim reports the userid of the invoking user.
(2) If talked to via SMTP, Exim can log the userid of the invoking user
    if you set up RFC 1413 service.
(3) If you run all scripts, for all sites, as one user then you have
    some serious security issues, much more serious than simply spam.
--
You never really learn to swear until you become a sysadmin.
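The recap above describes two places a complaint investigation can look: the "from USER ... with local" form of Exim's Received: header for locally injected mail, and the "ident=" field for SMTP submissions from a host covered by rfc1413_hosts. As an added example, not part of the thread, the script below pulls the originating user or ident token and the Exim message id out of such headers; the sample headers are constructed to follow Exim 3's default Received: layout, and the ident token value is made up.

```python
import re
from typing import Dict, Optional

# Constructed sample headers, modelled on Exim 3's default Received: layout.
# First: a message injected locally by the 'nobody' user (as in the thread).
LOCAL_RECEIVED = (
    "Received: from nobody by wolf.thehideout.net with local (Exim 3.33 #1)\n"
    "\tid 16Dc6X-0008Is-00; Mon, 10 Dec 2001 17:53:09 -0800"
)
# Second: a message submitted over SMTP from 127.0.0.1 with an RFC 1413 (ident)
# lookup enabled; the identd here returns an opaque token (constructed value)
# instead of an account name, as the reply suggests.
SMTP_RECEIVED = (
    "Received: from localhost ([127.0.0.1] ident=tok-4f2a helo=wolf.thehideout.net)\n"
    "\tby wolf.thehideout.net with esmtp (Exim 3.33 #1)\n"
    "\tid 16Dc7Q-0008Jt-00; Mon, 10 Dec 2001 17:55:41 -0800"
)

LOCAL_RE = re.compile(r"^Received: from (?P<user>\S+) by (?P<host>\S+) with local\b")
SMTP_RE = re.compile(r"^Received: from (?P<host>\S+) \(\[(?P<ip>[^\]]+)\](?P<rest>[^)]*)\)")
IDENT_RE = re.compile(r"\bident=(?P<ident>\S+)")
ID_RE = re.compile(r"\bid (?P<id>\S+);")


def unfold(header: str) -> str:
    """Join RFC 822 continuation lines so the whole header is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def origin_of(header: str) -> Dict[str, Optional[str]]:
    """Report where a message entered Exim, from one Received: header.

    'user' is the invoking userid for local injection, or the ident token
    (None if no ident was recorded) for SMTP submission.
    """
    flat = unfold(header)
    msg_id = ID_RE.search(flat)
    result: Dict[str, Optional[str]] = {
        "kind": None, "user": None, "ip": None,
        "exim_id": msg_id.group("id") if msg_id else None,
    }
    m = LOCAL_RE.match(flat)
    if m:
        result.update(kind="local", user=m.group("user"))
        return result
    m = SMTP_RE.match(flat)
    if m:
        ident = IDENT_RE.search(m.group("rest"))
        result.update(kind="smtp", ip=m.group("ip"),
                      user=ident.group("ident") if ident else None)
    return result


if __name__ == "__main__":
    for h in (LOCAL_RECEIVED, SMTP_RECEIVED):
        print(origin_of(h))
```

The exim_id value is what to grep for in Exim's main log to tie the header back to the delivery record; an SMTP header with no ident= field means the submitting host was not covered by rfc1413_hosts or its identd did not answer.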