----- Original Message -----
From: "Philip Hazel" <ph10@???>
> On Tue, 16 Dec 2003, Wakko Warner wrote:
>
> > exim -bs
> >
> > This accepts a message speaking smtp on stdin/stdout. The host is null in
> > this case. ACLs do run:
> > # exim -bs
> > 220 veg.animx.eu.org ESMTP Exim 4.24 Tue, 16 Dec 2003 19:06:48 -0500
> > EHLO x
> > 550 HELO doesn't look like a hostname
> > #
>
> However, for
>
> exim user@domain </some/message
>
> the SMTP ACLs do not run (they can't - there's no SMTP!); only the
> non-SMTP ACL runs. And exim -bS is also not SMTP (it just uses SMTP
> constructs to pass the envelope, but is not interactive).
>
>
> --
> Philip Hazel University of Cambridge Computing Service,
> ph10@??? Cambridge, England. Phone: +44 1223 334714.
> Get the Exim 4 book: http://www.uit.co.uk/exim-book
So, how do I prevent local users from using that construct? I'm asking for
recommended "best practice" for this. Do I have to try to make the "exim"
command unavailable to users via O/S security settings, or is there a way to
do it in exim.conf?
(*** goes and reads Exim Spec ***)
(Aha! As I suspected, you can do it cleanly in Exim! :)
acl_not_smtp
Type: string, expanded
Default: unset
This option defines the ACL that is run when a non-SMTP message is on the
point of being accepted. See chapter 38 for further details.
From chapter 38:
The non-SMTP ACL applies to all non-interactive incoming messages, that is, it
applies to batch SMTP as well as to non-SMTP messages. (Batch SMTP is not
really SMTP.) This ACL is run just before the local_scan() function. Any kind
of rejection is treated as permanent, because there is no way of sending a
temporary error for these kinds of message. Many of the ACL conditions (for
example, host tests, and tests on the state of the SMTP connection such as
encryption and authentication) are not relevant and are forbidden in this ACL.
<snip>
For acl_not_smtp, ..., the default action is "accept".
Therefore in order to block non-SMTP messages, I would have to specifically
add something like:
acl_not_smtp = check_non_smtp
...
begin acl
check_non_smtp:
  # do not accept non-SMTP messages
  # (e.g. command line injection by users)
  # except from specific system accounts.
  # For locally submitted messages $sender_ident holds the login name of
  # the user that called Exim, so test that rather than the sender address
  # (a senders list is matched against envelope addresses, and "root" or
  # "cron" on their own are not addresses). "myself" stands for your own login.
  accept condition = ${if match{$sender_ident}{\N^(root|cron|myself)$\N}{yes}{no}}
  deny   message     = please use SMTP to inject messages to this server
         log_message = non-SMTP attempt by $originator_uid as $sender_address
Now, if you also need to support Apache (for example, emailing customers'
website form data to customers with PHP, or whatever), then you might need to
add some rather more complicated tests to the ACL, or you might just need to
let your users know to use SMTP-based scripts, in their web pages, to inject
their messages.
As I learn more, I will share.
Oh, one question... I just noticed the "applies to all non-interactive"
bit... Does this mean someone could still get past this non-SMTP ACL by
sitting at a terminal and typing away? And if so, could not a script be
written to emulate someone sitting at a terminal and typing, and would this
not then represent a security hole, exploitable by a user (or a cracked user
account) to send spam? Oh dear...
Is there an ACL for *interactive* non-SMTP incoming messages? I did not see
one...
Regards,
Jim Roberts
Punster Productions, Inc.
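As an added example that is not part of the original post, here is a small
Python scan over Exim mainlog lines for rejections produced by the
acl_not_smtp log_message above, counting attempts per local login so that a
user account repeatedly trying to inject mail from the command line (the spam
worry raised above) stands out. The sample log lines are constructed, and the
line layout is an assumption about how Exim records a non-SMTP ACL rejection.

```python
import re
from collections import Counter

# Constructed sample mainlog lines (not real logs). The layout is an assumption
# about what Exim writes when acl_not_smtp denies a locally submitted message.
SAMPLE_LOG = """\
2003-12-16 19:10:01 1AWQz0-0001A2-00 <= root@veg.animx.eu.org U=root P=local S=512
2003-12-16 19:11:15 U=www-data F=<www-data@veg.animx.eu.org> rejected by non-SMTP ACL: non-SMTP attempt by 33 as www-data@veg.animx.eu.org
2003-12-16 19:11:16 U=www-data F=<www-data@veg.animx.eu.org> rejected by non-SMTP ACL: non-SMTP attempt by 33 as www-data@veg.animx.eu.org
2003-12-16 19:12:40 U=jim F=<jim@veg.animx.eu.org> rejected by non-SMTP ACL: non-SMTP attempt by 1001 as jim@veg.animx.eu.org
"""

# One rejection line: timestamp, U=login of the caller, F=<envelope sender>,
# then the ACL's log_message text.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"U=(?P<login>\S+) F=<(?P<sender>[^>]*)> "
    r"rejected by non-SMTP ACL: (?P<reason>.*)$"
)


def parse_rejections(log_text):
    """Return a list of dicts, one per non-SMTP ACL rejection found."""
    hits = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


def count_by_login(log_text):
    """Number of rejected command-line injections per local login."""
    return Counter(hit["login"] for hit in parse_rejections(log_text))


def repeat_offenders(log_text, threshold=2):
    """Logins that hit the ACL at least `threshold` times, sorted by count."""
    counts = count_by_login(log_text)
    return [login for login, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for login, n in count_by_login(SAMPLE_LOG).most_common():
        print(f"{login}: {n} rejected non-SMTP submission(s)")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```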