Re: [Exim] My Server as spamming machine !

Author: James P. Roberts
Date:  
To: exim-users
CC: Suresh Ramasubramanian, Rejo Zenger, ankush dawar, Wakko Warner
Subject: Re: [Exim] My Server as spamming machine !
----- Original Message -----
From: "Philip Hazel" <ph10@???>
> On Tue, 16 Dec 2003, Wakko Warner wrote:
>
> > exim -bs
> >
> > This accepts a message speaking smtp on stdin/stdout. The host is null in
> > this case. ACLs do run:
> > # exim -bs
> > 220 veg.animx.eu.org ESMTP Exim 4.24 Tue, 16 Dec 2003 19:06:48 -0500
> > EHLO x
> > 550 HELO doesn't look like a hostname
> > #
>
> However, for
>
> exim user@domain </some/message
>
> the SMTP ACLs do not run (they can't - there's no SMTP!); only the
> non-SMTP ACL runs. And exim -bS is also not SMTP (it just uses SMTP
> constructs to pass the envelope, but is not interactive).
>
>
> --
> Philip Hazel            University of Cambridge Computing Service,
> ph10@???      Cambridge, England. Phone: +44 1223 334714.
> Get the Exim 4 book:    http://www.uit.co.uk/exim-book


So, how do I prevent local users from using that construct? I'm asking for
recommended "best practice" for this. Do I have to try to make the "exim"
command unavailable to users via O/S security settings, or is there a way to
do it in exim.conf?

(*** goes and reads Exim Spec ***)

(Aha! As I suspected, you can do it cleanly in Exim! :)

acl_not_smtp
Type: string, expanded
Default: unset

This option defines the ACL that is run when a non-SMTP message is on the
point of being accepted. See chapter 38 for further details.


From chapter 38:

The non-SMTP ACL applies to all non-interactive incoming messages, that is, it
applies to batch SMTP as well as to non-SMTP messages. (Batch SMTP is not
really SMTP.) This ACL is run just before the local_scan() function. Any kind
of rejection is treated as permanent, because there is no way of sending a
temporary error for these kinds of message. Many of the ACL conditions (for
example, host tests, and tests on the state of the SMTP connection such as
encryption and authentication) are not relevant and are forbidden in this ACL.

<snip>

For acl_not_smtp, ..., the default action is "accept".


Therefore in order to block non-SMTP messages, I would have to specifically
add something like:

acl_not_smtp = check_non_smtp

...

begin acl

check_non_smtp:
  # do not accept non-SMTP messages
  # (e.g. command line injection by users)
  # except from specific system accounts
  accept  senders = root : cron : myself
  deny    message = please use SMTP to inject messages to this server
          log_message = non-SMTP attempt by $originator_uid as $sender_address


Now, if you also need to support Apache (for example, emailing customers'
website form data to customers with PHP, or whatever), then you might need to
add some rather more complicated tests to the ACL, or you might just need to
let your users know to use SMTP-based scripts, in their web pages, to inject
their messages.

As I learn more, I will share.

Oh, one question... I just noticed the "applies to all non-interactive"
bit... Does this mean someone could still get past this non-SMTP ACL by
sitting at a terminal and typing away? And if so, could not a script be
written to emulate someone sitting at a terminal and typing, and would this
not then represent a security hole, exploitable by a user (or a cracked user
account) to send spam? Oh dear...

Is there an ACL for *interactive* non-SMTP incoming messages? I did not see
one...

Regards,
Jim Roberts
Punster Productions, Inc.
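An added example, not part of this thread: a small Python script that scans Exim mainlog lines for the deny rule's log_message from the ACL above and lists uids that repeatedly get rejected while trying different sender addresses (the "cracked user account" case). The exact mainlog line layout is assumed, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample mainlog lines. The layout "U=<user> rejected by non-SMTP ACL: <log_message>"
# is an assumption; the log_message text is the one set in the check_non_smtp ACL.
SAMPLE_LOG = """\
2003-12-16 19:10:02 U=alice rejected by non-SMTP ACL: non-SMTP attempt by 1001 as alice@example.com
2003-12-16 19:10:03 U=alice rejected by non-SMTP ACL: non-SMTP attempt by 1001 as promo@cheap-pills.example
2003-12-16 19:10:03 U=alice rejected by non-SMTP ACL: non-SMTP attempt by 1001 as promo@cheap-pills.example
2003-12-16 19:10:04 U=bob rejected by non-SMTP ACL: non-SMTP attempt by 1002 as bob@example.com
2003-12-16 19:10:05 1AWvtB-0001Xg-00 <= root@example.com U=root P=local S=412
2003-12-16 19:10:06 U=alice rejected by non-SMTP ACL: non-SMTP attempt by 1001 as promo@cheap-pills.example
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) U=(?P<user>\S+) rejected by non-SMTP ACL: "
    r"non-SMTP attempt by (?P<uid>\d+) as (?P<sender>\S+)$"
)


def parse_rejections(log_text):
    """Return one dict (ts, user, uid, sender) per line matching the deny log_message."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def suspicious_uids(events, threshold=3):
    """Map uid -> sorted sender addresses for uids with >= threshold rejections.

    A local account that keeps injecting with sender addresses that are not
    its own is the pattern worth alerting on.
    """
    per_uid = Counter(e["uid"] for e in events)
    senders = {}
    for e in events:
        senders.setdefault(e["uid"], set()).add(e["sender"])
    return {uid: sorted(senders[uid]) for uid, n in per_uid.items() if n >= threshold}


if __name__ == "__main__":
    for uid, addrs in suspicious_uids(parse_rejections(SAMPLE_LOG)).items():
        print(f"uid {uid}: {len(addrs)} distinct sender addresses: {addrs}")
```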