Re: [exim] Exim filters in virtual hosting environments

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Ian FREISLICH
Datum:  
To: Brian Candler
CC: exim-users
Betreff: Re: [exim] Exim filters in virtual hosting environments
Brian Candler wrote:
> Hello,
>
> I wondered if anyone has any thoughts about the safety, or otherwise, of
> allowing Exim filters in a virtual hosting environment (that is, where all
> the mailboxes are owned by the same uid).
>
> The options I'm considering are:
>
> 1. Allow people to upload their own filter scripts, and turn on
> forbid_pipe/file/include and all forbid_filter_* options.
>
> I'm uncomfortable with that, as there may be unforeseen security holes.
> Currently there's no way to block out ${stat}, for example. Also, the
> functionality available is limited: you can only accept, drop or forward a
> message.


Maybe I'm way too relaxed about this at my site[1]. The only things
I haven't enabled for user filter processing is freeze/fail/defer.
That's because the no_verify option is set on the router and I don't
want users to generate bounces (colateral spam) and fill up my queue
with defered or frozen messages. I've toyed with disallowing reply.

I allow fail and defer in their aliases file though because that
is routed at SMTP time.

I tried to restrict includes to a particular directory, but that
option is not expanded and is pretty much useless for me since a
domain has one local user. Also, I've been unable to get $home to
expand correctly in the filter files. I think it's related, but
I'm not sure.

> 2. Write a web interface which lets people add rules of a predetermined
> format using preset conditions only. Probably secure but not very flexible,
> and parsing back the existing filter set could be awkward.


I've toyed with a web interface, not for security and limiting
generated filters, but to help the less adept users.

> 4. Set up my filter router with directory_transport pointing to a dedicated
> router, which refuses to deliver if the directory contains .. or is not
> underneath $home. That would allow me to remove forbid_file and enable the
> 'save' operation, but still has the problem of unforeseen holes as in (1)


My filter router uses it's own private transports for pipe, file,
reply and directory.

Ian

--
Ian Freislich

1.  It's a fairly large site: about 100000 domains on several hundred
    servers.