Re: [exim] environment variable patch

Top Page
Delete this message
Reply to this message
Author: Marc Sherman
Date:  
To: exim-users
Subject: Re: [exim] environment variable patch
Eli wrote:
>
> Really? How is that exactly? When a CGI script (Perl let's say)
> runs and sends out a piece of email... I have absolutely no "catch"
> I can perform aside from writing a wrapper script for my "sendmail"
> program (but what's to stop them and find out where Exim is installed
> and do a direct call that way) to be able to track what domain it
> came from, what script called it, or anything else for that matter.


So you don't control the scripts that run on the machine? Well, you're
pretty screwed, then -- with the env patch, they could just change the
environment before calling sendmail, if they want to. So a wrapper
script is exactly what I'd suggest in that case; it does the job when
someone is not trying to attack you, and is no less safe than your
existing solution when they are.

You could put a deny in the non-smtp ACL that won't allow any mail to be
sent unless the macros are set, but that still doesn't protect you
against someone explicitly calling the exim binary with -D's faked with
incorrect values.

> As far as I know, the patch I have *is* the only way to truly
> accomplish what you need to 100% track sent email from a local
> webserver.


Unless someone knows how to use setenv(3) in their calling code. :)

> Please provide working examples if you know ways to do this without
> the patch - I don't really like having to maintain/use a patch if
> it's not required.


Um, please provide a signed consulting contract? I think I've given you
plenty to go on.

- Marc