Re: [exim] restriction on aliases of a webserver

Marten Lehmann wrote:

> Hello,
>
> on a webserver, users are sending mails by calling /usr/sbin/sendmail.
*SNIP*

Not specified, but implied by;

> ... watching all the user-accounts in /home

...that you are speaking of 'shell' account holders.

> ... would like to prevent the whole abuse-possibility.

Which also may require a look at any 'webmail' or web-forms, or perl,
PHP, etc. tools you are almost certainly furnishing...

> ...This webserver is a webserver only, exim is not listening on port 25.

First: if it is intended only as a webserver, could you remove all MTA
functionality entirely?
- chron's log and security reports can be sent to a file, scp'ed to /
pulled-by another box, etc. [1]

Second: Consider restricting access to the SMTP binary to select
users:groups. [2]

Third: Do you really *need* to allow shell access? Could you 'chroot' or
'jail' users, or restrict them to web-enabled virtual access? [2]

HTH

Bill

[1] google for null mailers and such.... Or pull the reports with rsync
onto another box...

[2] Only 'root' can assign ports below 1024 (port 25, for example), as
is needed for incoming.

But:

- an httpd with cgi,

- or PHP, perl, and most any other language, with or without the aid of
an httpd, can be used to run their own SMTP functions, as outbound
messaging can proceed over any available port.

You could firewall that by denying from any to any port 25, (and the
SMTP submission ports), but even that is not 100% bullet-proof.

Basically, if you support mailing of web forms, and/or your users have
access to / rights to install/build and/or use binaries, or any of these
language tools, you do not have enough control to worry about Exim vs
Sendmail. :-(