Marc Perkel wrote:
>
> I'm trying to prevent hackers who might get in from being able to send
> email if they manage to hack me. I want it so that unless they are
> specific users that they have no rights to connect to port 25 or run exim.
Does this machine receive email? If not, then the solution is simple:
1) decide on a smarthost (another machine) to accept mail from this
IP/machine (ie relay). This machine could run Exim in normal mode.
2) configure Apache and Exim sending to use that smarthost, and only
allow root or apache to use Exim. However, I would recommend using
something like 'msmtp' instead of Exim to provide outgoing mail only.
(
http://msmtp.sourceforge.net/) and not listen on port 25, it's not needed.
3) use iptables to block any outgoing SMTP (ports 25, 465, 587) to any
machine other than the smarthost you decided on above. (see
http://oceanpark.com/notes/firewall_example.html)
Of course, if you need to receive mail on this machine then life is that
much more complicated, but still using a smarthost and iptables together
is your best chance at success. However, a hacker would most likely run
the receiving SMTP server on an unusual port, so you might have to use a
more hardcore iptables setup (ie disallow all outbound traffic instead
of what's needed).
hth,
-te
--
Troy Engel | Systems Engineer
Fluid, Inc |
http://www.fluid.com
