Use netfilter (for linux or pf on OpenBSD etc..) to lock port 25 to
those users.
Then use something like selinux to lock access to the exim binaries, or
if you don't want to use selinux.. use ACL.
for example:
chmod og= /usr/sbin/exim*
setfacl -m user:rx:www /usr/sbin/exim*
setfacl -m user:rx:exim /usr/sbin/exim* (may be redundant, not sure.)
or, add users who are able to send email to exim_senders group
chown exim:exim_senders /usr/sbin/exim*
I'm sure there are more ways, but really, why would you have any
accounts on your system in the first place?
I think your time would be better spent using proper firewalls and
public key authentication to lock down access to your machine.
Also, maybe look into Linux w/ Xen, FreeBSD Jails, or even Solaris
Zones.
--- Marc Perkel <marc@???> wrote:
>
>
> Tony Finch wrote:
> > On Tue, 13 Jun 2006, Marc Perkel wrote:
> >
> >> Thanks but I don't think that's going to work as the localpart can
> be
> >> anything, and not related to the user ID. What I'm looking for is
> to
> >> prohibit local users from sending email.
> >>
> >
> > It's checking $authenticated_id not $local_part. The
> match_local_part
> > clause is a red herring. In any case, if your users have shell
> access they
> > can use software other than Exim to send email, so this check is
> probably
> > pointless.
> >
> > Tony.
> >
>
> I'm trying to prevent hackers who might get in from being able to
> send
> email if they manage to hack me. I want it so that unless they are
> specific users that they have no rights to connect to port 25 or run
> exim.
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
>
