Re: [exim] Quick Question - Prohibiting users from sending e…

Author: L. Jason Godsey
Date:  
To: exim-users
Subject: Re: [exim] Quick Question - Prohibiting users from sending email

Mistake below:

Instead of chown exim:exim_senders /usr/sbin/exim*, it should be chgrp
exim_senders /usr/sbin/exim*

Sorry

--- "L. Jason Godsey" <lannygodsey@???> wrote:

>
> Use netfilter (for linux or pf on OpenBSD etc..) to lock port 25 to
> those users.
>
> Then use something like selinux to lock access to the exim binaries, or
> if you don't want to use selinux.. use ACL.
>
> for example:
> chmod og= /usr/sbin/exim*
>
> setfacl -m user:www:rx /usr/sbin/exim*
> setfacl -m user:exim:rx /usr/sbin/exim* (may be redundant, not sure.)
>
> or, add users who are able to send email to exim_senders group
> chown exim:exim_senders /usr/sbin/exim*
>
> I'm sure there are more ways, but really, why would you have any
> accounts on your system in the first place?
>
> I think your time would be better spent using proper firewalls and
> public key authentication to lock down access to your machine.
>
> Also, maybe look into Linux w/ Xen, FreeBSD Jails, or even Solaris
> Zones.
>
> --- Marc Perkel <marc@???> wrote:
>
> >
> >
> > Tony Finch wrote:
> > > On Tue, 13 Jun 2006, Marc Perkel wrote:
> > >
> > >> Thanks but I don't think that's going to work as the localpart can be
> > >> anything, and not related to the user ID. What I'm looking for is to
> > >> prohibit local users from sending email.
> > >>
> > >
> > > It's checking $authenticated_id not $local_part. The match_local_part
> > > clause is a red herring. In any case, if your users have shell access they
> > > can use software other than Exim to send email, so this check is probably
> > > pointless.
> > >
> > > Tony.
> > >
> >
> > I'm trying to prevent hackers who might get in from being able to send
> > email if they manage to hack me. I want it so that unless they are
> > specific users that they have no rights to connect to port 25 or run
> > exim.
> >
> > --
> > ## List details at http://www.exim.org/mailman/listinfo/exim-users
> > ## Exim details at http://www.exim.org/
> > ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
> >
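
An added example, not part of the original thread or of Exim: a shell function that audits one binary against the group-based lockdown described in the message above (no access for "other", group ownership by the permitted-senders group, group r-x). It assumes GNU stat on Linux and that the binary is meant to stay setuid, as Exim is normally installed; the function name is hypothetical, and ACL entries are not inspected.

```shell
#!/bin/sh
# Added example: audit one MTA binary against the group-based lockdown.
# Usage: audit_mta_binary FILE GROUP   (GROUP may be a name or a numeric gid)
# Prints one finding per problem; returns 0 when none, 1 otherwise,
# 2 if FILE is not a regular file. Requires GNU stat (Linux).
audit_mta_binary() {
    file=$1; want=$2; rc=0
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file"
        return 2
    fi
    mode=$(printf '%04d' "$(stat -c '%a' "$file")")   # e.g. 4750
    gname=$(stat -c '%G' "$file")
    gid=$(stat -c '%g' "$file")

    special=${mode%???}                 # setuid/setgid/sticky digit
    rest=${mode#??}; grp=${rest%?}      # group permission digit
    other=${mode#???}                   # other permission digit

    if [ "$other" -ne 0 ]; then
        echo "$file: mode $mode still grants access to 'other'"; rc=1
    fi
    if [ "$gname" != "$want" ] && [ "$gid" != "$want" ]; then
        echo "$file: group is $gname, expected $want"; rc=1
    fi
    if [ $((grp & 5)) -ne 5 ]; then
        echo "$file: group lacks r-x, permitted senders cannot run it"; rc=1
    fi
    # Assumption: the binary is meant to be setuid (Exim is normally installed
    # setuid root). Changing owner or group can clear that bit, so re-check it.
    if [ $((special & 4)) -eq 0 ]; then
        echo "$file: setuid bit is not set"; rc=1
    fi
    return $rc
}

# Stand-alone use: sh audit.sh /usr/sbin/exim exim_senders
if [ "$#" -ge 2 ]; then
    audit_mta_binary "$1" "$2"
fi
```
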