Re: [exim] Quick Question - Prohibiting users from sending e…

Top Page
Delete this message
Reply to this message
Author: Stephen Gran
Date:  
To: exim-users
Subject: Re: [exim] Quick Question - Prohibiting users from sending email
On Wed, Jun 14, 2006 at 02:59:49AM +0800, W B Hacker said:
> Troy Engel wrote:
>
> > Marc Perkel wrote:


[want to block outgoing email in case he's p0wn3d]

> > 3) use iptables to block any outgoing SMTP (ports 25, 465, 587) to any
> > machine other than the smarthost you decided on above. (see
> > http://oceanpark.com/notes/firewall_example.html)
> >
>
> Not 100% useful. MTA's *listen* (for other mx) on port 25. They
> ordinarily *send* on random ports well above 1024.


netfilter has a uid match module that allows you to write rules like:

iptables -t filter -A OUTPUT -m owner --uid-owner 0 -m state --state NEW --dport 25 -j ACCEPT

So, actually, rather useful for this sort of thing. Not precisely how I
owuld go about it (I would start by deciding what can make outbound
traffic and stop all other traffic, but YMMV). If it is a root
compromise, of course, you're screwed anyway, but a simple push over of
a php script running as a non-privileged httpd user may not kill you in
this case.

> Further, it is generally a safe assumption that any entity
> clever/patient enough to crack a shell account, can and will,
> escalate privileges, eventually to 'root'..


This is of course true, and good advice. If you are hacked, the least
of your worries is the spam coming from your machine.
--
--------------------------------------------------------------------------
|  Stephen Gran                  | War is much too serious a matter to be  |
|  steve@???             | entrusted to the military.   --         |
|  http://www.lobefin.net/~steve | Clemenceau                              |

--------------------------------------------------------------------------