Re: [exim] Restricting a user's email destinations?

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Restricting a user's email destinations?
thane wrote:

> Hello all,
> I am setting up a server that will mostly be used by people logging on via
> ssh and performing tasks on the local machine. I would like to restrict
> certain users to only sending email to other users on the same host.
>
> How would I most easily accomplish this?


Best is to not *have* shell accounts, other than, say, 3 admin folks.

Anyone who can su to 'root' can undo whatever you have done.

Even 'ordinary' shell-account holders can usually drop their own smtp code into
place. Essentially all of the interpreted languages have several available.

And - at the end of the day, anyone who needs to do so can telnet to a distant
server and manually send a message. It isn't hard to do.

OTOH, if it is only 'accidents' you wish to reduce:

Remove, change perms, or repoint calls to the applicable MTA binaries.

Use 'wall' or a local-only message handling service instead of a full-blown MTA.

'Gross case' could be an instance of (for example) Exim that they *could* call,
but one whose user DB included only the accounts in question, was not bound to
an external port, had only the system/local router & transport (no remote smtp).

Simple case would be to use an editor to create a message, save it to common
storage, grant the addressee read privileges.

> Would this be better performed by
> forcing some settings on the email client (mutt)?
>


Beetle-tracking. Far less likely to be able to retain control of those than an
MTA/substitute, and neither approach is bullet-proof.

Anyone with the means to ssh-in to the server also has, by implication, the
hardware to support either webmail (borrowed gear) or his own
workstation-resident MUA-of-choice.

Ergo, we don't use system accounts for mail at all - even between and among
themselves. Instead, we put what we need into the virtual user DB like anyone
else, and/or use unrelated mail services entirely.

HTH,

Bill
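An added example, not part of Bill's reply or of Exim's own documentation: a minimal Exim configuration in the spirit of the local-only instance described above (loopback only, local router and transport, no remote smtp), plus a router that fails any non-local recipient when the sender is one of the restricted shell accounts. The list names, the accounts alice and bob, and the mailbox path are assumptions.

```exim
# Constructed example configuration; names and paths are assumptions.

# Listen on the loopback interface only, never on an external port.
local_interfaces = 127.0.0.1

# The only domains this instance treats as its own.
domainlist local_domains = @ : localhost

# Shell accounts that may only mail other users of this host.
# Address-list items starting with ^ are regular expressions.
addresslist restricted_senders = ^(alice|bob)@

# acl_smtp_rcpt is deliberately left unset: Exim then rejects every
# SMTP RCPT command, so only command-line (sendmail-style) submission
# from the local host is accepted at all.

begin routers

# Runs first: a restricted sender addressing a non-local domain gets an
# immediate, explicit failure instead of a queued message.
no_offsite_for_restricted:
  driver = redirect
  senders = +restricted_senders
  domains = ! +local_domains
  allow_fail
  data = :fail: This account may only send mail to users of this host

# Deliver to local system accounts.
localuser:
  driver = accept
  domains = +local_domains
  check_local_user
  transport = local_delivery

# No dnslookup router and no smtp transport follow, so a non-local
# recipient from any other sender is simply unrouteable and bounces.

begin transports

local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
```

Verify the routing without sending anything with `exim -C /path/to/this.conf -bt -f alice@localhost someone@example.org`, which should report the :fail: text, and again with a local recipient, which should route to local_delivery.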