Author: W B Hacker
Date:
To: exim users
Subject: Re: [exim] Restricting a user's email destinations?

thane wrote:
> Hello all,
> I am setting up a server that will mostly be used by people logging on via
> ssh and performing tasks on the local machine. I would like to restrict
> certain users to only sending email to other users on the same host.
>
> How would I most easily accomplish this?

Best is to not *have* shell accounts, other than, say, 3 admin folks.
Anyone who can su to 'root' can undo whatever you have done.

Even 'ordinary' shell-account holders can usually drop their own SMTP code into
place. Essentially all of the interpreted languages have several available.

And, at the end of the day, anyone who needs to do so can telnet to a distant
server and manually send a message. It isn't hard to do.

OTOH, if it is only 'accidents' you wish to reduce:

Remove, change perms, or repoint calls to the applicable MTA binaries.

Use 'wall' or a local-only message handling service instead of a full-blown MTA.

'Gross case' could be an instance of (for example) Exim that they *could* call,
but one whose user DB included only the accounts in question, was not bound to
an external port, and had only the system/local router & transport (no remote SMTP).

Simple case would be to use an editor to create a message, save it to common
storage, and grant the addressee read privileges.

> Would this be better performed by
> forcing some settings on the email client (mutt)?
>
Beetle-tracking. Far less likely to be able to retain control of those than an
MTA/substitute, and neither approach is bullet-proof.

Anyone with the means to ssh-in to the server also has, by implication, the
hardware to support either webmail (borrowed gear) or his own
workstation-resident MUA-of-choice.

Ergo, we don't use system accounts for mail at all - even between and among
themselves. Instead, we put what we need into the virtual user DB like anyone
else, and/or use unrelated mail services entirely.
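
The 'gross case' described in the reply above, sketched as an added example that is not part of the original post or anyone's production configuration: a fragment of an Exim configuration with a loopback-only listener, one local router and one local transport. It assumes Exim 4.94 or later (for `$local_part_data`) and mbox spools under `/var/mail`; it accepts every system account, so narrowing it to particular accounts would need a further condition on the router.

```conf
# Constructed example: local-only Exim instance (fragment, not a full config).
# Assumptions: Exim 4.94+, mailboxes in /var/mail, host name is the only
# local domain.

# "@" stands for this host's primary name.
domainlist local_domains = @

# Listen on loopback only, so nothing is bound to an external port.
local_interfaces = 127.0.0.1

acl_smtp_rcpt = acl_check_rcpt

begin acl

# Covers SMTP submitted to 127.0.0.1:25. Mail injected through the
# command line (the sendmail interface) does not pass this ACL, so the
# router below is what actually enforces the restriction.
acl_check_rcpt:
  accept domains = +local_domains
  deny   message = this instance delivers to local accounts only

begin routers

# The only router. "domains" matters here: without it, an address such as
# alice@elsewhere.example would match on the local part "alice" alone and
# be delivered locally instead of being rejected as unrouteable.
localuser:
  driver = accept
  domains = +local_domains
  check_local_user
  transport = local_delivery
  cannot_route_message = Unknown user

begin transports

# The only transport. No transport with "driver = smtp" is defined, so
# this instance has no means of handing a message to a remote host.
local_delivery:
  driver = appendfile
  file = /var/mail/$local_part_data
  delivery_date_add
  envelope_to_add
  return_path_add
```

Routing can be checked without sending anything by running Exim's address-test mode (`-bt`) against this file: a local account should route to `local_delivery`, and an address in any other domain should fail to route.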