Re: [exim] Restricting a user's email destinations?

Author: Mike Cardwell
Date:  
To: exim-users
Subject: Re: [exim] Restricting a user's email destinations?
* on the Thu, Jul 13, 2006 at 10:28:45AM +0800, W B Hacker wrote:

> Even 'ordinary' shell-account holders can usually drop their own smtp code into
> place. Essentially all of the interpreted languages have several available.
>
> and - at the end of the day, anyone who needs to do so can telnet to a distant
> server and manually send a message. It isn't hard to do.

You can get around such problems by building a tight firewall. I get around this
particular problem on one of my systems by redirecting all outgoing connections
on port 25 to localhost unless they're initiated by the exim user. I do this
using iptables:

iptables -t nat -A OUTPUT -p tcp --dport 25 ! -d 127.0.0.1 -m owner ! --uid-owner exim -j DNAT --to-destination 127.0.0.1

Someone might find that useful...

As for limiting which addresses can be emailed by certain users, you
should be able to do this in the ACLs. There are two ways they could
send the email: either by calling the exim binary directly, or by making
a local connection to port 25. There are different ways to identify the
sending user in both circumstances.

If the sending is being done by calling the exim binary directly, you
can access the user's uid inside $caller_uid.

If the sending is being done by the user connecting to port 25 locally,
you should install an identd server and use $sender_ident.

Mike
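The two identification paths described in the message above, written out as an Exim configuration fragment. This is an added example, not configuration from the original post or from the Exim project. It assumes Exim 4.67 or later (for the ${filter...} expansion), two constructed lsearch files keyed by numeric uid (/etc/exim/user_dest_domains) and by ident username (/etc/exim/ident_dest_domains) whose values are colon-separated lists of permitted recipient domains, and the ACL names acl_check_local_submit and acl_check_rcpt; users with no entry in a file are left unrestricted. The ident path only means anything when every local process is forced to reach port 25 on 127.0.0.1, which is what the iptables rule in the post arranges.

```exim
# ---- main configuration section ----

# Non-SMTP submissions (the user runs the exim binary directly) are checked
# here; $caller_uid identifies the submitting user.
acl_not_smtp  = acl_check_local_submit

# SMTP submissions over the local port-25 connection are checked per RCPT;
# $sender_ident carries the username reported by the local identd.
acl_smtp_rcpt = acl_check_rcpt

# Ask identd only for connections from the loopback address. Recent Exim
# releases default rfc1413_query_timeout to 0s (ident disabled), so it must
# be set explicitly or $sender_ident stays empty.
rfc1413_hosts         = 127.0.0.1
rfc1413_query_timeout = 5s

begin acl

acl_check_local_submit:
  # Constructed file, one line per uid, e.g.:
  #   1001: example.com : example.org
  warn  set acl_m_allowed = ${lookup{$caller_uid}lsearch{/etc/exim/user_dest_domains}{$value}}

  # $recipients is "a@x, b@y"; switch the list separator to a comma, keep
  # only the recipients whose domain is NOT in the allowed list, and reject
  # the whole message if any remain.
  deny  condition = ${if def:acl_m_allowed}
        set acl_m_bad = ${filter{<, $recipients}{!match_domain{${domain:$item}}{$acl_m_allowed}}}
        condition = ${if !eq{$acl_m_bad}{}}
        message   = uid $caller_uid may only send to $acl_m_allowed (rejected: $acl_m_bad)

  accept

acl_check_rcpt:
  # Constructed file keyed by the identd-reported username, e.g.:
  #   alice: example.com : example.org
  deny  hosts     = 127.0.0.1
        condition = ${if def:sender_ident}
        set acl_m_allowed = ${lookup{$sender_ident}lsearch{/etc/exim/ident_dest_domains}{$value}}
        condition = ${if def:acl_m_allowed}
        !domains  = $acl_m_allowed
        message   = $sender_ident may only send to $acl_m_allowed

  # Remaining RCPT policy (relay control etc.) would follow here.
  accept
```

The non-SMTP ACL cannot reject a single recipient, only the whole message, which is why it collects the offending addresses into $acl_m_bad and reports them back; the RCPT ACL, by contrast, refuses each disallowed recipient individually at the SMTP dialogue. Neither check applies to the exim user itself or to anything the firewall rule lets bypass 127.0.0.1, so the iptables rule and the ACLs only hold together.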