Author: W B Hacker Date: To: exim users Subject: Re: [exim] Restricting a user's email destinations?
Stephen Gran wrote: > On Fri, Jul 14, 2006 at 07:09:51AM +0800, W B Hacker said:
>
>>Mike Cardwell wrote:
>>
>>>iptables -t nat -A OUTPUT -p tcp --dport 25 -d ! 127.0.0.1 -m owner ! --uid-owner exim -j DNAT --to-destination 127.0.0.1
>>>
>>>Someone might find that useful...
>>
>>The intent is good, but that specific rule is not necessary on Unix, nor will it
>>block outbound traffic.
>
>
> I think you are misreading what that line does. It redirects outbound
> traffic destined to port 25 to localhost port 25. It does not address
> what port the query comes from.
I understand what it *attempts* to accomplish.
Server security would be required to also prevent disabling the rule, either by
deletion, insertion of a pass or workaround earlier in the ruleset, or killing
the process that runs the firewall.
Better if it were on an external firewall.
It also does not block pointing to a far-end submission port, nor can we be
certain that a distant server will not accept local delivery without auth on
such a port.