Re: [exim] Restricting a user's email destinations?

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M\Stephen Gran at <-
MMGraeme Fowler at ->
Delete this message
Reply to this message
Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Restricting a user's email destinations?
Stephen Gran wrote:
> On Fri, Jul 14, 2006 at 07:09:51AM +0800, W B Hacker said:
>
>>Mike Cardwell wrote:
>>
>>>iptables -t nat -A OUTPUT -p tcp --dport 25 -d ! 127.0.0.1 -m owner ! --uid-owner exim -j DNAT --to-destination 127.0.0.1
>>>
>>>Someone might find that useful...
>>
>>The intent is good, but that specific rule is not necessary on Unix, nor will it
>>block outbound traffic.
>
>
> I think you are misreading what that line does. It redirects outbound
> traffic destined to port 25 to localhost port 25. It does not address
> what port the query comes from.

I understand what it *attempts* to accomplish.

Server security would be required to also prevent disabling the rule, either by
deletion, insertion of a pass or workaround earlier in the ruleset, or killing
the process that runs the firewall.

Better if it were on an external firewall.

It also does not block pointing to a far-end submission port, nor can we be
certain that a distant server will not accept local delivery without auth on
such a port.

Bill



This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] sender verify and greylistingRe: [exim] sender verify and greylisting->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)