Re: [exim] Restricting a user's email destinations?

Author: Mike Cardwell
Date:  
To: exim-users
Subject: Re: [exim] Restricting a user's email destinations?
* on the Fri, Jul 14, 2006 at 09:39:56AM +0800, W B Hacker wrote:

>>>> iptables -t nat -A OUTPUT -p tcp --dport 25 -d ! 127.0.0.1 -m owner ! --uid-owner exim -j DNAT --to-destination 127.0.0.1
>>>> Someone might find that useful...
>>> The intent is good, but that specific rule is not necessary on Unix, nor will it
>>> block outbound traffic.
>> I think you are misreading what that line does. It redirects outbound
>> traffic destined to port 25 to localhost port 25. It does not address
>> what port the query comes from.
> I understand what it *attempts* to accomplish.
Attempts and succeeds...

> Server security would be required to also prevent disabling the rule, either by
> deletion, insertion of a pass or workaround earlier in the ruleset, or killing
> the process that runs the firewall.
Erm. The people he's trying to block from emailing remote accounts are
only normal system users as far as I understand... They don't have
root... "Server security would be required" - That's a given isn't it? A
normal user can't modify iptables rules...

> Better if it were on an external firewall.
Probably yes. But also, probably not necessary.

> It also does not block pointing to a far-end submission port,
So add a similar rule for port 587...

> nor can we be certain that a distant server will not accept local delivery without
> auth on such a port.
No idea what you're talking about here. How is this related to the
initial requirements stated at the beginning of this thread?

Mike
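A small model of what the quoted rule actually does, added here as an example and not part of the thread: it parses the iptables syntax used above (including the legacy `-d ! addr` negation) and applies first-match semantics to locally generated TCP connections, so an admin can check which users' port 25 and 587 connections get steered to the local MTA before loading the rules on a box. The second rule for port 587 follows the reply's suggestion; its `:25` target port is an assumption.

```python
import shlex

def parse_rule(cmd):
    """Parse one 'iptables -t nat -A OUTPUT ...' command into the fields this model
    uses; accepts the legacy '-d ! addr' negation from the thread and '! -d addr'."""
    toks = shlex.split(cmd)
    r = {"dport": None, "dst": None, "dst_neg": False,
         "uid": None, "uid_neg": False, "target": None, "to": None}
    i, neg = 0, False
    while i < len(toks):
        t = toks[i]
        if t == "!":
            neg, i = True, i + 1
            continue
        if t == "-d" and toks[i + 1] == "!":    # legacy form: -d ! 127.0.0.1
            neg, i = True, i + 1
        if t == "--dport":
            r["dport"] = int(toks[i + 1])
        elif t == "-d":
            r["dst"], r["dst_neg"] = toks[i + 1], neg
        elif t == "--uid-owner":
            r["uid"], r["uid_neg"] = toks[i + 1], neg
        elif t == "-j":
            r["target"] = toks[i + 1]
        elif t == "--to-destination":
            r["to"] = toks[i + 1]
        else:
            i -= 1           # token we don't model (-t, -A, -p, -m, ...): step by one
        i, neg = i + 2, False
    return r

def resolve(rules, user, dst, dport):
    """Destination a local TCP connection by `user` to dst:dport really reaches."""
    for r in rules:                       # first match wins, as in the OUTPUT chain
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["dst"] is not None and (r["dst"] == dst) == r["dst_neg"]:
            continue
        if r["uid"] is not None and (r["uid"] == user) == r["uid_neg"]:
            continue
        if r["target"] == "DNAT":
            ip, _, port = r["to"].partition(":")
            return ip, int(port) if port else dport   # no port given: keep original
    return dst, dport                     # nothing matched: leaves as requested
# The thread's rule plus the "similar rule for port 587" the reply suggests; its
# ':25' target port is an assumption (hand submission traffic to the local MTA).
RULES = [
    parse_rule("iptables -t nat -A OUTPUT -p tcp --dport 25 -d ! 127.0.0.1 "
               "-m owner ! --uid-owner exim -j DNAT --to-destination 127.0.0.1"),
    parse_rule("iptables -t nat -A OUTPUT -p tcp --dport 587 ! -d 127.0.0.1 "
               "-m owner ! --uid-owner exim -j DNAT --to-destination 127.0.0.1:25")]
```

The model only covers the matches the quoted rules use (TCP destination port, destination address, owner uid), and the source port plays no part, which is the point Mike makes above.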