Re: [exim] Restricting a user's email destinations?

Top Page
Delete this message
Reply to this message
Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Restricting a user's email destinations?
Mike Cardwell wrote:

> * on the Fri, Jul 14, 2006 at 07:09:51AM +0800, W B Hacker wrote:
>

*snip*
>>>There are


>>at least
>
>
> At least? We've already determined that exim is the only user that can
> now make outgoing port 25 connections. So surely the only way you can
> invoke exim to send an email is by connecting to it via a tcp
> connection, or running the exim binary... What's the third method of
> sending an email using exim...


If the object of the exercise is to prevent shell users from sending *only* via
Exim, that can be done entirely within Exim.

Your rule is far more useful, thank you.

But do not presume that by itself it is enough to *categorically* prevent a
shell account holder, or even a Zope/Plone/other feature-rich CMS user *without*
shell privileges, from transmitting a message from the server.

You have to close every port above 1024 and/or not already bound to by a
privileged daemon, and when you do *that* one wonders how happy your own MTA is
going to be when it tries to send to another MTA.

*snip* (identd)
>
>>and usually brings more headache than relief.
>
>
> It does? It's one of the simplest services you can have installed. It
> just works...
>


..and has a nasty history of server exploits. Enough so that attempts continue,
even if they have been fixed.

Log or tcpdump activity on your identd port sometime and see how much garbage
load your link (and stack, and CPU, and other resources) now have to deal with.

>
>>- properly configured, authentication should be required for any traffic not
>>destined for on-host users. Non-authenticated smtp traffic addressed to off-host
>>destinations should be treated as unauthorized relay attempts.
>
>
> Sounds just like my suggestion. Except yours requires each email client
> to use authenticated smtp.
>


MUA's on 587 and such, yes. As RFC and good practice recommends.

Peer MTA's incoming on 25, not (necesarily).

>
>>At the end of the day, Exim rulesets can restrict 'proper' users to specific
>>destinations and/or prohibit specific destinations.
>>
>>But the 'challenge' remains that a shell account holder who has either the
>>ability to install and use executables or even to simply acess telnet, can
>>connect to a destination server without ever touching Exim.
>
>
> Nope. That's what my iptables rule prevents.
>


OK. I can top that.

"I believe you."

And that IS a bigger lie...

;-)

Bill