Author: Mike Cardwell Date: To: exim-users Subject: Re: [exim] Restricting a user's email destinations?
* on the Fri, Jul 14, 2006 at 08:42:45PM +0800, W B Hacker wrote:
>> At least? We've already determined that exim is the only user that can
>> now make outgoing port 25 connections. So surely the only way you can
>> invoke exim to send an email is by connecting to it via a tcp
>> connection, or running the exim binary... What's the third method of
>> sending an email using exim...
> If the object of the exercise is to prevent shell users from sending *only* via
> Exim, that can be done entirely within Exim.
>
> Your rule is far more useful, thank you.
>
> But do not presume that by itself it is enough to *categorically* prevent a
> shell account holder, or even a Zope/Plone/other feature-rich CMS user *without*
> shell privileges, from transmitting a message from the server.
>
> You have to close every port above 1024 and/or not already bound to by a
> privileged daemon, and when you do *that* one wonders how happy your own MTA is
> going to be when it tries to send to another MTA.
Can you give an example please, because I don't get exactly how you
think this could happen...
> *snip* (identd)
>>> and usually brings more headache than relief.
>> It does? It's one of the simplest services you can have installed. It
>> just works...
> ..and has a nasty history of server exploits. Enough so that attempts continue,
> even if they have been fixed.
> Log or tcpdump activity on your identd port sometime and see how much garbage
> load your link (and stack, and CPU, and other resources) now have to deal with.
I was talking about an identd server that would be queried locally. This
would of course be firewalled out of remote access. You could even
prevent any local user from talking to it other than exim, using a
similar iptables rule to the one I specified earlier... Now that's going
to be secure for most.
>>> At the end of the day, Exim rulesets can restrict 'proper' users to specific
>>> destinations and/or prohibit specific destinations.
>>> But the 'challenge' remains that a shell account holder who has either the
>>> ability to install and use executables or even to simply access telnet, can
>>> connect to a destination server without ever touching Exim.
>> Nope. That's what my iptables rule prevents.
> OK. I can top that.
> "I believe you."
> And that IS a bigger lie...
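The iptables approach Mike describes (outgoing port 25 limited to the exim user, and a locally queried identd that only exim may reach), written out as an added example that is not part of the original thread. Since the thread never quotes the rule itself, this reconstruction assumes a Linux host with the iptables owner match, an MTA running as the system user exim, and identd listening on the standard port 113.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: the MTA runs as the system
# user "exim" (MTA_USER), identd listens on 127.0.0.1 port 113, and the
# iptables "owner" match is available. Rules are printed for review and
# only applied when run as "--apply" by root.
MTA_USER="${MTA_USER:-exim}"
IPT="${IPT:-iptables}"

# Outbound SMTP: only the MTA's uid may open connections to port 25.
# Anything else is logged (so attempts show up in syslog) and rejected,
# which covers shell users and CMS processes alike.
outbound_smtp_rules() {
    cat <<EOF
$IPT -A OUTPUT -p tcp --dport 25 -m owner --uid-owner $MTA_USER -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 25 -j LOG --log-prefix "smtp-not-mta: "
$IPT -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
EOF
}

# Local identd: the owner match only exists in OUTPUT, so loopback queries
# are limited to the MTA's uid there, while INPUT drops any identd traffic
# that did not arrive on the loopback interface.
local_identd_rules() {
    cat <<EOF
$IPT -A OUTPUT -o lo -p tcp --dport 113 -m owner --uid-owner $MTA_USER -j ACCEPT
$IPT -A OUTPUT -o lo -p tcp --dport 113 -j REJECT --reject-with tcp-reset
$IPT -A INPUT ! -i lo -p tcp --dport 113 -j DROP
EOF
}

# Load the generated rules; each printed line is one iptables invocation.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    { outbound_smtp_rules; local_identd_rules; } | sh -e
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       outbound_smtp_rules; local_identd_rules ;;
esac
```

Run without arguments to review the rule set; with --apply as root it loads the rules in order, so the ACCEPT for the MTA user is evaluated before the LOG and REJECT catch-alls.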