Author: W B Hacker Date: To: exim users Subject: Re: [exim] Prevent generation of bounces when deny-ing in acl_not_smtp
Colin Keith wrote:
> Hi,
>
> Like lots of people I'm having a hard time with spammers misusing my
> customer's sites and services....
*snip*
>
> Does any one have any suggestions?
Keeping in mind that once you have tamed/armored Exim, you still have to
get control over smtp-outbound capable executables and such within
your clients' other apps. These do not even need to get near Exim, nor
require privileged ports or UID:GID either....
Ergo, life will be much simpler if you segregate the services by
platform and IP:
- do not permit any services 'other than' an all-virtual-user MTA on one
'server' (no local accounts).
- permit NO mail services on another 'server' - say one with web sites.
The webish one (or external fw) should block any outbound traffic
destined for port 25.
It *could* permit logging in to its sibling on port 587 for controlled
smarthost use. At that point, cron jobs aside, there are no longer any
'non-smtp' sessions, so the normal AUTH and smtp session ACLs apply.
Use of virtualized 'servers' means you do not necessarily need two
physical boxen - though I'd still recommend it.
Anything else gets MORE complex, and harder to debug, protect, and stay
abreast of, as you are just beginning to detail.
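As an added illustration of the "log in to the sibling on port 587" arrangement described above (example configuration written for this page, not taken from the thread or from the Exim project): fragments of the MTA host's Exim configuration that make port 587 submission-only, advertise AUTH only inside a TLS session, and relay solely for authenticated clients. The hostname, certificate paths, the `/etc/exim/submission_users` credential file and its `user: password` layout, and the virtual-domain list are assumptions; routers and transports are omitted, and the `$tls_in_cipher` variable is the newer Exim 4 name (older releases used `$tls_cipher`).

```exim
# Added example, not from the original thread. Main-section options for the
# all-virtual-user MTA host; the web host has no MTA and only talks to this
# box on 587 after authenticating.

daemon_smtp_ports = 25 : 587

# Offer STARTTLS on every port, but advertise AUTH only once TLS is up, so
# PLAIN credentials never cross the wire in clear.
tls_advertise_hosts  = *
tls_certificate      = /etc/exim/mta.example.net.pem   # assumed paths
tls_privatekey       = /etc/exim/mta.example.net.key
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

# Virtual domains only; no local accounts exist on this host.
domainlist local_domains = lsearch;/etc/exim/virtual_domains

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Port 587 is submission only: without AUTH, no recipient is accepted,
  # so the normal SMTP-session ACLs decide, and nothing reaches acl_not_smtp.
  deny   condition       = ${if eq{$interface_port}{587}}
         !authenticated  = *
         message         = Submission port requires authentication

  # Authenticated clients (the web host's apps logging in) may relay.
  accept authenticated   = *

  # Everything else (port 25) is inbound mail for our own domains only.
  accept domains         = +local_domains
  deny   message         = relay not permitted

begin authenticators

# PLAIN over TLS, checked against an assumed file of "user: password" lines.
# A forced expansion failure (unknown user) counts as authentication failure.
plain_login:
  driver                     = plaintext
  public_name                = PLAIN
  server_prompts             = :
  server_advertise_condition = ${if def:tls_in_cipher}
  server_condition           = ${if eq{$auth3}{${lookup{$auth2}lsearch{/etc/exim/submission_users}{$value}fail}}}
  server_set_id              = $auth2
```

This is the MTA side only; it complements, rather than replaces, the egress rule on the web host (or external firewall) that drops outbound port 25, which is what stops a compromised web app from bypassing the smarthost altogether. A quick check from the web host is that a connection to any external host on port 25 fails while an authenticated session to the sibling on 587 succeeds. Storing hashed rather than clear-text passwords in the credential file is preferable in production; the clear-text form is used here only to keep the example short.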