Re: [exim] Prevent generation of bounces when deny-ing in ac…

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Prevent generation of bounces when deny-ing in acl_not_smtp
Colin Keith wrote:
> Hi,
>
> Like lots of people I'm having a hard time with spammers misusing my
> customer's sites and services....


*snip*

>
> Does anyone have any suggestions?


Keeping in mind that once you have tamed/armored Exim, you still have to
get control over smtp-outbound capable executables and such within
your clients' other apps. These do not even need to get near Exim, nor
require privileged ports or UID:GID either....

Ergo, life will be much simpler if you segregate the services by
platform and IP:

- do not permit any services 'other than' an all-virtual-user MTA on one
'server' (no local accounts).

- permit NO mail services on another 'server' - say one with web sites.

The webish one (or external fw) should block any outbound traffic
destined for port 25.

It *could* permit logging-in to its sibling on port 587 for controlled
smarthost use. At that point, cron jobs aside, there are no longer any
'non-smtp' sessions, so the normal AUTH and smtp session acl's apply.

Use of virtualized 'servers' means you do not necessarily need two
physical boxen - though I'd still recommend it.

Anything else gets MORE complex, and harder to debug, protect, and stay
abreast of, as you are just beginning to detail.

HTH,

Bill
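
The egress policy described in the message above, sketched as an nftables ruleset for the web host. This is an added example, not part of the original post; the smarthost address (192.0.2.25, a documentation address), the table and chain names, and the log prefix are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: egress policy for the web-only host.
# Assumption: the sibling MTA (smarthost) is at 192.0.2.25 (placeholder).
define SMARTHOST = 192.0.2.25

table inet web_egress {
    chain output {
        # Applies to traffic generated on this host, whatever the UID/GID
        # of the process, so unprivileged web apps are covered too.
        type filter hook output priority 0; policy accept;

        # Controlled smarthost use: authenticated submission to the
        # sibling MTA only, where the normal AUTH and SMTP ACLs apply.
        ip daddr $SMARTHOST tcp dport 587 accept

        # Everything else destined for port 25 is refused. Port 587 to
        # any other destination is refused as well (an assumption that
        # goes slightly beyond the message, so the smarthost stays the
        # only way out). The inet family covers IPv4 and IPv6.
        # "flags skuid" records the UID that owns the socket, which
        # identifies the site or script that tried to send mail directly.
        tcp dport { 25, 587 } log prefix "web-egress-smtp: " flags skuid reject with tcp reset
    }
}
```

If the sites run in guests or containers routed through this host, the same two rules belong in a forward-hook chain as well, since the output hook only sees locally generated packets.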