Re: [exim] Prevent generation of bounces when deny-ing in acl_…

Author: W B Hacker
To: exim users
Subject: Re: [exim] Prevent generation of bounces when deny-ing in acl_not_smtp
exim@??? wrote:
> On Fri, Jan 16, 2009 at 07:08:58AM +0000, W B Hacker wrote:
>> platform and IP:
>>
>> - do not permit any services 'other than' an all-virtual-user MTA on one
>> 'server' (no local accounts).
>>
>> - permit NO mail services on another 'server' - say one with web sites.
>>
>> The webish one (or external fw) should block any outbound traffic
>> destined for port 25.
>>
>> It *could* permit logging-in to its sibling on port 587 for controlled
>> smarthost use. At that point, cron jobs aside, there are no longer any
>> 'non-smtp' sessions, so the normal AUTH and smtp session acl's apply.
>>
>> Use of virtualized 'servers' means you do not necessarily need two
>> physical boxen - though I'd still recommend it.
>
> You're completely correct of course and I must say your suggestions have
> given me a few ideas on where to move to in the future. One of my problems
> is that these are live boxes with lots of happy customers and the boxes are
> all running non-Xen kernels and they're not new enough for KVM. I can't
> really use VirtualBox/VMWare as I refuse to put GUIs on the boxes because
> they're servers.


Qemu is F/OSS and can be run from/as text-mode/CLI only (w/o a 'GUI').

AFAIK, so too the others.

Most Linuxen, of course, are not quite as CLI-centric as *BSD'ers, so may
not be aware of that.

>
> However there's a distinct possibility that I could run up some older box
> to behave as an outgoing mail server so as to centralize the filtering. I
> already filter outbound traffic for regular users (and the web server user
> more so for all the lame PHP scripts) so port 25 traffic isn't a problem.
> But an outbound mail server like this would help with this issue because
> most comment/419 spammers (my biggest problem) hop around different sites on
> different web servers. In this case it would all be logged centrally so it
> would be much easier to pull blocking stats from.
>


Even a single box, if run with no mail service to the shell-account IDs
nor 'Luser' permissions on 'mail'-ish executables, would help by making
everything 'smtp' and letting you enforce AUTH.

EX: A shell login account UID:Shell to control web pages - but Exim
configured w/o shell delivery routers or user verification.

The 'owner' of account 'Shell' - IF and only IF they also need/(pay
for) email - gets one or more differently-named UIDs that are virtual
only, AND NOT shell accounts.

Compared to a simple two-box rig, that makes it a bit more complex to
allow outbound targeted on far-end port 25 to Exim AND NOT any other
script, app, or daemon.

But it can be done.

> Thanks for your suggestions I'll see what I can come up with.
>
> Regards,
> Colin.
>
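As an added example (not from this thread), one way to implement the single-box egress rule described above on a Linux host with iptables: only the Exim daemon's uid may open far-end port 25, anything may submit to the sibling smarthost on 587 (where AUTH is enforced), and every other attempt is logged with its uid, which gives the central blocking stats Colin is after, then rejected. Assumptions: the MTA runs as uid `exim`, the smarthost is the documentation address 192.0.2.25, and the local iptables-restore supports `--test`.

```shell
#!/bin/sh
# Egress policy for a web host that must not talk SMTP except via its own MTA.
MTA_USER="${MTA_USER:-exim}"            # assumption: uid the Exim daemon runs as
SMARTHOST="${SMARTHOST:-192.0.2.25}"    # assumption: sibling MTA (documentation IP)
LOG_PREFIX="EGRESS-SMTP-DENY: "

# Emit the rules in iptables-restore format (lines starting with # are skipped by it).
build_ruleset() {
  cat <<EOF
*filter
:OUTPUT ACCEPT [0:0]
# 1. Only the MTA's own uid may open connections to far-end port 25.
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner $MTA_USER -j ACCEPT
# 2. Submission to the sibling smarthost on 587 is allowed; AUTH is enforced there.
-A OUTPUT -p tcp -m tcp -d $SMARTHOST --dport 587 -j ACCEPT
# 3. Any other script, app or daemon aiming at 25/587: log (rate-limited, with uid) and reset.
-A OUTPUT -p tcp -m tcp -m multiport --dports 25,587 -m limit --limit 10/min -j LOG --log-prefix "$LOG_PREFIX" --log-uid
-A OUTPUT -p tcp -m tcp -m multiport --dports 25,587 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Sanity check: the MTA's ACCEPT must precede the REJECT, or Exim itself is cut off.
ruleset_is_ordered() {
  build_ruleset | awk '/--uid-owner.*-j ACCEPT/ {a=NR} /-j REJECT/ {r=NR}
                       END {print ((a && r && a < r) ? "ok" : "bad")}'
}

# Parse-check the ruleset before loading it; -n keeps rules already in other chains.
# Caveat: with -n the rules are appended, so an earlier blanket ACCEPT in OUTPUT
# would shadow them; check 'iptables -S OUTPUT' after loading.
apply_ruleset() {
  tmp=$(mktemp) || return 1
  build_ruleset >"$tmp"
  iptables-restore --test "$tmp" && iptables-restore -n "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

case "${1:-}" in
  show)  build_ruleset ;;
  apply) apply_ruleset ;;
esac
```

Run as `sh egress-smtp.sh show` to review the generated rules and `sh egress-smtp.sh apply` (as root) to load them; rejected attempts then show up in the kernel log under the `EGRESS-SMTP-DENY:` prefix with the offending uid.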