Re: [exim] Block local submission

Author: Andy Bennett
Date:  
To: Giuliano David, exim-users
Subject: Re: [exim] Block local submission
Hi,

> On a shared web hosting server with exim4 as mail server I would like to
> prevent php applications from sending mail without authentication via
> SMTP on localhost.
> This is a piece of war against bugged php scripts suffering code-injection.
>
> So, because I run suPHP, each web application is run as the user
> belonging to the application, and I had to block mail submission from
> every local system user.
>
> In Postfix I achieved this result adding the rule
> "authorized_submit_users = root, !static:all"
> What I did with Postfix was to deny any chance to send mail via local
> submission by any system user, except for the ones I trust (root).
>
> Within Exim I tried using "trusted_users = root" in main configuration,
> but the effect is not what I need as I read in chapter 14
> (http://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html)
> and in chapter 5.2 of Exim documentation.
>
> Can anyone point me in the right direction to achieve the same with exim4?


Here's the ACL I use to restrict which local accounts can send mail (via
the sendmail binary) and which addresses they can send mail from without
a Sender: header being added:

-----
# Main configuration section:
deliver_drop_privilege = true
never_users = root

# Look up the submitting account's login name in the local_senders file;
# the result is empty when the account is not listed there.
LOCAL_SENDERS = ${lookup{$sender_ident}lsearch{/etc/exim4/local_senders}}

# Envelope for local users:
# Where lookup succeeds, senders can be set that match any pattern in the list
untrusted_set_sender = LOCAL_SENDERS

# Message headers for local users:
local_sender_retain = false
local_from_check = false

acl_not_smtp = acl_local_localhost


# ACL section (after "begin acl"):
acl_local_localhost:
  #warn
  #        log_message = acl_local_localhost: sender_address: $sender_address, $sender_ident, LOCAL_SENDERS.

  # untrusted_set_sender ensures that accounts listed in the LOCAL_SENDERS file
  # send from the addresses listed for them or else we add a Sender: header for
  # them.
  # Here we check that the sender appears in the file in order to restrict
  # whether they are allowed to send mail at all.
  require
          message = "Your account is not allowed to send mail on this host ($primary_hostname)!"
          condition = ${if !eq {LOCAL_SENDERS}{}}

  require
          verify = sender
          acl = aux_verify_sender

  # Ensure that anyone who is permitted to send mail is always able to send
  # bounce messages. This should be the default but we don't want the next
  # clause (that might add a Sender: header) to mess anything up.
  accept
          senders = :

  # Add a Sender: header if the From address isn't on the user's list of
  # allowed From: addresses
  warn
          condition = ${if !match_address{${address:$h_From:}}{LOCAL_SENDERS}}
          log_message = acl_local_localhost: adding Sender: $sender_address
          add_header = Sender: $sender_ident@$qualify_domain

accept


# Auxiliary ACLs that are called by the others

# CALLTIME is a macro (the callout timeout) defined elsewhere in the configuration.
aux_verify_sender:
  require
          verify = sender/callout=CALLTIME,defer_ok

accept
-----


On non-relay hosts, exim runs to allow local mail to get to the
smarthost but we make sure we don't offer an SMTP service:

-----
acl_smtp_rcpt = acl_rcpt_localhost

acl_rcpt_localhost:
  # Be secure in case of config errors.
  require
          message = "No SMTP service for unauthorized users"
          hosts   = : @[] :


  deny
          message = "No SMTP service for anyone!"
-----



In /etc/exim4/local_senders I have something like:

-----
$ more /etc/exim4/local_senders
Debian-exim: :
app-server: *@appmail.example.com
root: root@???
andyjpb: andyjpb@???
-----

The "Debian-exim: :" line ensures that exim can send whatever messages
it needs to.

The app-server account can send mail from any address in the
appmail.example.com domain. This is handy for VERP stuff.

It's handy to let root send mail so that its crontab entries can send
reports.

Then the list of regular users follows. For a shared server you can
configure the sender address to something in a domain that they own
otherwise "Sender: <username>@<qualify_domain>" is stamped on the message.





Regards,
@ndy

--
andyjpb@???
http://www.ashurst.eu.org/
0290 DA75 E982 7D99 A51F E46A 387A 7695 7EBA 75FF
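An added example, not from Andy's post and not Exim's own code: a small Python model of the decisions acl_local_localhost makes for one local submission (deny unlisted accounts, always accept bounces, otherwise add a Sender: header when the From: address is not on the account's list), so an administrator can check which accounts the local_senders file would block before deploying it. The file contents, the example.com domains and the qualify_domain value are constructed stand-ins for the redacted ones in the post; the sender callout step is not modelled.

```python
from email.utils import parseaddr

# Constructed sample of /etc/exim4/local_senders, in the shape used in the post
# (the post's real domains are redacted, so example.com stands in for them).
LOCAL_SENDERS_FILE = """\
Debian-exim: :
app-server: *@appmail.example.com
root: root@mail.example.com
andyjpb: andyjpb@mail.example.com
"""
QUALIFY_DOMAIN = "mail.example.com"   # assumed value of Exim's qualify_domain


def parse_lsearch(text):
    """Parse an lsearch-style file: one 'key: value' per line, '#' lines ignored."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        table[key.strip()] = value.strip()
    return table


def address_matches(addr, pattern):
    """Subset of Exim address-list matching: an exact address or '*@domain'."""
    addr, pattern = addr.lower(), pattern.lower()
    if pattern.startswith("*@"):
        return addr.endswith(pattern[1:])
    return addr == pattern


def decide(sender_ident, sender_address, from_header, table):
    """Mirror acl_local_localhost for one submission.
    Returns ('deny', reason), ('accept', None) or ('accept', 'Sender: ...').
    The verify = sender callout in aux_verify_sender is not modelled."""
    patterns = table.get(sender_ident)
    if patterns is None:                      # ${if !eq {LOCAL_SENDERS}{}} fails
        return ("deny", "Your account is not allowed to send mail on this host!")
    if sender_address == "":                  # accept senders = :  (bounces)
        return ("accept", None)
    allowed = [p.strip() for p in patterns.split(":") if p.strip()]
    from_addr = parseaddr(from_header)[1]     # ${address:$h_From:}
    if any(address_matches(from_addr, p) for p in allowed):
        return ("accept", None)
    return ("accept", "Sender: %s@%s" % (sender_ident, QUALIFY_DOMAIN))
```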