Re: [exim] Block local submission

Author: GD
Date:  
To: exim-users
Subject: Re: [exim] Block local submission
Thanks @ndy. I learned a lot from your ACLs and from your setup. But I
think it's definitely too complex for my case, because I don't need any
authenticated user list able to send mail from the system. Only exim,
root and a few other system accounts (cron jobs).
Regards
g

On 19/07/2015 17:57, Andy Bennett wrote:
> Hi,
>
>> On a shared web hosting server with exim4 as mail server I would like to
>> prevent php applications from sending mail without authentication via
>> SMTP on localhost.
>> This is a piece of war against bugged php script suffering code-injection.
>>
>> So, because I run suPHP, each web application is run as the user
>> belonging to the application and then I had to block mail submission from
>> every local system user.
>>
>> In Postfix I achieved this result adding the rule
>> "authorized_submit_users = root, !static:all"
>> What I did with Postfix was to deny any chance to send mail via local
>> submission of any system user, except to the ones I trust in (root).
>>
>> Within Exim I tried using "trusted_users = root" in main configuration,
>> but the effect is not what I need as I read in chapter 14
>> (http://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html)
>> and in chapter 5.2 of Exim documentation.
>>
>> Can anyone point me in the right direction to achieve the same with exim4?
> Here's the ACL I use to restrict which local accounts can send mail (via
> the sendmail binary) and which addresses they can send mail from without
> a Sender: header being added:
>
> -----
> deliver_drop_privilege = true
> never_users = root
>
>
> LOCAL_SENDERS = ${lookup{$sender_ident}lsearch{/etc/exim4/local_senders}}
>
> # Envelope for local users:
> # Where lookup succeeds, senders can be set that match any pattern in the list
> untrusted_set_sender = LOCAL_SENDERS
>
> # Message headers for local users:
> local_sender_retain = false
> local_from_check = false
>
>
>
> acl_not_smtp = acl_local_localhost
>
> acl_local_localhost:
>    #warn
> #       log_message = acl_local_localhost: sender_address: $sender_address, $sender_ident, LOCAL_SENDERS.
>
>    # untrusted_set_sender ensures that accounts listed in the LOCAL_SENDERS file
>    # send from the addresses listed for them or else we add a Sender: header for
>    # them.
>    # Here we check that the sender appears in the file in order to restrict
>    # whether they are allowed to send mail at all.
>    require
>            message = "Your account is not allowed to send mail on this host ($primary_hostname)!"
>            condition = ${if !eq {LOCAL_SENDERS}{}}
>
>    require
>            verify = sender
>            acl = aux_verify_sender
>
>
>    # Ensure that anyone who is permitted to send mail is always able to send
>    # bounce messages. This should be the default but we don't want the next
>    # clause (that might add a Sender: header) to mess anything up.
>    accept
>            senders = :
>
>    # Add a Sender: header if the From address isn't on the user's list of
>    # allowed From: addresses
>    warn
>            condition = ${if !match_address{${address:$h_From:}}{LOCAL_SENDERS}}
>            log_message = acl_local_localhost: adding Sender: $sender_address
>            add_header = Sender: $sender_ident@$qualify_domain
>
>    accept
>
>
>
> # Auxiliary ACLs that are called by the others
>
> aux_verify_sender:
>    require
>            verify = sender/callout=CALLTIME,defer_ok
>
>    accept
> -----
>
>
> On non relay hosts, exim runs to allow local mail to get to the
> smarthost but we make sure we don't offer an SMTP service:
>
> -----
> acl_smtp_rcpt = acl_rcpt_localhost
>
> acl_rcpt_localhost:
>    # Be secure in case of config errors.
>    require
>            message = "No SMTP service for unauthorized users"
>            hosts   = : @[] :
>
>    deny
>            message = "No SMTP service for anyone!"
> -----
>
>
> In /etc/exim4/local_senders I have something like:
>
> -----
> $ more /etc/exim4/local_senders
> Debian-exim: :
> app-server: *@appmail.example.com
> root: root@???
> andyjpb: andyjpb@???
> -----
>
> The "Debian-exim: :" line ensures that exim can send whatever messages
> it needs to.
>
> The app-server account can send mail from any address in the
> appmail.example.com domain. This is handy for VERP stuff.
>
> It's handy to let root send mail so that its crontab entries can send
> reports.
>
> Then the list of regular users follows. For a shared server you can
> configure the sender address to something in a domain that they own
> otherwise "Sender: <username>@<qualify_domain>" is stamped on the message.
>
>
>
>
>
> Regards,
> @ndy
>
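
An added example, not part of the original thread or of Exim: a small Python model of the `acl_local_localhost` decisions quoted above, for checking what a `local_senders` file will permit before deploying it. It skips `verify = sender`, handles only literal and leading-`*` address patterns, and the sample file, `QUALIFY_DOMAIN` and all function names are constructed for illustration.

```python
QUALIFY_DOMAIN = "host.example.com"   # constructed stand-in for $qualify_domain
# Constructed sample in the /etc/exim4/local_senders format (placeholder addresses).
SAMPLE = """\
Debian-exim: :
app-server: *@appmail.example.com
root: root@host.example.com
www-data:
"""

def parse_lsearch(text):
    """Simplified lsearch: 'key: data' lines and '#' comments, no continuation lines."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, data = line.partition(":")
            table[key.strip()] = data.strip()
    return table

def part_matches(value, pattern):
    return value.endswith(pattern[1:]) if pattern.startswith("*") else value == pattern

def in_address_list(address, data):
    """Subset of Exim address-list matching: literal and leading-'*' items, caseless."""
    items = [p.strip().lower() for p in data.split(":")]
    if items and items[-1] == "":
        items.pop()                      # a trailing empty item is ignored
    for item in items:
        if item == "":
            if address == "":            # an empty item matches only the empty address
                return True
        elif "@" in item and "@" in address:
            ilocal, idomain = item.rsplit("@", 1)
            alocal, adomain = address.lower().rsplit("@", 1)
            if part_matches(alocal, ilocal) and part_matches(adomain, idomain):
                return True
    return False

def decide(table, sender_ident, envelope_sender, header_from):
    """Return (verdict, Sender: value or None) for a non-SMTP submission."""
    data = table.get(sender_ident, "")   # failed lookup expands to the empty string
    if data == "":                       # require condition = ${if !eq {LOCAL_SENDERS}{}}
        return ("reject", None)
    if envelope_sender == "":            # accept senders = :
        return ("accept", None)
    if not in_address_list(header_from, data):   # warn ... add_header = Sender: ...
        return ("accept", f"{sender_ident}@{QUALIFY_DOMAIN}")
    return ("accept", None)
TABLE = parse_lsearch(SAMPLE)
```

An account with a key but no data (`www-data:` in the sample) is rejected just like an account that is missing from the file, because both expand `LOCAL_SENDERS` to the empty string.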