Re: [exim] Block local submission

Top Pagina
Delete this message
Reply to this message
Auteur: GD
Datum:  
Aan: exim-users
Onderwerp: Re: [exim] Block local submission
Thanks @ndy. I learned a lot from your ACLs and from your setup. But I
think It's definitely too complex for my case, because I don't need any
authenticated user list able to send mail from the system. Only exim,
root and some other few system account (cron jobs).
Regards
g

On 19/07/2015 17:57, Andy Bennett wrote:
> Hi,
>
>> On a shared web hosting server with exim4 as mail server I would like to
>> prevent php applications from sending mail without authentication via
>> SMTP on localhost.
>> This is a piece of war against bugged php script suffering code-injection.
>>
>> So, because I run suPHP, each web application is run as the user
>> belonging the application and the I had to block mail submission from
>> every local system user.
>>
>> In Postfix I acheived this result adding the rule
>> "authorized_submit_users = root, !static:all"
>> What I did with Postfix was to deny any chance to send mail via local
>> submission of any system user, except to the ones I trust in (root).
>>
>> Within Exim I tried using "trusted_users = root" in main configuration,
>> but the effect is not what I need as I read in chapter 14
>> (http://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html)
>> and in chapter 5.2 of Exim documentation.
>>
>> Can anyone point me in the right direction to achieve the same with exim4?
> Here's the ACL I use to restrict which local accounts can send mail (via
> the sendmail binary) and which addresses they can send mail from without
> a Sender: header being added:
>
> -----
> deliver_drop_privilege = true
> never_users = root
>
>
> LOCAL_SENDERS = ${lookup{$sender_ident}lsearch{/etc/exim4/local_senders}}
>
> # Envelope for local users:
> # Where lookup succeeds, senders can be set that match any pattern in
> the list
> untrusted_set_sender = LOCAL_SENDERS
>
> # Message headers for local users:
> local_sender_retain = false
> local_from_check = false
>
>
>
> acl_not_smtp = acl_local_localhost
>
> acl_local_localhost:
>    #warn
> #       log_message = acl_local_localhost: sender_address:
> $sender_address, $sender_ident, LOCAL_SENDERS.

>
>    # untrusted_set_sender ensures that accounts listed in the
> LOCAL_SENDERS file
>    # send from the addresses listed for them or else we add a Sender:
> header for
>    # them.
>    # Here we check that the sender appears in the file in order to restrict
>    # whether they are allowed to send mail at all.
>    require
>            message = "Your account is not allowed to send mail on this
> host ($primary_hostname)!"
>            condition = ${if !eq {LOCAL_SENDERS}{}}

>
>    require
>            verify = sender
>            acl = aux_verify_sender

>
>
>    # Ensure that anyone who is permitted to send mail is always able to
> to send
>    # bounce messages. This should be the default but we don't want the next
>    # clause (that might add a Sender: header) to mess anything up.
>    accept
>            senders = :

>
>    # Add a Sender: header if the From address isn't on the user's list of
>    # allowed From: addresses
>    warn
>            condition = ${if
> !match_address{${address:$h_From:}}{LOCAL_SENDERS}}
>            log_message = acl_local_localhost: adding Sender: $sender_address
>            add_header = Sender: $sender_ident@$qualify_domain

>
>    accept

>
>
>
> # Auxilary ACLs that are called by the others
>
> aux_verify_sender:
>    require
>            verify = sender/callout=CALLTIME,defer_ok

>
>    accept
> -----

>
>
> On non relay hosts, exim runs to allow local mail to get to the
> smarthost but we make sure we don't offer an SMTP service:
>
> -----
> acl_smtp_rcpt = acl_rcpt_localhost
>
> acl_rcpt_localhost:
>    # Be secure in case of config errors.
>    require
>            message = "No SMTP service for unauthorized users"
>            hosts   = : @[] :

>
>    deny
>            message = "No SMTP service for anyone!"
> -----

>
>
> In /etc/exim4/local_senders I have something like:
>
> -----
> $ more /etc/exim4/local_senders
> Debian-exim: :
> app-server: *@appmail.example.com
> root: root@???
> andyjpb: andyjpb@???
> -----
>
> The "Debian-exim: :" line ensures that exim can send whatever messages
> it needs to.
>
> The app-server account can send mail from any address in the
> appmail.example.com domain. This is handy for VERP stuff.
>
> It's handy to let root send mail so that its crontab entries can send
> reports.
>
> Then the list of regular users follows. For a shared server you can
> configure the sender address to something in a domain that they own
> otherwise "Sender: <username>@<qualify_domain>" is stamped on the message.
>
>
>
>
>
> Regards,
> @ndy
>