Re: [exim] Block local submission

Author: GD
Date:  
To: exim-users
Subject: Re: [exim] Block local submission
acl_not_smtp seems to do the job.
Here is my ACL:

<--- snips --->

acl_not_smtp = acl_local_users

<--- snips --->
begin acl

acl_local_users:
   accept  condition     = ${if eq{$originator_uid}{0}}
   drop    message       = Local users can't send mail


<--- snips --->

root (UID 0) can send mail, but here below is Exim's log when trying
to send from user "www-data":

2015-07-20 16:56:38 1ZHCUd-0000zs-Kq F=<www-data@???>
rejected by non-SMTP ACL: Local users can't send mail
2015-07-20 16:56:38 1ZHCUg-0000zu-IA F=<> rejected by non-SMTP ACL:
Local users can't send mail
2015-07-20 16:56:38 1ZHCUg-0000zu-IA Error while reading message with no
usable sender address (R=1ZHCUd-0000zs-Kq): rejected by non-SMTP ACL:
Local users can't send mail
2015-07-20 16:56:38 1ZHCUd-0000zs-Kq Child mail process returned status 1

I suspect there is a more elegant way to do the job, avoiding the last 2
lines of the log, which I don't like so much (or are they normal in the Exim log?)
... But it works :)
Any other suggestion is appreciated.
Thanks!
g


On 20/07/2015 10:09, GD wrote:
> Yes, acl_not_smtp seems to be the right way. Nice suggestion, thanks!
> Of course it can't block SMTP connections, but my Exim accepts only
> authenticated users on SMTP, so it is difficult to have code injection
> so sophisticated as to use SMTP with auth.
> Why did you state that a PHP script accessing local submission via
> socket could hack the MTA? Doesn't acl_not_smtp also deal with
> that kind of connection? This is very important to me ...
> I'll try the acl_not_smtp method and read more about it to understand
> if it's enough in my case.
> Thanks for any other clue you would like to share.
> g
>
>
>
> On 19/07/2015 06:47, Jasen Betts wrote:
>> On 2015-07-17, Giuliano David <g.david@???> wrote:
>>> Hi everybody.
>>> Within Exim I tried using "trusted_users = root" in the main configuration,
>>> but the effect is not what I need, as I read in chapter 14
>>> (http://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html)
>>>
>>> and in chapter 5.2 of the Exim documentation.
>> on *nix PHP's mail() function sends email via local
>> submission ( /var/lib/sendmail )
>>
>>> Can anyone point me in the right direction to achieve the same with
>>> exim4?
>> Exim's default config is to accept all local senders, but that's
>> easily fixed.
>>
>> # in the main section:
>>
>>     acl_not_smtp = acl_local
>>
>> # in the ACL section:
>> # order of ACLs is not significant, just insert this at the head of
>> # that section.
>>
>> acl_local:
>>
>> accept
>>    authenticated = root:exim
>> # the list here should include the username exim runs under, else
>> # bounce messages won't be generated successfully, and failed emails
>> # will be retried indefinitely..
>>
>> deny
>>
>>
>> # that's all the configuration needed.
>>
>> if the rogue PHP is instead opening a socket to localhost:smtp or
>> localhost:submission,
>> also do as suggested previously by others.
>>
>
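The two extra log lines in the thread above ("F=<> rejected by non-SMTP ACL" and "Error while reading message with no usable sender address") come from the bounce that Exim itself tries to generate for the rejected www-data message: the bounce is submitted locally by the Exim user, so the same non-SMTP ACL refuses it. The configuration below is an added example, not code from the thread or from the Exim project; it combines GD's `$originator_uid` check with Jasen's advice to also allow the Exim user, using Exim's `$exim_uid` expansion variable so the Debian-exim (or other distro) uid does not have to be hard-coded. The ACL name and the `log_message` wording are assumptions of this example.

```exim
# Added example (not from the thread): restrict local submission to root
# and the Exim user. Placement of the main-section option versus the
# "begin acl" section follows a monolithic exim config; on Debian's
# split config put the two parts in the corresponding conf.d files.

# main section
acl_not_smtp = acl_local_users

begin acl

acl_local_users:
  # root may submit (cron jobs, admin scripts).
  accept  condition   = ${if eq{$originator_uid}{0}}

  # The Exim user generates bounces and delay warnings as local
  # submissions. Without this line the bounce for a rejected message is
  # itself rejected, which produces the "no usable sender address" and
  # "Child mail process returned status 1" log lines seen in the thread.
  accept  condition   = ${if eq{$originator_uid}{$exim_uid}}

  # Everybody else (e.g. www-data running PHP mail() through the
  # sendmail binary) is refused. In a non-SMTP ACL "drop" is treated as
  # "deny", so "deny" is used directly. log_message records who tried,
  # which is what you want in the mainlog when hunting a compromised
  # web application.
  deny    message     = Local users can't send mail
          log_message = local submission refused: uid=$originator_uid sender=<$sender_address>
```

This only governs messages that arrive through the command line (the sendmail interface). A script that opens a TCP socket to port 25 or 587 is handled by the SMTP ACLs (`acl_smtp_rcpt`, `acl_smtp_data`) and by the authenticator configuration, exactly as the earlier replies in the thread point out, so both paths need to be closed for the restriction to mean anything.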