SMTP AUTH help
Mirna Ramirez-Hennessey
Posted: Tue Jul 18, 2006 2:43 pm    Subject: Re: exipick

Yes, they are all still in my queue... if I do an exim -bp I get A LOT of
them... thanks again for your input, man, I've got lots to learn :)

-----Original Message-----
From: jetmore@wembley.cinergycom.net
[mailto:jetmore@wembley.cinergycom.net] On Behalf Of John Jetmore
Sent: Tuesday, July 18, 2006 10:40 AM
To: Mirna Ramirez-Hennessey
Cc: exim-users@exim.org
Subject: RE: exipick


Are these messages still in your queue? Do they show up in the output
of 'exim -bp'? If not, you'll have to get the information out of the
logs.

If they are still in the queue, you'll have to play around with exipick
yourself to figure out how to identify them. You can capture mail from
the two domains like this:

exipick '$sender_address_domain =~ /^(domain1|domain2)$/'

but that still doesn't single out "failed" or "undeliverable" messages.

--John

On Tue, 18 Jul 2006, Mirna Ramirez-Hennessey wrote:

Quote:
Thanks, John, for your input. I am looking for failed messages sent from
two of our domains (as we have many). Sender is not important, nor is
the recipient... however, I do need to know the recipient for logging
purposes.

mrh

-----Original Message-----
From: John Jetmore [mailto:jetmore@cinergycom.com]
Sent: Tuesday, July 18, 2006 10:15 AM
To: Mirna Ramirez-Hennessey
Cc: exim-users@exim.org
Subject: Re: exipick

On Tue, 18 Jul 2006, Mirna Ramirez-Hennessey wrote:

Was wondering if you can help me :-0 I am new with Exim and I am
trying to get a listing of all undeliverable messages, then pass
them over to an SQL SP. I have looked at the exipick command and
it looks like I can probably do that through it... but I am still not
sure how I can accomplish this. Any thoughts?

"Undeliverable" is not a concept exipick understands; it can only test
things that are present in an Exim message's queue file. So, can you
identify the messages using that information somehow? Do you only
want messages from a certain sender? To a certain recipient? Older
than a certain age? Perhaps only messages that have had at least one
delivery attempt? Perhaps messages that are frozen? You'll need to
figure out yourself how to identify the messages you need.

You will get better results by asking them on exim-users@exim.org,
which has a much deeper pool of knowledge on Exim in general and which
I also read. Copying the list with this response.

--John



--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
John Jetmore
Posted: Tue Jul 18, 2006 2:39 pm    Subject: Re: exipick

Are these messages still in your queue? Do they show up in the output of
'exim -bp'? If not, you'll have to get the information out of the logs.

If they are still in the queue, you'll have to play around with exipick
yourself to figure out how to identify them. You can capture mail from
the two domains like this:

exipick '$sender_address_domain =~ /^(domain1|domain2)$/'

but that still doesn't single out "failed" or "undeliverable" messages.

--John

On Tue, 18 Jul 2006, Mirna Ramirez-Hennessey wrote:

Quote:
Thanks, John, for your input. I am looking for failed messages sent from
two of our domains (as we have many).
Sender is not important, nor is the recipient... however, I do need to
know the recipient for logging purposes.

mrh

-----Original Message-----
From: John Jetmore [mailto:jetmore@cinergycom.com]
Sent: Tuesday, July 18, 2006 10:15 AM
To: Mirna Ramirez-Hennessey
Cc: exim-users@exim.org
Subject: Re: exipick

On Tue, 18 Jul 2006, Mirna Ramirez-Hennessey wrote:

Was wondering if you can help me :-0 I am new with Exim and I am
trying to get a listing of all undeliverable messages, then pass them
over to an SQL SP. I have looked at the exipick command and it looks
like I can probably do that through it... but I am still not sure how I can
accomplish this. Any thoughts?

"Undeliverable" is not a concept exipick understands; it can only test
things that are present in an Exim message's queue file. So, can you
identify the messages using that information somehow? Do you only want
messages from a certain sender? To a certain recipient? Older than a
certain age? Perhaps only messages that have had at least one delivery
attempt? Perhaps messages that are frozen? You'll need to figure out
yourself how to identify the messages you need.

You will get better results by asking them on exim-users@exim.org, which
has a much deeper pool of knowledge on Exim in general and which I also
read. Copying the list with this response.

--John



--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
Back to top
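John's point is that "undeliverable" has to be translated into something that is actually visible on the queue: frozen status, age, delivery attempts, sender domain. The shell function below is an added example, not part of the thread and not exipick itself: it applies one such translation (frozen, and envelope sender in one of the given domains) to the text that `exim -bp` prints, and emits every recipient that has not yet been delivered as `msgid<TAB>sender<TAB>recipient`, which is the recipient information Mirna says she needs for logging and which can be loaded into a table for the stored procedure. The queue listing and the domain names are constructed for the example; the same selection can be expressed to exipick directly as `exipick '$deliver_freeze' '$sender_address_domain =~ /^(domain1|domain2)$/'`, with the domains adjusted.

```shell
#!/bin/sh
# Added example (not from the thread, not exipick): filter "exim -bp" output.
#
# "exim -bp" prints, per message (see the Exim spec's description of -bp):
#   <age> <size> <message-id> <sender> [*** frozen ***]
#   one indented recipient per line, prefixed with "D" once delivered
#   a blank line

queue_failed_from() {
    # $1: space-separated envelope-sender domains to select, matched exactly
    #     (case-insensitive), e.g. 'domain1.example domain2.example'
    # stdin:  output of "exim -bp"
    # stdout: msgid<TAB>sender<TAB>recipient for every undelivered recipient
    #         of a frozen message whose sender is in one of those domains
    awk -v list="$1" '
    BEGIN { n = split(list, d, " "); for (i = 1; i <= n; i++) want[tolower(d[i])] = 1 }
    # Message header line: age, size, message id, <sender>, optional frozen marker.
    /^ *[0-9]+[smhd] +[0-9.]+[KMG]? +[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+ </ {
        id = $3
        sender = $4; sub(/^</, "", sender); sub(/>$/, "", sender)
        dom = sender; sub(/^.*@/, "", dom)      # empty for bounces ("<>")
        frozen = ($0 ~ /\*\*\* frozen \*\*\*/)
        keep = frozen && (tolower(dom) in want)
        next
    }
    # A blank line closes the message block.
    /^[ \t]*$/ { keep = 0; next }
    # Recipient lines of a selected message; "D" marks ones already delivered.
    keep && $1 != "D" { print id "\t" sender "\t" $1 }
    '
}

# Constructed sample listing (not real queue data) so the example runs offline.
sample_queue() {
    cat <<'EOF'
 25m  2.9K 1G2abc-0001Zx-Kq <alice@domain1.example>
          bob@remote.example

  3d   12K 1G2def-0002Ab-7f <carol@domain2.example> *** frozen ***
        D dave@domain1.example
          erin@elsewhere.example
          frank@elsewhere.example

  2h  512 1G2ghi-0003Cd-Xy <mallory@other.example> *** frozen ***
          grace@domain1.example

  1d  1.1K 1G2jkl-0004Ef-Tz <> *** frozen ***
          heidi@domain1.example
EOF
}

# With a live queue: exim -bp | queue_failed_from 'domain1.example domain2.example'
sample_queue | queue_failed_from 'domain1.example domain2.example'
```

Only the second message survives the filter: the first is not frozen, the third has a sender outside the two domains, and the fourth is a bounce with an empty sender. The delivered recipient of the second message (`D dave@...`) is dropped, leaving two rows.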
Mirna Ramirez-Hennessey
Posted: Tue Jul 18, 2006 2:30 pm    Subject: Re: exipick

Thanks, John, for your input. I am looking for failed messages sent from
two of our domains (as we have many).
Sender is not important, nor is the recipient... however, I do need to
know the recipient for logging purposes.

mrh

-----Original Message-----
From: John Jetmore [mailto:jetmore@cinergycom.com]
Sent: Tuesday, July 18, 2006 10:15 AM
To: Mirna Ramirez-Hennessey
Cc: exim-users@exim.org
Subject: Re: exipick

On Tue, 18 Jul 2006, Mirna Ramirez-Hennessey wrote:

Quote:
Was wondering if you can help me :-0 I am new with Exim and I am
trying to get a listing of all undeliverable messages, then pass them
over to an SQL SP. I have looked at the exipick command and it looks
like I can probably do that through it... but I am still not sure how I can
accomplish this. Any thoughts?

"Undeliverable" is not a concept exipick understands; it can only test
things that are present in an Exim message's queue file. So, can you
identify the messages using that information somehow? Do you only want
messages from a certain sender? To a certain recipient? Older than a
certain age? Perhaps only messages that have had at least one delivery
attempt? Perhaps messages that are frozen? You'll need to figure out
yourself how to identify the messages you need.

You will get better results by asking them on exim-users@exim.org, which
has a much deeper pool of knowledge on Exim in general and which I also
read. Copying the list with this response.

--John

John Jetmore
Posted: Tue Jul 18, 2006 2:14 pm    Subject: Re: exipick

On Tue, 18 Jul 2006, Mirna Ramirez-Hennessey wrote:

Quote:
Was wondering if you can help me :-0 I am new with Exim and I am trying
to get a listing of all undeliverable messages, then pass them over to
an SQL SP. I have looked at the exipick command and it looks like I can
probably do that through it... but I am still not sure how I can accomplish
this. Any thoughts?

"Undeliverable" is not a concept exipick understands; it can only test
things that are present in an Exim message's queue file. So, can you
identify the messages using that information somehow? Do you only want
messages from a certain sender? To a certain recipient? Older than a
certain age? Perhaps only messages that have had at least one delivery
attempt? Perhaps messages that are frozen? You'll need to figure out
yourself how to identify the messages you need.

You will get better results by asking them on exim-users@exim.org, which
has a much deeper pool of knowledge on Exim in general and which I also
read. Copying the list with this response.

--John

Mike Cardwell
Posted: Fri Jul 14, 2006 1:49 pm    Subject: Re: Restricting a user's email destinations?

* on the Fri, Jul 14, 2006 at 09:33:43PM +0800, W B Hacker wrote:

Quote:
Can you give an example please, because I don't get exactly how you
think this could happen...
'Could happen' ??

We've done it for *years* with a python module as a regular service for a CMS.

Acts like a remote-controlled MUA, not the normal webmail client, as it uses
non-local smtp, pop, imap resources.

Lynx / lynx-ssl text-mode browser is another way - one you can try for yourself
really easily.

lynx http(s)://<your remote webmail account URI>

Then you're not sending mail from the local server, you're making http
requests from the local server instead. You're actually sending mail
from the remote server... I don't think what you've just described fits
with what thane is/was trying to restrict.

Quote:
As said, restricting *Exim* as to destinations is not hard.

Preventing general misbehaviour originating on your own server that might get
your IP blacklisted is a little more difficult. IPFW / IPF / iptables can help.

Preventing users from sending mail entirely, or otherwise restricting them to a
sub-set of destinations is a *lot* harder if you need to support a variety of
services on the same box.

I don't think it is hard. I've managed it successfully on a large shared
hosting web farm. It just requires some thought and planning.

Mike

Bill Hacker
Posted: Fri Jul 14, 2006 1:33 pm    Subject: Re: Restricting a user's email destinations?

Mike Cardwell wrote:

Quote:
Can you give an example please, because I don't get exactly how you
think this could happen...

'Could happen' ??

We've done it for *years* with a python module as a regular service for a CMS.

Acts like a remote-controlled MUA, not the normal webmail client, as it uses
non-local smtp, pop, imap resources.

Lynx / lynx-ssl text-mode browser is another way - one you can try for yourself
really easily.

lynx http(s)://<your remote webmail account URI>

There are others.

As said, restricting *Exim* as to destinations is not hard.

Preventing general misbehaviour originating on your own server that might get
your IP blacklisted is a little more difficult. IPFW / IPF / iptables can help.

Preventing users from sending mail entirely, or otherwise restricting them to a
sub-set of destinations is a *lot* harder if you need to support a variety of
services on the same box.

Bill


Mike Cardwell
Posted: Fri Jul 14, 2006 1:00 pm    Subject: Re: Restricting a user's email destinations?

* on the Fri, Jul 14, 2006 at 08:42:45PM +0800, W B Hacker wrote:

Quote:
At least? We've already determined that exim is the only user that can
now make outgoing port 25 connections. So surely the only way you can
invoke exim to send an email is by connecting to it via a tcp
connection, or running the exim binary... What's the third method of
sending an email using exim...
If the object of the exercise is to prevent shell users from sending *only* via
Exim, that can be done entirely within Exim.

Your rule is far more useful, thank you.

But do not presume that by itself it is enough to *categorically* prevent a
shell account holder, or even a Zope/Plone/other feature-rich CMS user *without*
shell privileges, from transmitting a message from the server.

You have to close every port above 1024 and/or not already bound to by a
privileged daemon, and when you do *that* one wonders how happy your own MTA is
going to be when it tries to send to another MTA.

Can you give an example please, because I don't get exactly how you
think this could happen...

Quote:
*snip* (identd)
and usually brings more headache than relief.
It does? It's one of the simplest services you can have installed. It
just works...
...and has a nasty history of server exploits. Enough so that attempts continue,
even if they have been fixed.
Log or tcpdump activity on your identd port sometime and see how much garbage
load your link (and stack, and CPU, and other resources) now have to deal with.

I was talking about an identd server that would be queried locally. This
would of course be firewalled out of remote access. You could even
prevent any local user from talking to it other than exim, using a
similar iptables rule to the one I specified earlier... Now that's going
to be secure for most.

Quote:
At the end of the day, Exim rulesets can restrict 'proper' users to specific
destinations and/or prohibit specific destinations.
But the 'challenge' remains that a shell account holder who has either the
ability to install and use executables or even to simply access telnet, can
connect to a destination server without ever touching Exim.
Nope. That's what my iptables rule prevents.
OK. I can top that.
"I believe you."
And that IS a bigger lie...

Like I said earlier "man iptables"

Mike

Bill Hacker
Posted: Fri Jul 14, 2006 12:42 pm    Subject: Re: Restricting a user's email destinations?

Mike Cardwell wrote:

Quote:
* on the Fri, Jul 14, 2006 at 07:09:51AM +0800, W B Hacker wrote:

*snip*
There are at least

At least? We've already determined that exim is the only user that can
now make outgoing port 25 connections. So surely the only way you can
invoke exim to send an email is by connecting to it via a tcp
connection, or running the exim binary... What's the third method of
sending an email using exim...

If the object of the exercise is to prevent shell users from sending *only* via
Exim, that can be done entirely within Exim.

Your rule is far more useful, thank you.

But do not presume that by itself it is enough to *categorically* prevent a
shell account holder, or even a Zope/Plone/other feature-rich CMS user *without*
shell privileges, from transmitting a message from the server.

You have to close every port above 1024 and/or not already bound to by a
privileged daemon, and when you do *that* one wonders how happy your own MTA is
going to be when it tries to send to another MTA.

*snip* (identd)
Quote:
and usually brings more headache than relief.

It does? It's one of the simplest services you can have installed. It
just works...

...and has a nasty history of server exploits. Enough so that attempts continue,
even if they have been fixed.

Log or tcpdump activity on your identd port sometime and see how much garbage
load your link (and stack, and CPU, and other resources) now have to deal with.

Quote:
- properly configured, authentication should be required for any traffic not
destined for on-host users. Non-authenticated smtp traffic addressed to off-host
destinations should be treated as unauthorized relay attempts.

Sounds just like my suggestion. Except yours requires each email client
to use authenticated smtp.

MUAs on 587 and such, yes. As RFC and good practice recommends.

Peer MTAs incoming on 25, not (necessarily).

Quote:
At the end of the day, Exim rulesets can restrict 'proper' users to specific
destinations and/or prohibit specific destinations.

But the 'challenge' remains that a shell account holder who has either the
ability to install and use executables or even to simply access telnet, can
connect to a destination server without ever touching Exim.

Nope. That's what my iptables rule prevents.

OK. I can top that.

"I believe you."

And that IS a bigger lie...

;-)

Bill



Mike Cardwell
Posted: Fri Jul 14, 2006 12:19 pm    Subject: Re: Restricting a user's email destinations?

* on the Fri, Jul 14, 2006 at 07:55:11PM +0800, W B Hacker wrote:

Quote:
The OP seeks to block users from sending to external destinations.
More things have to be done to accomplishing that than the rule shown.

True I suppose. If someone decides to run their mail server on port
1234, then the user will be able to connect to it and send mail to it.
I'll leave it up to the original poster to decide whether that's even an
issue.

Mike

Mike Cardwell
Posted: Fri Jul 14, 2006 12:10 pm    Subject: Re: Restricting a user's email destinations?

* on the Fri, Jul 14, 2006 at 07:09:51AM +0800, W B Hacker wrote:

Quote:
iptables -t nat -A OUTPUT -p tcp --dport 25 -d ! 127.0.0.1 -m owner ! --uid-owner exim -j DNAT --to-destination 127.0.0.1
Someone might find that useful...

The intent is good, but that specific rule is not necessary on Unix, nor will it
block outbound traffic.

- ports below 1024 are reserved to 'root' anyway.

- an(y) MTA running as a daemon will have been given that port (by initial
invocation as root).

- once a daemon has bound to port 25, the next entity (even root) that attempts
to bind to it will be denied. Demo this by manually attempting to invoke Exim a
second time, and tailing /var/log/messages, /var/log/maillog,
/var/log/exim/paniclog (wherever you are logging).

But perhaps most of all - an MTA ordinarily *listens* on port 25, and initiates
outbound smtp on ports above 1024.

And w/r user-installed mailing code - any port that they can get the use of
will do.

I'll presume you have a rule elsewhere that blocks that.

What you've just described there doesn't bear any resemblance to what
the iptables rule I wrote does. "man iptables" should help.

Quote:
As for limiting which addresses can be emailed by certain users, you
should be able to do this in the acl's.
- and routers

Routers would probably be better actually yes. That way you don't have
to deal with multiple recipients in the non smtp acl.

Quote:
There are
at least

At least? We've already determined that exim is the only user that can
now make outgoing port 25 connections. So surely the only way you can
invoke exim to send an email is by connecting to it via a tcp
connection, or running the exim binary... What's the third method of
sending an email using exim...

Quote:
two ways they could
send the email, either by calling the exim binary directly, or by making
a local connection to port 25. There are different ways to identify the
sending user in both circumstances.
Careful crafting of the exim setup can prevent 'smtp incoming' from other ports
on your own IP, and control non-smtp as well - long before acl's come into play.
Careful crafting of routers, with or without acl aid, can add to that control.

Yes it could I suppose. But I don't get how that's a response to my
text, or how it's related to the problem in question...

Quote:
If the sending is being done by calling the exim binary directly, you
can access the user's uid inside $caller_uid.
If the sending is being done by the user connecting to port 25 locally,
you should install an identd server and use $sender_ident
An identd is not required,

Er... I suppose you could force the use of asmtp. Installing an identd
daemon seems the easiest way though.

Quote:
and usually brings more headache than relief.

It does? It's one of the simplest services you can have installed. It
just works...

Quote:
- properly configured, authentication should be required for any traffic not
destined for on-host users. Non-authenticated smtp traffic addressed to off-host
destinations should be treated as unauthorized relay attempts.

Sounds just like my suggestion. Except yours requires each email client
to use authenticated smtp.

Quote:
At the end of the day, Exim rulesets can restrict 'proper' users to specific
destinations and/or prohibit specific destinations.

But the 'challenge' remains that a shell account holder who has either the
ability to install and use executables or even to simply access telnet, can
connect to a destination server without ever touching Exim.

Nope. That's what my iptables rule prevents.

Mike

Bill Hacker
Posted: Fri Jul 14, 2006 11:55 am    Subject: Re: Restricting a user's email destinations?

Mike Cardwell wrote:

Quote:
* on the Fri, Jul 14, 2006 at 09:39:56AM +0800, W B Hacker wrote:

iptables -t nat -A OUTPUT -p tcp --dport 25 -d ! 127.0.0.1 -m owner ! --uid-owner exim -j DNAT --to-destination 127.0.0.1
Someone might find that useful...

The intent is good, but that specific rule is not necessary on Unix, nor will it
block outbound traffic.

I think you are misreading what that line does. It redirects outbound
traffic destined to port 25 to localhost port 25. It does not address
what port the query comes from.

I understand what it *attempts* to accomplish.

Attempts and succeeds...

...in preventing a user from reaching port 25 on a remote host, yes.

In preventing a user from sending mail, no, not by itself, it doesn't.

*snip*

Quote:
... How is this related to the
initial requirements stated at the beginning of this thread?

Mike

The OP seeks to block users from sending to external destinations.

More things have to be done to accomplish that than the rule shown.

Bill






Mike Cardwell
Posted: Fri Jul 14, 2006 11:42 am    Subject: Re: Restricting a user's email destinations?

* on the Fri, Jul 14, 2006 at 09:39:56AM +0800, W B Hacker wrote:

Quote:
iptables -t nat -A OUTPUT -p tcp --dport 25 -d ! 127.0.0.1 -m owner ! --uid-owner exim -j DNAT --to-destination 127.0.0.1
Someone might find that useful...
The intent is good, but that specific rule is not necessary on Unix, nor will it
block outbound traffic.
I think you are misreading what that line does. It redirects outbound
traffic destined to port 25 to localhost port 25. It does not address
what port the query comes from.
I understand what it *attempts* to accomplish.

Attempts and succeeds...

Quote:
Server security would be required to also prevent disabling the rule, either by
deletion, insertion of a pass or workaround earlier in the ruleset, or killing
the process that runs the firewall.

Erm. The people he's trying to block from emailing remote accounts are
only normal system users as far as I understand... They don't have
root... "Server security would be required" - That's a given isn't it? A
normal user can't modify iptables rules...

Quote:
Better if it were on an external firewall.

Probably yes. But also, probably not necessary.

Quote:
It also does not block pointing to a far-end submission port,

So add a similar rule for port 587...

Quote:
nor can we be certain that a distant server will not accept local delivery without
auth on such a port.

No idea what you're talking about here. How is this related to the
initial requirements stated at the beginning of this thread?

Mike

Graeme Fowler
Posted: Fri Jul 14, 2006 8:28 am    Subject: Re: Restricting a user's email destinations?

On 14/07/2006 02:39, W B Hacker wrote:
Quote:
I understand what it *attempts* to accomplish.

...but by quibbling over it you're demonstrating that the obverse may be
true (from an understanding perspective). I've seen it in use, and it
*does* accomplish what it sets out to do, namely it prevents any user on
that system except the Exim user making outbound calls to port 25 on a
remote host. On a fairly generic web hosting platform it covers a
multitude of possible user sins by allowing very fine-grained control of
outbound mail; the system in question has been subject to an awful lot
of spam nastiness in the past because users insist on uploading scripts
(Perl, PHP) which don't sanitise input properly (or have many other
variant possibilities) and end up being abused by spammers.

Quote:
Server security would be required to also prevent disabling the rule, either by
deletion, insertion of a pass or workaround earlier in the ruleset, or killing
the process that runs the firewall.

All three options require root on the system (or privilege escalation).
In that case, all bets are off anyway - it would be relatively trivial
at that point to reconfigure almost any part of the system, Exim
included, to push email out. And killing "the process that runs the
firewall" would result in instant system death, being as iptables is
simply a userland interface to the kernel's netfilter functionality
(this being a Linux system). I suppose on other OSes things may be
different, but the same rule applies that if someone's "got root" you
might as well either pack up and go home, or turn the machine off.

Quote:
Better if it were on an external firewall.

That I can agree with to a point, however where would you then run the
receiving MTA? Certainly not on the external firewall as it would then
become a bottleneck; also running another service on an external
firewall is loose, if not bad, design. In my opinion, obviously; other
opinions are available, and no doubt will be!

Quote:
It also does not block pointing to a far-end submission port, nor can we be
certain that a distant server will not accept local delivery without auth on
such a port.

I think Mike was simply pointing out the "default" case. Stating that it
doesn't do something it isn't designed to do is a rather fallacious
argument, IMO. It's easy to extend it to cover other ports (465,587).


Graeme

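Graeme's remark that the rule is easy to extend to 465 and 587 is straightforward to carry out. The script below is an added example, not code from the thread: it generates Mike's owner-match redirect for ports 25, 465 and 587, writes the negation the way current iptables wants it (`! -d 127.0.0.1`; the `-d ! 127.0.0.1` form in the original one-liner is flagged as deprecated), and adds a filter-table fallback so that flushing the nat table does not silently reopen egress. It assumes Exim runs as the user `exim` and listens on 127.0.0.1 on each of those ports, so a redirected connection still arrives in front of Exim's ACLs (authentication, identd, router restrictions) where the per-user policy lives. The `dry_run` printer, the `MTA_USER`/`MAIL_PORTS` variables and the REJECT rules are additions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): Mike Cardwell's owner-match egress rule,
# generated for the SMTP, SMTPS and submission ports, plus a filter-table fallback.
MTA_USER="${MTA_USER:-exim}"          # assumption: Exim's run-time user is "exim"
MAIL_PORTS="${MAIL_PORTS:-25 465 587}" # assumption: Exim listens locally on all three

# Default "executor": print the rule instead of installing it.
dry_run() { printf '%s\n' "$*"; }

# mail_egress_rules [command]
#   Emits one nat/OUTPUT DNAT rule and one filter/OUTPUT REJECT rule per port,
#   each passed as arguments to "command" (dry_run to print, iptables to apply).
mail_egress_rules() {
    ipt="${1:-dry_run}"
    for port in $MAIL_PORTS; do
        # nat/OUTPUT is consulted before filter/OUTPUT for locally generated
        # packets: connections to a remote mail port from any uid other than the
        # MTA's are rewritten to 127.0.0.1 (same port, since no port is given),
        # i.e. handed to the local Exim listener and its ACLs.
        "$ipt" -t nat -A OUTPUT -p tcp --dport "$port" ! -d 127.0.0.1 \
            -m owner ! --uid-owner "$MTA_USER" \
            -j DNAT --to-destination 127.0.0.1
    done
    for port in $MAIL_PORTS; do
        # Fallback: after the DNAT above the destination is 127.0.0.1, so this
        # never fires in normal operation. If the nat rule is removed or flushed,
        # the connection is reset rather than reaching the remote host.
        "$ipt" -A OUTPUT -p tcp --dport "$port" ! -d 127.0.0.1 \
            -m owner ! --uid-owner "$MTA_USER" \
            -j REJECT --reject-with tcp-reset
    done
}

# Dry run: show the rules that "mail_egress_rules iptables" would install.
mail_egress_rules dry_run
```

Install with `mail_egress_rules iptables` as root and check with `iptables -t nat -L OUTPUT -v -n`; from an unprivileged shell, `nc -v <remote mx> 25` should then produce the local Exim banner rather than the remote one. Note that `! --uid-owner exim` matches root-owned processes as well, so cron jobs or admin scripts that speak SMTP directly are redirected too; Exim's own remote deliveries are unaffected because its delivery processes run as the Exim user.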
Bill Hacker
Posted: Fri Jul 14, 2006 1:39 am    Subject: Re: Restricting a user's email destinations?

Stephen Gran wrote:
Quote:
On Fri, Jul 14, 2006 at 07:09:51AM +0800, W B Hacker said:

Mike Cardwell wrote:

iptables -t nat -A OUTPUT -p tcp --dport 25 -d ! 127.0.0.1 -m owner ! --uid-owner exim -j DNAT --to-destination 127.0.0.1

Someone might find that useful...

The intent is good, but that specific rule is not necessary on Unix, nor will it
block outbound traffic.


I think you are misreading what that line does. It redirects outbound
traffic destined to port 25 to localhost port 25. It does not address
what port the query comes from.

I understand what it *attempts* to accomplish.

Server security would be required to also prevent disabling the rule, either by
deletion, insertion of a pass or workaround earlier in the ruleset, or killing
the process that runs the firewall.

Better if it were on an external firewall.

It also does not block pointing to a far-end submission port, nor can we be
certain that a distant server will not accept local delivery without auth on
such a port.

Bill


Stephen Gran
Posted: Thu Jul 13, 2006 11:28 pm    Subject: Re: Restricting a user's email destinations?

On Fri, Jul 14, 2006 at 07:09:51AM +0800, W B Hacker said:
Quote:
Mike Cardwell wrote:

iptables -t nat -A OUTPUT -p tcp --dport 25 -d ! 127.0.0.1 -m owner ! --uid-owner exim -j DNAT --to-destination 127.0.0.1

Someone might find that useful...

The intent is good, but that specific rule is not necessary on Unix, nor will it
block outbound traffic.

I think you are misreading what that line does. It redirects outbound
traffic destined to port 25 to localhost port 25. It does not address
what port the query comes from.
--
Stephen Gran                    "Survey says..." -- Richard Dawson,
steve@lobefin.net               weenie, on "Family Feud"
http://www.lobefin.net/~steve
