Eli wrote: > > Really? How is that exactly? When a CGI script (Perl let's say) > runs and sends out a piece of email... I have absolutely no "catch" > I can perform aside from writing a wrapper script for my "sendmail" > program (but what's to stop them and find out where Exim is installed > and do a direct call that way) to be able to track what domain it > came from, what script called it, or anything else for that matter.
So you don't control the scripts that run on the machine? Well, you're pretty screwed, then -- with the env patch, they could just change the environment before calling sendmail, if they want to. So a wrapper script is exactly what I'd suggest in that case; it does the job when someone is not trying to attack you, and is no less safe than your existing solution when they are. You could put a deny in the non-smtp ACL that won't allow any mail to be sent unless the macros are set, but that still doesn't protect you against someone explicitly calling the exim binary with -D's faked with incorrect values. > As far as I know, the patch I have *is* the only way to truly > accomplish what you need to 100% track sent email from a local > webserver. Unless someone knows how to use setenv(3) in their calling code. :) > Please provide working examples if you know ways to do this without > the patch - I don't really like having to maintain/use a patch if > it's not required. Um, please provide a signed consulting contract? I think I've given you plenty to go on. - Marc -- ## List details at http://www.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
