* on the Tue, Feb 21, 2006 at 12:06:52PM +0800, W B Hacker wrote:
>> The environment this is running in sounds very different to yours.
>> The machines are actually web servers, not mail servers. Exim
>> isn't even running as a daemon. The only reason exim is on there
>> is so people can send emails from forms. UIDs on the system are
>> mapped to usernames via an ldap connection to the Active
>> Directory. When someone runs their (hopefully safe) copy of
>> formmail.cgi etc they run under a suexec style system so the
>> process runs as their own user. At the normal user level they
>> don't have access to query the AD. Is this starting to look more
>> clear?
> I now understand how. I think I understand what for.
>
> 'Why Exim' for mere submission of outbound traffic to a foreign
> host, and only from a 'known in advance' list/DB of permitted
> users, still escapes me. If that is actually the 'what'.
>
> Unless Exim is *also* (but separately) installed to handle
> other-than formmail traffic, the whole exercise strikes me as a
> bit like potting rabbits with a 16-inch-fifty. Even with free
> ammunition, the cost of positioning and aiming the piece is too
> great for the gain.
>
> One could use a <language of your choice> tool and no 'full
> spec' MTA at all. Or do specialized relay through a single
> remote Exim you control for many-many webservers.

People commonly call /usr/sbin/sendmail from their scripts. The plan for the entire exercise was to do a "yum install exim" and leave them to it. That's not a lot of work.

There was one problem. That being exim refused to send the mail because it couldn't figure out the username. So I had a look for workarounds that wouldn't mean exposing the AD to normal users. Couldn't find one, so emailed the exim mailing list. After some more googling, I found the answer myself.

I've probably devoted more time to signing up to the list, emailing it and justifying the method, than I actually spent finding the solution, so it's not overkill at all.

By the way Exim on the webheads does immediately shunt the mail to a smarthost already.

If there is a more lightweight tool, that is faster to install, will take mail from the command line using the same arguments as sendmail and will forward all mail onto a smarthost, than exim, please let me know and I'll use that instead.

> Or (my preference) no mail services of any kind on the box,
> write the form output to a quarantined file area, and collect
> them if-exist and/or at-intervals by file transfer. Or
> interested parties login and read/download them via browser,
> wiki/forum style.
> Keeps 'em off the public smtp roads entirely.

Most form to mail style scripts take advantage of /usr/sbin/sendmail. We would need to support that. We could always have written a script which takes mail from there and then puts it in a quarantined area and then sends it later, but there's no advantage to that.

Mike

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
