Marc Perkel wrote:
> I'm trying to prevent hackers who might get in from being able to send
> email if they manage to hack me. I want it so that unless they are
> specific users that they have no rights to connect to port 25 or run exim.
Does this machine receive email? If not, then the solution is simple:

1) decide on a smarthost (another machine) to accept mail from this IP/machine (ie relay). This machine could run Exim in normal mode.

2) configure Apache and Exim sending to use that smarthost, and only allow root or apache to use Exim. However, I would recommend using something like 'msmtp' instead of Exim to provide outgoing mail only (http://msmtp.sourceforge.net/) and not listen on port 25; it's not needed.

3) use iptables to block any outgoing SMTP (ports 25, 465, 587) to any machine other than the smarthost you decided on above. (see http://oceanpark.com/notes/firewall_example.html)

Of course, if you need to receive mail on this machine then life is that much more complicated, but still using a smarthost and iptables together is your best chance at success. However, a hacker would most likely run the receiving SMTP server on an unusual port, so you might have to use a more hardcore iptables setup (ie disallow all outbound traffic instead of what's needed).

hth,
-te

-- 
Troy Engel | Systems Engineer
Fluid, Inc | http://www.fluid.com

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
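The three steps above (smarthost, msmtp for outbound only, iptables blocking SMTP to anything but the smarthost) as one worked example. This is added illustration, not code from the thread or from Troy Engel; the smarthost address (a TEST-NET placeholder), the local user names root and apache, and the msmtp account values are assumptions. The functions emit the rules and config as text so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not part of the thread: generate the egress firewall rules
# and the msmtp configuration for the smarthost-only design in the reply.
# Assumptions (placeholders): SMARTHOST is a TEST-NET address, the local
# mail-sending accounts are root and the web server user "apache".

SMTP_PORTS="25,465,587"

# Emit iptables commands (as text, for review) that let only the smarthost
# be reached on SMTP ports, and only from the listed local users. Anything
# else is rate-limit logged and rejected; the log line is the signal that
# some process on the box is trying to send mail it should not.
smtp_egress_rules() {
    host="$1"; shift
    echo "iptables -N SMTP_EGRESS"
    echo "iptables -A OUTPUT -p tcp -m multiport --dports $SMTP_PORTS -j SMTP_EGRESS"
    for u in "$@"; do
        echo "iptables -A SMTP_EGRESS -d $host -p tcp -m multiport --dports $SMTP_PORTS -m owner --uid-owner $u -j ACCEPT"
    done
    echo "iptables -A SMTP_EGRESS -m limit --limit 5/min -j LOG --log-prefix \"smtp-egress-blocked: \""
    echo "iptables -A SMTP_EGRESS -j REJECT --reject-with tcp-reset"
}

# Emit a minimal /etc/msmtprc that sends everything via the smarthost on
# the submission port; msmtp runs no daemon and opens no listener on 25.
# The account and address values are placeholders.
msmtp_config() {
    host="$1"
    cat <<EOF
defaults
tls on
tls_starttls on
account default
host $host
port 587
auth on
user mailer@example.invalid
from www@example.invalid
EOF
}

# Number of rules that would let SMTP traffic through. Compare this with
# the number of users you meant to permit before applying the rule set.
count_accepts() {
    smtp_egress_rules "$@" | grep -c -- '-j ACCEPT'
}

# Usage: sh this_script.sh show   (prints rules and config for review)
if [ "${1:-}" = "show" ]; then
    smtp_egress_rules "${SMARTHOST:-192.0.2.25}" root apache
    msmtp_config "${SMARTHOST:-192.0.2.25}"
fi
```

Two practical points. The `-m owner --uid-owner` match only works in the OUTPUT path, which is where this chain is hooked; if you keep Exim rather than msmtp, the process that opens the connection runs as the exim user, so that uid is the one to list, not apache. Use an IP address for the smarthost rather than a hostname: iptables resolves a name once, at rule insertion, and a later DNS change would silently leave the rule pointing at the old address.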
