Colin Keith wrote:
> Hi,
>
> Like lots of people I'm having a hard time with spammers misusing my
> customer's sites and services....

*snip*

>
> Does anyone have any suggestions?

Keeping in mind that once you have tamed/armored Exim, you still have to get control over smtp-outbound capable executables and such within your clients' other apps. These do not even need to get near Exim, nor require privileged ports or UID:GID either....

Ergo, life will be much simpler if you segregate the services by platform and IP:

- do not permit any services 'other than' an all-virtual-user MTA on one 'server' (no local accounts).

- permit NO mail services on another 'server' - say one with web sites.

The webish one (or external fw) should block any outbound traffic destined for port 25. It *could* permit logging-in to its sibling on port 587 for controlled smarthost use.

At that point, cron jobs aside, there are no longer any 'non-smtp' sessions, so the normal AUTH and smtp session acl's apply.

Use of virtualized 'servers' means you do not necessarily need two physical boxen - though I'd still recommend it.

Anything else gets MORE complex, and harder to debug, protect, and stay abreast of, as you are just beginning to detail.

HTH,

Bill

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
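
The web-host side of the split described above, as an added example that is not part of the original post: a shell function that prints an nftables ruleset rejecting outbound port 25 and allowing port 587 only to the sibling mail server. The table name, the log prefix, the 192.0.2.25 documentation address and the rejection of port 587 to any other host are assumptions of this example.

```shell
#!/bin/sh
# Added example: egress policy for the web host (no MTA runs on it).
# Assumption: the sibling mail server's address is passed in as $1.

is_ipv4() {
    # Accept a single dotted quad with octets 0-255 and nothing else,
    # so no stray text can end up inside the generated ruleset.
    printf '%s\n' "$1" | awk -F. 'NR > 1 || NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
            if ($i !~ /^(0|[1-9][0-9]?[0-9]?)$/ || $i > 255) exit 1 }'
}

web_host_ruleset() {
    smarthost=$1
    is_ipv4 "$smarthost" || {
        echo "invalid smarthost address: $smarthost" >&2
        return 1
    }
    cat <<EOF
table inet smtp_egress {
    chain output {
        type filter hook output priority 0; policy accept;

        # Submission to the sibling MTA: its AUTH and SMTP ACLs apply.
        ip daddr $smarthost tcp dport 587 accept

        # Assumption: submission to any other host is refused as well,
        # so the sibling stays the only way to send mail.
        tcp dport 587 log prefix "submission-egress-blocked: " reject with tcp reset

        # No direct SMTP from this host, whatever executable or UID tries.
        # The log line records each attempt made by a client's app.
        tcp dport 25 log prefix "smtp-egress-blocked: " reject with tcp reset
    }
}
EOF
}

# Usage: sh web-egress.sh 192.0.2.25 > smtp-egress.nft
# Check the file with "nft -c -f smtp-egress.nft" before loading it.
if [ "$#" -gt 0 ]; then
    web_host_ruleset "$1"
fi
```

The output hook only sees traffic generated on the web host itself; when an external firewall does the blocking instead, the same two rules belong in its forward path.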
