[email protected] wrote:
> On Fri, Jan 16, 2009 at 07:08:58AM +0000, W B Hacker wrote:
>> platform and IP:
>>
>> - do not permit any services 'other than' an all-virtual-user MTA on one
>> 'server' (no local accounts).
>>
>> - permit NO mail services on another 'server' - say one with web sites.
>>
>> The webish one (or external fw) should block any outbound traffic
>> destined for port 25.
>>
>> It *could* permit logging-in to its sibling on port 587 for controlled
>> smarthost use. At that point, cron jobs aside, there are no longer any
>> 'non-smtp' sessions, so the normal AUTH and smtp session ACLs apply.
>>
>> Use of virtualized 'servers' means you do not necessarily need two
>> physical boxen - though I'd still recommend it.
>
> You're completely correct of course and I must say your suggestions have
> given me a few ideas on where to move to in the future. One of my problems
> is that these are live boxes with lots of happy customers and the boxes are
> all running non-Xen kernels and they're not new enough for KVM. I can't
> really use VirtualBox/VMWare as I refuse to put GUIs on the boxes because
> they're servers.

Qemu is F/OSS and can be run from/as text-mode/CLI only (w/o a 'GUI'). AFAIK, so too the others. Most Linuxen, of course, are not quite as CLI-centric as *BSD'ers, so may not be aware of that.

> However there's a distinct possibility that I could run up some older box
> to behave as an outgoing mail server so as to centralize the filtering. I
> already filter outbound traffic for regular users (and the web server user
> more so for all the lame PHP scripts) so port 25 traffic isn't a problem.
> But an outbound mail server like this would help with this issue because
> most comment/419 spammers (my biggest problem) hop around different sites on
> different web servers. In this case it would all be logged centrally so it
> would be much easier to pull blocking stats from.

Even a single box, if run with no mail service to the shell-account IDs nor 'Luser' permissions on 'mail'-ish executables, would help by making everything 'smtp' and letting you enforce AUTH.

EX: A shell login account UID:Shell to control web pages - but Exim configured w/o shell delivery routers or user verification.

The 'owner' of account 'Shell' - IF and only IF they also need/(pay for) email - gets one or more differently-named UIDs that are virtual only, AND NOT shell accounts.

Compared to a simple two-box rig, that makes it a bit more complex to allow outbound targeted on far-end port 25 to Exim AND NOT any other script, app, or daemon. But it can be done.

> Thanks for your suggestions I'll see what I can come up with.
>
> Regards,
> Colin.
>
> --
> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
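The "webish" box described in the thread, with every outbound message handed to the sibling MTA on port 587 over AUTH and TLS and no router that could deliver to arbitrary MX hosts or to shell accounts, as an added Exim configuration sketch that is not from the thread or from the Exim project. The hostname mailhost.example.invalid, the login name and the password are placeholders.

```exim
# Added example, not from the thread. Exim on the web server relays all
# non-local mail to the sibling MTA on submission port 587 with AUTH+TLS,
# so nothing on this host needs to reach far-end port 25 directly.
# mailhost.example.invalid and the credential are placeholders.

domainlist local_domains = @

begin routers

# Deliberately no dnslookup router: this box never delivers to MX hosts.
# Deliberately no localuser/shell delivery router: mail for shell-account
# names is not delivered here ("no mail services on the web server").
smarthost:
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp_smarthost
  route_list = * mailhost.example.invalid
  no_more

begin transports

remote_smtp_smarthost:
  driver = smtp
  port = 587
  hosts_require_tls = *
  hosts_require_auth = *

begin authenticators

# Client-side PLAIN; each ^ becomes a NUL in the string actually sent.
smarthost_plain:
  driver = plaintext
  public_name = PLAIN
  client_send = ^webbox@example.invalid^PLACEHOLDER_PASSWORD
```

In the single-box variant the author sketches, the "only Exim may reach far-end port 25" part is enforced outside Exim, for example by an outbound host-firewall rule matched on the Exim daemon's UID.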