On Wed, Oct 21, 2009 at 02:14:11PM -0700, Brad Melanson wrote:
> Hi there,
>
> I ran across a scenario on my new exim setup and am hoping someone can point
> me in the right direction as I am very new to Exim.
>
> Currently, I have Exim 4.69 installed on a FreeBSD 6.4 AMD64 machine with
> MySQL which is now deployed and running stable. We have disabled relaying and
> require users to connect via SSL to authenticate for both sending and
> receiving email.
>
> I have been running some tests and discovered that local authenticated users
> are able to send email as any address they wish, including other local users.
> This poses a security concern for my clients and I was hoping to plug this hole.
>
> Is there a way of limiting authenticated users to only send email for their
> authenticated account?
As long as you can define what "only send email for their authenticated account" means in terms of SMTP, then yes. Obvious possibilities include restricting the MAIL FROM address, and/or restricting the "From" header. For the former, you'd use an ACL in acl_smtp_mail; for the latter, an ACL in acl_data. Either way you'd presumably want to use $authenticated_id as part of the logic.

Whether or not it's a good idea, though, is an entirely separate question. It depends what problem you're trying to solve - that your users shouldn't be able to fool the recipients of their email? Or that if they /do/ do that, they should know that /you/ know that it was them that sent it?

--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey
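The two ACLs described above, written out as an added example for the Exim configuration file (this is not code from the thread). It assumes the authenticator's server_set_id puts the user's full login address into $authenticated_id; on a MySQL-backed setup where the id is a bare username, a lookup would be needed in place of the direct comparison.

```exim
# Hook the two ACLs into the SMTP MAIL and DATA phases.
acl_smtp_mail = acl_check_mail
acl_smtp_data = acl_check_data

begin acl

# Envelope sender check (MAIL FROM): an authenticated client may
# only use its own authenticated address as the envelope sender.
# Assumption: $authenticated_id holds the full email address.
acl_check_mail:
  deny
    authenticated = *
    condition     = ${if !eq{${lc:$sender_address}}{${lc:$authenticated_id}}}
    message       = Authenticated as $authenticated_id; envelope sender \
                    $sender_address is not permitted
    log_message   = sender spoofing attempt: $authenticated_id used $sender_address

  accept

# Header check (DATA): the address in the From: header must also match
# the authenticated identity. ${address:...} strips the display name.
acl_check_data:
  deny
    authenticated = *
    condition     = ${if !eq{${lc:${address:$h_from:}}}{${lc:$authenticated_id}}}
    message       = From: header must carry your authenticated address \
                    ($authenticated_id)
    log_message   = From: header spoofing attempt: $authenticated_id used \
                    ${address:$h_from:}

  accept
```

Unauthenticated sessions fall through both ACLs untouched, so the relay and recipient checks already in place keep applying to them.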
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
