acl_not_smtp seems to do the job.
Here is my ACL:
<--- snips --->
acl_not_smtp = acl_local_users
<--- snips --->
begin acl

acl_local_users:
  accept  condition = ${if eq{$originator_uid}{0}}
  drop    message   = Local users can't send mail
<--- snips --->
root (UID 0) can send mail, but here below is Exim's log when trying
to send as user "www-data":
2015-07-20 16:56:38 1ZHCUd-0000zs-Kq F=<[email protected]> rejected by non-SMTP ACL: Local users can't send mail
2015-07-20 16:56:38 1ZHCUg-0000zu-IA F=<> rejected by non-SMTP ACL: Local users can't send mail
2015-07-20 16:56:38 1ZHCUg-0000zu-IA Error while reading message with no usable sender address (R=1ZHCUd-0000zs-Kq): rejected by non-SMTP ACL: Local users can't send mail
2015-07-20 16:56:38 1ZHCUd-0000zs-Kq Child mail process returned status 1
I suspect there is a more elegant way to do the job, avoiding the last 2
lines of the log, which I don't like so much (or are they normal in the Exim log?)
... But it works :)
Any other suggestion is appreciated.
Thanks!
g
On 20/07/2015 10:09, GD wrote:
Yes, acl_not_smtp seems to be the right way. Nice suggestion, thanks!
Of course it can't block SMTP connections, but my Exim accepts only
authenticated users on SMTP, so it is difficult to have a code injection
sophisticated enough to use SMTP with auth.
Why did you state that a PHP script accessing local submission via a
socket could hack the MTA? Doesn't acl_not_smtp also deal with
that kind of connection? This is very important to me ...
I'll try the acl_not_smtp method and read more about it to understand
if it's enough in my case.
Thanks for any other clue you would like to share.
g
On 19/07/2015 06:47, Jasen Betts wrote:
On 2015-07-17, Giuliano David <[email protected]> wrote:
Hi everybody.
Within Exim I tried using "trusted_users = root" in main configuration,
but the effect is not what I need as I read in chapter 14
(http://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html)
and in chapter 5.2 of Exim documentation.
On *nix, PHP's mail() function sends email via local
submission (/var/lib/sendmail).
Can anyone point me in the right direction to achieve the same with
exim4?
Exim's default config is to accept all local senders, but that's
easily fixed.
# in the main section:
acl_not_smtp = acl_local

# in the ACL section:
# order of ACLs is not significant, just insert this at the head of
# that section.
acl_local:
  accept
    authenticated = root:exim
    # the list here should include the username exim runs under, else
    # bounce messages won't be generated successfully, and failed emails
    # will be retried indefinitely.
  deny
# that's all the configuration needed.

If the rogue PHP is instead opening a socket to localhost:smtp or
localhost:submission, do also as suggested previously by others.
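Added example, not part of the thread: a small Python summarizer for the rejection log shown in the first message. It folds the F=<> bounce rejection into the submission named by its (R=...) reference, so each blocked local send is counted once. The sample log is constructed from the lines above with a placeholder sender, and the 6-6-2 message id format seen in that log is assumed.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the log in the message above; the sender
# address is a placeholder because the original is obscured on the page.
SAMPLE_LOG = """\
2015-07-20 16:56:38 1ZHCUd-0000zs-Kq F=<www-data@host.example> rejected by non-SMTP ACL: Local users can't send mail
2015-07-20 16:56:38 1ZHCUg-0000zu-IA F=<> rejected by non-SMTP ACL: Local users can't send mail
2015-07-20 16:56:38 1ZHCUg-0000zu-IA Error while reading message with no usable sender address (R=1ZHCUd-0000zs-Kq): rejected by non-SMTP ACL: Local users can't send mail
2015-07-20 16:56:38 1ZHCUd-0000zs-Kq Child mail process returned status 1
"""

# Assumed line layout: "<date> <time> <message id> <rest>", as in the log above.
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\w{6}-\w{6}-\w{2}) (?P<rest>.*)$")
REJECT = re.compile(r"^F=<(?P<sender>[^>]*)> rejected by non-SMTP ACL: (?P<reason>.*)$")
PARENT = re.compile(r"\(R=(?P<parent>\w{6}-\w{6}-\w{2})\)")


def summarize(log_text):
    """Return one record per rejected local submission, keyed by message id.

    A rejection with an empty sender (F=<>) is a bounce; its follow-up line
    names the message it was generated for in (R=...), so it is folded into
    that parent record instead of being counted as another submission.
    """
    events = OrderedDict()   # message id -> record
    parent_of = {}           # bounce id -> id of the message it reports on
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue         # not a per-message log line
        msg_id, rest = m["id"], m["rest"]
        rej = REJECT.match(rest)
        if rej:
            events[msg_id] = {"time": m["ts"], "sender": rej["sender"],
                              "reason": rej["reason"], "bounce_failed": False}
        link = PARENT.search(rest)
        if link:
            parent_of[msg_id] = link["parent"]
    for bounce_id, parent_id in parent_of.items():
        if bounce_id in events and events[bounce_id]["sender"] == "":
            del events[bounce_id]
            if parent_id in events:
                events[parent_id]["bounce_failed"] = True
    return events


if __name__ == "__main__":
    for msg_id, rec in summarize(SAMPLE_LOG).items():
        print(msg_id, rec)
```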