Vadim Zhukov wrote:
Do your clients have ability to connect to external hosts? If yes then
you should not even bother logging PHP mail() calls or such.
If outgoing connections are closed then you should have different system
users (i.e., different UIDs) for each client; otherwise it'll be easy
possible for hacker to spoof sender: nothing stops him from modifying
other client's scripts or just implementing SMTP server entire in PHP.
Exactly. That's what I, that's what everyone has who hosts web sites of
users.
If someone can hack into it, she can write some basic SMTP easily.
But when you have 200+ users, and 10+ run some php code, and your
postfix spews spam to world and sundry, a filter 'From:' - before
reaching postfix, because 'root' does not send from chrooted Apache, can
conveniently block all mails with illegal senders' addresses.
And only if both requirements passed then you can improve your antispam
scurity either by 1) modifying mini_sendmail, or 2) writing a simple
Perl wrapper that parses input data (bundled and/or in-ports Perl
modules should make it very easy) and then passes data to real
mini_sendmail.
IMHO, it's much easier to make mini_sendmail log mail, or add a specific
header to each letter that may help you in debugging. In the latter case
you may even put some limits for mail based on your header knowledge in
your "real" MTA, which mini_sendmail will forward letters to. You do not
need big programming skills to do that, just some basic C knowledge. If
you do not know C at all, ask some your friend to do this work for beer
(or mineral water, if he doesn't like alcohol ;) ).
I don't mind paying a drink, I even don't mind gobbling up something
myself. But maybe something likewise existed, and then I could simply
save my time. I guess I'm not the only one who runs official CMSes on a
server, that need to send mail, and want to block everyone else's
website hosted there as well, from sending mail.
Thanks,
Uwe
