On 10/01/2016 12:47 PM, D'Arcy J.M. Cain wrote:
> I am having trouble figuring out how to do this. Hopefully someone
> here can help me figure it out. The problem is email coming from my
> web server. I use "permit_mynetworks" in all of the restrictions
> entries but that's a bit too liberal.
>
> [...]
>
> I don't want to force them to authenticate from our own web server
> because that would mean storing their system password on the web server
> for all to read.
>
> So has anyone else had to deal with this issue?
>

I can't speak from hosting experience, but forcing authenticated smtp connections and rate limiting them with a policy service (like policyd or postfwd) would be my solution if I had to do this. That would have the advantages of being able to identify and shut down users that are abusing or being abused and in the meantime limiting the damage.

If the smtp accounts can use a different set of credentials to the hosting login, storing them on the web server could be an acceptable solution over not having any authentication. Some php software may rely on being able to send from localhost via sendmail, but more popular php software will generally allow this kind of configuration.

Some other possibilities:

- configure the sendmail command in a per user php.ini to add the -f parameter with the user's email account that should override the nobody envelope sender
- configure php.ini to add the X-PHP-Originating-Script header (parameter mail.add_x_header). That will help you track down the uid of the script owner and the script name if you ever get your hands on an example email
- configure the php.ini mail.log parameter. That logs every call to the mail function in php providing quite a lot of detailed information (including the full path to the script)
- make a wrapper around the sendmail command (you could configure sendmail_path in php.ini to call that instead of sendmail). The wrapper could do the checks you mentioned before passing the mail on to the real sendmail or providing an error back to php.

John
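
The wrapper idea from the last bullet above, as an added example that is not part of the original message. It assumes each customer's PHP runs under its own uid; the install name `sendmail-wrapper`, the state directory, and the per-uid hourly limit are hypothetical and stand in for the checks elided from the quoted question.

```shell
#!/bin/sh
# Added example: wrapper to point php.ini's sendmail_path at.
# Assumed (not from the thread): install name, state directory, hourly limit.
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail}"
STATE_DIR="${STATE_DIR:-/var/spool/mailwrap}"  # must be writable by the web users
MAX_PER_HOUR="${MAX_PER_HOUR:-100}"

# allow_send UID: count one message for UID in the current UTC hour.
# Returns 0 while the count is within MAX_PER_HOUR, 1 once it is exceeded
# or if the counter cannot be written (fail closed).
allow_send() {
    bucket="$STATE_DIR/$1.$(date -u +%Y%m%d%H)"
    echo x >> "$bucket" || return 1
    count=$(($(wc -l < "$bucket")))
    [ "$count" -le "$MAX_PER_HOUR" ]
}

# wrap_main ARGS...: check the caller, log the decision, then hand the
# message (still unread on stdin) to the real sendmail with PHP's arguments.
wrap_main() {
    uid=$(id -u)
    if ! allow_send "$uid"; then
        logger -t mailwrap "reject uid=$uid cwd=$PWD limit=$MAX_PER_HOUR/h"
        echo "mailwrap: hourly mail limit reached" >&2
        return 75   # EX_TEMPFAIL: non-zero exit makes PHP's mail() return false
    fi
    logger -t mailwrap "accept uid=$uid cwd=$PWD args=$*"
    exec "$REAL_SENDMAIL" "$@"
}

# Run only when invoked under the installed name, so the functions can be
# sourced and tested without sending mail.
case "$0" in
    */sendmail-wrapper) wrap_main "$@" ;;
esac
```

The wrapper runs with the calling user's privileges, so it throttles and logs scripts that send through mail() but does not constrain a user who calls the real sendmail binary directly; the authenticated SMTP and policy service approach covers that case.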
