Re: Blocking web mail
- Le 28/06/2011 12:24, Jerry a écrit :
> On Tue, 28 Jun 2011 01:59:43 +0200we are two ;-)
> mouss articulated:
>> Le 28/06/2011 00:25, Jerry a écrit :
>>> On Mon, 27 Jun 2011 18:06:19 -0400 (EDT)
>>> Wietse Venema articulated:
>>>>> I saw a configuration for blocking web mail from Apache from
>>>>> accessing Postfix. I think it was something like: !www or
>>>>> something like that. I forgot to write it down and now I cannot
>>>>> locate it. Does anyone know what the recipe is. Thanks!
>>>> This was discussed here three postings before your question.
>>> OK, I found it:
>>> authorized_submit_users = !apache,static:all
>>> Since I am running Apache on FreeBSD with user/group ownership of
>>> "www" I assume I would use this instead:
>>> authorized_submit_users = !www, static:all
>>> Would that be correct?
>> that would. but it doesn't prevent users from using the smtp
>> interface. users can even send outbout smtp without using your
>> relay... oh, unless you use different servers for different roles...
> My goal is to insure that if my Apache server were somehow compromised,
> and I have no reason to believe it is or has been, that it could not
> then use Postfix to send mail. Perhaps I am just being paranoid.
what I tried to say is: if you use a single server as an outbound relay
and as another role, then you increase risks. in particular, if you put
a web server on the same box as a postfix relay, then a program running
inside your webserver (cgi, module, ...) can send mail using the smtp
interface. in which case, no sendmail limitation would help. to protect
- the simplest approach is to not run a web server on the postfix relay:
- if not possible, control both the sendmail interface and the smtp
interface. the latter is not easy. the unix model was not designed to
control network traffic. a "local" firewall (pf, iptables) and MAC
(freebsd mac, netbsd systrace, selinux, ...) might help, but they
require some amount of work.