On 10/08/2013 01:44 AM, Stan Hoeppner wrote:
>
> Understood. For a more permanent solution to this script problem, you
> may want to consider locking down or disabling the pickup service, and
> configuring all web applications and MUAs to use the submission service
> with auth. This will prevent such scripts from being able to send mail
> in the event some crafty soul is able to get one uploaded via something
> other than FTP.
>

Having mail() as the universal interface is nice while you're developing in PHP, since there's no need to fiddle with the settings when moving between development and production.

In case of smart hacker / stupid customer, we set,

  sendmail_path = /usr/sbin/sendmail -t -i -f postmas...@example.com

in php.ini so that any attempts at abuse generate bounces to an administrator (postmaster@) rather than e.g. the From header of the message. You'll need to override it in certain cases, but it's a safe default.

An additional layer of defense is to set,

  mail.log = syslog

in php.ini and then use the existing syslog notification mechanisms to alert an admin of anything unusual. Unfortunately this fails in roughly the same cases that the envelope sender override does: if someone is running a massive phplist mailing list, they need their bounces (to remove bad addresses), and I don't want to hear about every message they send.
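
The syslog alerting idea from the message above, as an added example that is not part of the original post: it counts mail() recipients per calling script and skips an allowlisted bulk mailer such as the phplist case. The log line layout is assumed to be the one PHP writes when mail.log is set; the sample lines, paths, threshold and allowlist prefix are constructed.

```python
import re
from collections import Counter

# Assumed layout of the message PHP logs for each mail() call:
#   mail() on [/path/script.php:LINE]: To: rcpt[, rcpt...] -- Headers: ...
MAIL_RE = re.compile(
    r"mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: To: (?P<to>.*?) -- "
)


def noisy_scripts(lines, threshold, allowlist=()):
    """Return {script: recipient_count} for scripts above `threshold`.

    Scripts whose path starts with an allowlisted prefix (a known bulk
    mailer, for instance) are ignored so they do not drown out the rest.
    """
    counts = Counter()
    for line in lines:
        m = MAIL_RE.search(line)
        if not m:
            continue  # not a mail() log line
        script = m.group("script")
        if any(script.startswith(prefix) for prefix in allowlist):
            continue
        # One mail() call can address several recipients; count each one.
        rcpts = [r for r in m.group("to").split(",") if r.strip()]
        counts[script] += len(rcpts)
    return {s: n for s, n in counts.items() if n > threshold}


# Constructed sample syslog lines (host, tag, paths and addresses are made up).
SAMPLE = (
    ["Oct  8 02:10:01 web1 php: mail() on [/var/www/shop/contact.php:41]: "
     "To: owner@example.com -- Headers: From: form@example.com"]
    + ["Oct  8 02:10:0%d web1 php: mail() on [/var/www/blog/uploads/x.php:7]: "
       "To: a%d@example.net, b%d@example.net -- Headers: " % (i, i, i)
       for i in range(3)]
    + ["Oct  8 02:11:0%d web1 php: mail() on [/var/www/lists/admin/send.php:212]: "
       "To: sub%d@example.org -- Headers: List-Id: news" % (i, i)
       for i in range(4)]
    + ["Oct  8 02:12:00 web1 sshd[811]: Accepted publickey for deploy"]
)

if __name__ == "__main__":
    # Alert on scripts over 3 recipients, excluding the mailing-list tree.
    for script, n in noisy_scripts(SAMPLE, 3, ("/var/www/lists/",)).items():
        print("ALERT: %s sent to %d recipients" % (script, n))
```
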