On 10/8/2013 3:08 PM, li...@sbt.net.au wrote: > On Tue, October 8, 2013 4:44 pm, Stan Hoeppner wrote: ... >> Understood. For a more permanent solution to this script problem, you >> may want to consider locking down or disabling the pickup service, and >> configuring all web applications and MUAs to use the submission service >> with auth. This will prevent such scripts from being able to send mail in >> the event some crafty soul is able to get one uploaded via something other >> than FTP. > > how do I lock it or disable ? > there are several Joomla CMSs, I'll check and see about changing to > 587/smtp-auth
Others responded with some good ideas here, mostly locking down PHP itself so it can't use the sendmail binary. But it sounds like this is a generic web hosting server for your customers. Which means they may be using all manner of languages other than PHP, such as Perl, Java, etc. In this case, the most thorough way to lock this down, other than disabling the pickup service in master.cf, is to restrict execute permissions on the sendmail binary to root. This prevents all web applications from using the pickup service. Then instruct all of your users to use the submission service on TCP 587 for sending mail. Disabling pickup is the easiest and quickest way to stop this spamming permanently. But it will likely break management functions that need to send mail via pickup, such as logwatch, pflogsumm, etc. Thus restricting which users can execute the sendmail binary is a better solution. -- Stan
