On 10/8/2013 3:08 PM, li...@sbt.net.au wrote:
> On Tue, October 8, 2013 4:44 pm, Stan Hoeppner wrote:
...
>> Understood.  For a more permanent solution to this script problem, you
>> may want to consider locking down or disabling the pickup service, and
>> configuring all web applications and MUAs to use the submission service
>> with auth.  This will prevent such scripts from being able to send mail in
>> the event some crafty soul is able to get one uploaded via something other
>> than FTP.
> 
> how do I lock it or disable?
> there are several Joomla CMSs, I'll check and see about changing to
> 587/smtp-auth

Others responded with some good ideas here, mostly locking down PHP
itself so it can't use the sendmail binary.  But it sounds like this is
a generic web hosting server for your customers.  Which means they may
be using all manner of languages other than PHP, such as Perl, Java, etc.

In this case, the most thorough way to lock this down, other than
disabling the pickup service in master.cf, is to restrict execute
permissions on the sendmail binary to root.  This prevents all web
applications from using the pickup service.  Then instruct all of your
users to use the submission service on TCP 587 for sending mail.

Disabling pickup is the easiest and quickest way to stop this spamming
permanently.  But it will likely break management functions that need to
send mail via pickup, such as logwatch, pflogsumm, etc.  Thus
restricting which users can execute the sendmail binary is a better
solution.

-- 
Stan
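
Added example, not from the thread or from Postfix itself: a small POSIX sh audit that checks the two controls Stan describes, an active pickup entry in master.cf and a sendmail binary that any local user (so any web application) can execute. The default paths are assumptions; override them through the environment.

```shell
#!/bin/sh
# Audit helper for the two controls discussed above (added example, not from
# the thread). Checks whether pickup is still active in master.cf and whether
# the sendmail binary is executable by "other", i.e. by any web-app user.
# The default paths are assumptions; override them via the environment.
SENDMAIL_BIN="${SENDMAIL_BIN:-/usr/sbin/sendmail}"
MASTER_CF="${MASTER_CF:-/etc/postfix/master.cf}"

# pickup_enabled TEXT: succeed when TEXT (master.cf contents) contains an
# uncommented pickup service line; a leading '#' disables the service.
pickup_enabled() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*pickup[[:space:]]+(unix|fifo)[[:space:]]'
}

# world_exec PATH: succeed when the file's "other" execute bit is set.
# Parses ls -l so it works on GNU and BSD userlands alike; column 10 is
# 'x' or 't' when others may execute (an ACL '+' marker comes after it).
world_exec() {
    case "$(ls -ld -- "$1" 2>/dev/null | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit: print one line per control; return 0 only when both are closed.
audit() {
    rc=0
    if [ -r "$MASTER_CF" ] && pickup_enabled "$(cat "$MASTER_CF")"; then
        echo "OPEN:   pickup service active in $MASTER_CF"; rc=1
    else
        echo "CLOSED: pickup disabled (or $MASTER_CF not readable)"
    fi
    if world_exec "$SENDMAIL_BIN"; then
        echo "OPEN:   $SENDMAIL_BIN is executable by every local user"; rc=1
    else
        echo "CLOSED: $SENDMAIL_BIN not world-executable (or absent)"
    fi
    return $rc
}

# Constructed master.cf fragments used to demonstrate pickup_enabled offline.
MASTER_OPEN='smtp      inet  n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup'
MASTER_LOCKED='smtp      inet  n       -       n       -       -       smtpd
#pickup   unix  n       -       n       60      1       pickup'

pickup_enabled "$MASTER_OPEN"   && echo "sample 1: pickup active"
pickup_enabled "$MASTER_LOCKED" || echo "sample 2: pickup disabled"
```

Source the file and call `audit` on the host to check the live master.cf and sendmail binary.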