I am having trouble figuring out how to do this. Hopefully someone here can help me figure it out. The problem is email coming from my web server. I use "permit_mynetworks" in all of the restrictions entries but that's a bit too liberal.

In particular I have a web server where many clients are running PHP scripts such as Wordpress, Moodle, Joomla, etc. Because of the way most of these are written there is no way I can run PHP as a CGI so I have to use the Apache plugin. This causes every script to send mail as the web user (nobody) instead of as themselves. So now I have all sorts of users running PHP scripts that are riddled with security holes and sometimes a site is compromised and is used to send spam. However, when it is reported back I can't tell which user actually sent it. My first idea was to simply block nobody but that basically stops them from running a useful site. I tried making a rule that all mail has to come from a legitimate address on the assumption that users aren't spamming on purpose but they can't change the Sender, only the From.

So, I need some way to examine the headers on email coming from internal servers, at least the web server, and allow email that has a From or a To of a valid user on my system. I can also allow Senders which are legitimate users since not everyone runs PHP. The theory for each is:

- Sender: No matter what the rest looks like I can follow who sent it as long as it is a legitimate user.
- From: Ditto. I assume that users aren't purposely using a fellow user's login.
- To: If they are sending email to themselves I don't have to worry about spam.

I don't want to force them to authenticate from our own web server because that would mean storing their system password on the web server for all to read. So has anyone else had to deal with this issue?

--
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/
IM:da...@vex.net
VoIP: sip:da...@vex.net
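The Sender/From/To rule described in the post, written out as an added example that is not the poster's code or any Postfix component: it takes a raw message from the web server and decides whether any of those headers names a known local user, so the message can be attributed to someone. The user list, local domain and sample messages are constructed assumptions; note that Postfix's smtpd policy delegation only sees the envelope, so a check like this has to run where headers are visible (a milter or content filter), and it attributes mail rather than proving the user sent it.

```python
import email
from email.utils import getaddresses

# Constructed example data (assumptions, not from the post): the accounts
# that exist on the system and the domains the server treats as its own.
LOCAL_USERS = {"alice", "bob"}
LOCAL_DOMAINS = {"example.net"}


def local_user(addr):
    """Return the local part if addr is <known user>@<local domain>, else None."""
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return None  # no domain part at all; cannot be one of ours
    local, domain = local.lower(), domain.lower()
    if domain in LOCAL_DOMAINS and local in LOCAL_USERS:
        return local
    return None


def attribute_message(raw):
    """Apply the post's rule to one raw RFC 5322 message.

    Checks Sender, then From, then To (each may carry several addresses);
    the first address naming a local user wins. Returns (accept, reason).
    """
    msg = email.message_from_string(raw)
    for header in ("Sender", "From", "To"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            user = local_user(addr)
            if user:
                return True, f"{header} header names local user {user}"
    return False, "no Sender, From or To address belongs to a local user"


# Constructed sample: a compromised site mailing an outsider as the web user.
SPAM_SAMPLE = (
    "From: nobody@example.net\n"
    "To: victim@example.com\n"
    "Subject: hello\n\n"
    "body\n"
)

# Constructed sample: a shop plugin mailing the site owner, still sent as nobody.
NOTIFY_SAMPLE = (
    "From: Shop <nobody@example.net>\n"
    "To: orders@example.com, Alice <alice@example.net>\n"
    "Subject: new order\n\n"
    "body\n"
)

if __name__ == "__main__":
    print(attribute_message(SPAM_SAMPLE))    # (False, ...)
    print(attribute_message(NOTIFY_SAMPLE))  # (True, 'To header names local user alice')
```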