On Sun, 2015-06-28 at 13:42 -0700, dealTek wrote:
> Hi Ashley - Richard & Curtis,
>
> Thanks for the help. I have a VPS that is running cPanel and CentOS.
>
> The server techs are able to assist with various things, so I would like to find out the best way (secure and prevent spam relay as Ashley mentioned) to set up sending PHP mail from either forms or from database storage.
>
> > On Jun 27, 2015, at 12:08 AM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > What do you mean by locking it down? Do you mean to prevent it being used in a spam relay?
>
> Yes I did mean to prevent it being used in a spam relay.
>
> > On Jun 27, 2015, at 4:33 AM, Richard <replies-lists-e7x6-php@xxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > You also need to provide a sense of how sending mail is handled in
> > your current environment. E.g., are you running an MTA on your
> > server and sending out directly; are you running an MTA that is
> > configured to pass mail to a "smarthost"; do you send mail via a[n
> > authenticated] submission port?
> >
> > Whether authentication is required or not is really an MTA
> > configuration issue. If your server is running an MTA and able to
> > send mail out directly (or via a smarthost) then you need to manage
> > the MTA's configuration in order to control who/what can send.
>
> Richard,
>
> the server tech said this...
>
> The MTA used on the server is Exim. The rest of the questions would have to be answered by you as this will vary from customer to customer on how they have everything set up, but my guess would be no to the rest of the questions.
>
> Curtis,
>
> > On Jun 27, 2015, at 7:18 AM, Curtis Maurand <curtis@xxxxxxxxxxx> wrote:
> >
> > Just for an example, my system connects to a locally running MTA that only accepts mail on 127.0.0.1 and forwards to a smart host. Authentication is handled by the MTA.
> > Make sure you've set up adequate security provisions to keep your system from being exploited by spammers and their ilk.
> >
> > --Curtis
>
> I will ask if this is possible on my server.
>
> Thanks for your help.
>
> --
> Thanks,
> Dave - DealTek
> dealtek@xxxxxxxxx
> [db-15]

From a code point of view, sanitise everything, every single field that contains even a single letter of content that comes from what a user fills in. One of the routines I tend to run on variables I'm using in a mail() call is this, which strips out email headers that someone might have attempted to add to a field in a contact form, for example:

    // Remove header-like tokens (e.g. "Bcc:") from a user-supplied value
    // before it is handed to mail(); matching is case-insensitive.
    private function remove_headers($string)
    {
        $headers = array(
            "/to\:/i",
            "/from\:/i",
            "/bcc\:/i",
            "/cc\:/i",
            "/reply-to\:/i",
            "/Content\-Transfer\-Encoding\:/i",
            "/Content\-Type\:/i",
            "/Mime\-Version\:/i"
        );

        // preg_replace accepts an array of patterns and applies each in turn
        return preg_replace($headers, '', $string);
    }

Obviously you will want other sanitisation methods to be run if you're doing anything else with this data (such as storing it in a database, or writing it to a file), but you would need to run only the appropriate level of sanitisation at the right time. It's bad practice to add all sorts of levels of filtering which aren't needed.

Thanks,
Ash
http://www.ashleysheridan.co.uk
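The following is an added example, not code from Ashley's post or from anyone else in the thread, showing how a header-stripping routine of this kind fits into a complete contact-form handler. The function names (send_contact_mail, header_value, sender_address), the example.com addresses and the sample submission are all assumptions constructed for illustration. It separates the two places user input can end up: values that go into a header line (subject, reply address) are validated and rejected outright if they contain a CR or LF, since a line break is what allows an extra header to be started; free text that goes into the message body is passed through the stripping routine.

```php
<?php
// Added example (not from the mailing-list post). Function names and
// addresses are assumed; the sample submission below is constructed.

// Strip header-looking tokens from free text destined for the message body.
function remove_headers(string $string): string
{
    $headers = [
        '/to:/i', '/from:/i', '/bcc:/i', '/cc:/i', '/reply-to:/i',
        '/Content-Transfer-Encoding:/i', '/Content-Type:/i', '/Mime-Version:/i',
    ];
    return preg_replace($headers, '', $string);
}

// Anything placed on a header line must contain no CR or LF at all;
// a line break would let the caller start a new header. Reject, don't strip.
function header_value(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('line break in header value');
    }
    return trim($value);
}

// The visitor's address is only accepted if it parses as a single e-mail address.
function sender_address(string $value): string
{
    $email = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    return $email;
}

// Build and send the message. From: is a fixed address on this host; the
// visitor's address goes into Reply-To, so no user-controlled From: reaches the MTA.
function send_contact_mail(array $post, string $to): bool
{
    $replyTo = sender_address($post['email'] ?? '');
    $subject = header_value($post['subject'] ?? '');
    $body    = remove_headers($post['message'] ?? '');

    $headers = "From: webform@example.com\r\n"
             . "Reply-To: " . $replyTo . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    return mail($to, $subject, wordwrap($body, 70), $headers);
}

// Constructed sample submission carrying an attempted extra Bcc: header
// in both the address field and the message body.
$sample = [
    'email'   => "visitor@example.net\r\nBcc: someone-else@example.org",
    'subject' => 'Question about pricing',
    'message' => "Hello,\nBcc: someone-else@example.org\nplease call me.",
];

try {
    send_contact_mail($sample, 'sales@example.com');
} catch (InvalidArgumentException $e) {
    // filter_var refuses the address because of the embedded line break,
    // so the message is never handed to mail().
    echo "Rejected: ", $e->getMessage(), "\n";
}
```

With the sample input the handler stops at sender_address and prints "Rejected: invalid e-mail address". If the address field is clean, the body's "Bcc:" token is removed by remove_headers before the text is sent; since the body is not a header line, that stripping only changes the displayed text and the MTA sees a single recipient. Running the script on a host with no local sendmail will make mail() return false with a warning, which is expected outside a configured server.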