Node:Security, Next:, Previous:Install, Up:Top



Security

This application is intended to be run in a secured environment: unauthenticated users can't make changes or view individual messages, but they can view the log and the queue list, so do not expose it to networks you don't trust.

To perform administrative actions on messages, you need to log in to Exim Webapp. The location of the user/password file is specified in web.xml. Just enter username/password pairs like

         myusername|mypassword
     
with a bar (|) as the delimiter. The passwords are stored in the clear; I plan to support encrypted passwords before long. See the suggestions below regarding this file.

Suggestions


Restrict Access
Either use a firewall or Tomcat itself to restrict access to permissible source IP addresses. To do this with Tomcat 5, use the Admin Tool to create a Remote Address Valve. I made mine at the Tomcat Server / Service / Host level, but you can probably add them at other scopes.
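For reference, this is the conf/server.xml fragment that such a valve amounts to. It is an added example, not configuration shipped with Exim Webapp, and the allowed addresses (the loopback address plus an assumed administrative 192.168.1.0/24 network) are placeholders. In Tomcat 5 the allow and deny attributes are comma-separated regular expressions that must match the whole client address, so the dots have to be escaped.

```xml
<!-- Added example (not part of Exim Webapp): a Remote Address Valve placed
     inside the <Host> element of conf/server.xml on Tomcat 5. Only clients
     whose address matches one of the comma-separated patterns can reach
     anything deployed under this Host. Addresses are assumed for illustration. -->
<Host name="localhost" appBase="webapps">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,192\.168\.1\.[0-9]+"/>
  <!-- existing <Context> entries for the deployed webapps follow here -->
</Host>
```

The same element can be nested in a <Context> instead, which restricts only that webapp rather than every application under the Host. The valve compares the TCP peer address, so if Tomcat sits behind a reverse proxy or load balancer every request appears to come from the proxy and the valve no longer restricts anything; in that layout restrict at the proxy or with the firewall instead.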
Secure your user/password file
Make sure the user/password file is unreadable to anyone other than the Tomcat user and the application administrators; it contains the passwords in the clear.
Lock down the Tomcat account
Be aware that it is sometimes convenient to be able to su to the Tomcat account for troubleshooting. If you need to do this after locking down the account, just enable logins on the account temporarily and lock it again when you are done.

If you don't use a command shell as the Tomcat user, you should disable logins to that account. Two common ways to do this, which can be combined, are

              usermod -L tomcat
          
          and
          
              usermod -s /bin/false tomcat
          
(With *BSD the shell can be changed with pw usermod tomcat -s /bin/false. I'm sure there's also an easy way to lock an account on *BSD... shoot me an email if you know how.)

Changing the shell to /bin/false breaks any su tomcat -c ... command in an init script, because su runs the command through the account's shell; locking the password alone does not affect su from root. Where su supports it (Linux does), su -s /bin/sh tomcat -c ... works around this. In any case, test things by stopping and starting Tomcat after making these changes.

Everything in this section applies equally to your Exim, ClamAV and other daemon user accounts.
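The user/password file format described above and the file and account suggestions in this section can be checked mechanically. The following script is an added example, not part of Exim Webapp: it verifies that the user|password file belongs to the Tomcat account, carries no group or world permission bits and contains only well-formed lines, then reports daemon accounts that still have an interactive shell or an unlocked password. The password file path, the account names and the list of nologin shells are assumptions, supplied on the command line or hard-coded for illustration.

```shell
#!/bin/sh
# Added audit script for the suggestions above; not part of Exim Webapp.
# The password file path and the account names are supplied as arguments
# and are assumptions, not values the application defines.

# Numeric owner and octal mode of a file (GNU stat first, BSD stat as fallback).
file_uid()  { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_passwd_file FILE OWNER
# The file holds "user|password" lines in the clear, so it must belong to the
# Tomcat account (given as a name or a uid) and carry no group/other bits.
# Every non-empty line must have exactly one '|' with text on both sides.
check_passwd_file() {
    f=$1 owner=$2
    case "$owner" in
        *[!0-9]*) want=$(id -u "$owner" 2>/dev/null) ;;   # resolve a name
        *) want=$owner ;;                                 # already numeric
    esac
    [ -f "$f" ] || { echo "FAIL: $f does not exist" >&2; return 1; }
    [ "$(file_uid "$f")" = "$want" ] ||
        { echo "FAIL: $f is not owned by $owner" >&2; return 1; }
    case "$(file_mode "$f")" in
        *00) ;;
        *) echo "FAIL: $f is accessible by group or others" >&2; return 1 ;;
    esac
    if grep -v '^$' "$f" | grep -Evq '^[^|]+[|][^|]+$'; then
        echo "FAIL: $f contains a malformed user|password line" >&2; return 1
    fi
    return 0
}

# shell_is_nologin SHELL: true if SHELL cannot start an interactive session.
shell_is_nologin() {
    case "$1" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# hash_is_locked HASH: true if the shadow(5) / master.passwd(5) password field
# can never match: usermod -L prefixes it with '!', FreeBSD's pw lock with
# '*LOCKED*', and a bare '*' means no usable password was ever set.
hash_is_locked() {
    case "$1" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_account USER: warns if the account still has a login shell or, when
# /etc/shadow is readable (i.e. run as root), an unlocked password.
check_account() {
    u=$1 rc=0
    sh_=$(getent passwd "$u" 2>/dev/null | cut -d: -f7)
    [ -n "$sh_" ] || sh_=$(grep "^$u:" /etc/passwd | cut -d: -f7)
    shell_is_nologin "$sh_" ||
        { echo "WARN: $u can log in with shell '$sh_'" >&2; rc=1; }
    if [ -r /etc/shadow ]; then
        h=$(grep "^$u:" /etc/shadow | cut -d: -f2)
        hash_is_locked "$h" ||
            { echo "WARN: $u has an unlocked password" >&2; rc=1; }
    fi
    return $rc
}

# usage: audit.sh PASSWDFILE TOMCATUSER [DAEMONUSER ...]
if [ "$#" -ge 2 ]; then
    check_passwd_file "$1" "$2" || exit 1
    shift 2
    for u in "$@"; do check_account "$u" || exit 1; done
    echo "OK"
fi
```

Run it as root so that /etc/shadow is readable, for example sh audit.sh /etc/tomcat/exim-webapp-users tomcat tomcat exim clamav, where the path and the account names are illustrative. A non-zero exit means at least one of the suggestions above has not been applied.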