Often, when setting up email on a server, you want to receive email from local processes (cron jobs, etc.) but don’t want email accounts to be abused by spammers. For example, on Ubuntu systems you might have a cron job that runs as www-data that you want to get mail from, but you don’t want spammers sending email to www-data@example.com. I just had a client ask me to fix this problem for them, so I thought I’d share the solution I came up with.

Typically, the /etc/aliases file directs mail from all these extra accounts (like www-data, nobody, etc.) to root, and you’re expected to set up a forwarder for root (e.g. mah@example.com). Instead of directing mail for all these accounts to root, I created a locked-out account. The only purpose of this account is to verify that only locally generated email is sent on to the end recipient. No more Viagra spam for www-data@example.com!

To set up the locked-out account:
$ sudo /usr/sbin/useradd -m localmail
$ sudo /usr/sbin/usermod -L -s /dev/null localmail
$ echo '"|exec /usr/bin/procmail"' | sudo -u localmail tee ~localmail/.forward
$ cat <<'EOF' | sudo -u localmail tee ~localmail/.procmailrc
# replace example.com with whatever domain locally generated email has
# discard anything whose Return-Path does not mention the local domain
:0
* !^Return-Path: .*example.com
/dev/null

# everything that is left is forwarded to root
:0
!root
EOF
This works with postfix, but I haven’t tried other MTAs.
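The Return-Path condition in the recipe can be checked against sample headers before relying on it. The script below is an added example, not part of the original post: it emulates the condition with grep -Ei (procmail conditions are case-insensitive egrep-style regexes matched against the header) over constructed messages. The STRICT pattern, the function names and the assumption that the MTA writes the header as `Return-Path: <user@domain>` are mine.

```shell
#!/bin/sh
# Added example: compare the recipe's pattern with an anchored one.

# Pattern as written in the .procmailrc above.
LOOSE='^Return-Path: .*example.com'
# Assumed stricter form: bracketed address, escaped dot, domain anchored
# at the closing ">" so only example.com and its subdomains qualify.
STRICT='^Return-Path: <[^@<>]+@([a-z0-9-]+\.)*example\.com>$'

# Keep only the header block (everything up to the first blank line),
# since the recipe is matched against headers, not the body.
headers() { sed '/^$/q'; }

# classify PATTERN: read a message on stdin and print what the recipe
# would do with it: "forward" (to root) or "discard" (/dev/null).
classify() {
    if headers | grep -Eiq -- "$1"; then
        echo forward
    else
        echo discard
    fi
}

# Build a constructed test message with the given Return-Path value.
msg() {
    printf 'Return-Path: %s\nTo: www-data@example.com\nSubject: test\n\nbody\n' "$1"
}

# verdict PATTERN RETURN_PATH
verdict() { msg "$2" | classify "$1"; }

# Constructed sender values: two local ones, then look-alikes.
for rp in '<www-data@example.com>' '<root@web1.example.com>' \
          '<x@example.com.invalid>' '<x@examplezcom.invalid>' \
          '<example.com@elsewhere.invalid>' '<x@elsewhere.invalid>'; do
    printf '%-34s loose=%-8s strict=%s\n' "$rp" \
        "$(verdict "$LOOSE" "$rp")" "$(verdict "$STRICT" "$rp")"
done
```

Both patterns forward the two local senders; only the original pattern also forwards the three look-alike values, because it neither escapes the dot nor anchors where the domain ends.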
Or you could just change the postfix configuration to only listen on localhost?
You could, but then you wouldn’t be able to receive any email on that domain.