Server setup: forwarding only local email

Often, when setting up email on a server, you want to receive email from local processes (cron jobs, etc.) but don’t want the local accounts to be abused by spammers. For example, on Ubuntu systems you might have a cron job that runs as www-data that you want to get mail from, but you don’t want spammers sending email to www-data@example.com. I just had a client ask me to fix this problem for them, so I thought I’d share the solution I came up with.

Typically, the /etc/aliases file directs mail for all these extra accounts (like www-data, nobody, etc.) to root, and you’re expected to set up a forwarder for root (e.g. mah@example.com). Instead of directing mail for all these accounts to root, I created a locked-out account. The only purpose of this account is to verify that only locally generated email is sent on to the end recipient. No more Viagra spam for www-data@example.com! To set up the locked-out account:

# -m creates the home directory that .forward and .procmailrc will live in
$ sudo /usr/sbin/useradd -m localmail
# lock the password and give the account no usable shell
$ sudo /usr/sbin/usermod -L -s /dev/null localmail
# hand every message for localmail to procmail (the quotes are part of .forward syntax)
$ echo '"|exec /usr/bin/procmail"' | sudo -u localmail tee ~localmail/.forward
$ cat <<EOF | sudo -u localmail tee ~localmail/.procmailrc
# replace example.com with whatever domain locally generated email has
:0:
* !^Return-Path: .*example.com
/dev/null

:0:
!root
EOF
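To see what the two procmail recipes above actually decide, here is an added example (not part of the original post) that emulates the .procmailrc logic in Python over two constructed messages, one from a local cron job and one from an outside sender; the headers and host names are invented for the example.

```python
import re

# Constructed sample messages standing in for what postfix hands to procmail.
# example.com is the local domain; everything else here is made up.
LOCAL_CRON_MAIL = (
    "Return-Path: <www-data@example.com>\n"
    "Received: by host.example.com (Postfix, from userid 33)\n"
    "From: root@example.com (Cron Daemon)\n"
    "To: www-data@example.com\n"
    "Subject: Cron <www-data@host> /usr/bin/php /var/www/cleanup.php\n"
    "\n"
    "cleanup finished\n"
)
EXTERNAL_SPAM = (
    "Return-Path: <deals@spammer.invalid>\n"
    "Received: from mx.spammer.invalid by host.example.com (Postfix)\n"
    "From: deals@spammer.invalid\n"
    "To: www-data@example.com\n"
    "Subject: cheap pills\n"
    "\n"
    "buy now\n"
)


def header_lines(raw):
    """Return the header lines of a message (everything before the first blank line)."""
    return raw.split("\n\n", 1)[0].split("\n")


def procmail_destination(raw, local_domain="example.com"):
    """Emulate the .procmailrc: '/dev/null' when no Return-Path header mentions
    the local domain (first recipe), otherwise 'root' (the '!root' forward)."""
    # procmail header conditions are case-insensitive and '^' anchors at the
    # start of a header line.  The domain is inserted unescaped, exactly as in
    # the recipe, so its '.' is a regex wildcard there too.
    condition = re.compile(r"^Return-Path: .*" + local_domain, re.IGNORECASE)
    matched = any(condition.search(line) for line in header_lines(raw))
    return "root" if matched else "/dev/null"


if __name__ == "__main__":
    for name, msg in (("local cron", LOCAL_CRON_MAIL), ("external", EXTERNAL_SPAM)):
        print(f"{name}: {procmail_destination(msg)}")
```

Because the rule looks only at Return-Path, which postfix fills in from the envelope sender, a remote message whose envelope sender claims the local domain is forwarded just like local mail; the test below checks that case as well.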

This works with postfix, but I haven’t tried other MTAs.