Often, when setting up email on a server, you want to receive email from local processes (cron jobs, etc.) but don't want those accounts to be abused by spammers. For example, on Ubuntu systems you might have a cron job that runs as www-data that you want to get mail from, but you don't want spammers sending email to www-data@example.com. I just had a client ask me to fix this problem for them, so I thought I'd share the solution I came up with. Typically, the /etc/aliases file directs mail for all these extra accounts (www-data, nobody, etc.) to root, and you're expected to set up a forwarder for root (e.g. mah@example.com). Instead of directing mail for all these accounts to root, I created a locked-out account, localmail, and directed mail for those aliases to it instead. The only purpose of this account is to check that a message was generated locally before passing it on to the end recipient; anything that was not is discarded. No more Viagra spam for www-data@example.com! To set up the locked-out account:
# -m creates the home directory that the .forward and .procmailrc below live in
$ sudo /usr/sbin/useradd -m localmail
# lock the password and give the account no usable shell
$ sudo /usr/sbin/usermod -L -s /dev/null localmail
$ echo '"|exec /usr/bin/procmail"' | sudo -u localmail tee ~localmail/.forward
# cat, not echo: echo ignores its standard input, so "echo <<EOF" would write an empty file
$ cat <<'EOF' | sudo -u localmail tee ~localmail/.procmailrc
# Replace example.com with whatever domain locally generated email carries
# in its Return-Path. The test is anchored on the closing ">" so that
# look-alike domains such as example.com.spammer.invalid or notexample.com
# do not pass, while a host-qualified sender like root@mail.example.com does.
:0
* !^Return-Path: <.*(@|\.)example\.com>
/dev/null

# Anything that made it here carries a local Return-Path; hand it to root.
:0
!root
EOF
With the account in place, point the aliases for www-data, nobody and the rest in /etc/aliases at localmail rather than root, and run newaliases so the MTA picks up the change. This works with postfix, but I haven't tried other MTAs.

One caveat on what the filter actually checks: Return-Path is written by the MTA from the SMTP envelope sender, and a remote sender can put any address there. The recipe therefore stops the bulk of spam, which does not bother to claim your domain, but it is not a hard boundary against someone who deliberately forges an example.com envelope sender. If that matters, enforce it in the MTA itself (for Postfix, by restricting which recipients the SMTP listener will accept from the network) rather than with a header test in procmail.
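Before trusting the recipe with real mail, it is worth exercising the Return-Path condition against a few constructed messages and seeing why the pattern needs anchoring. The script below is an added example, not code from the original post: it emulates procmail's condition with grep -E (whose pattern dialect matches procmail's closely enough for these expressions; it is not a run of procmail itself), assumes the local domain is example.com as in the post, and compares the loose pattern `^Return-Path: .*example.com` with the tightened one on legitimate cron mail, host-qualified local mail, plain external spam and two look-alike domains. All five messages are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): exercise the Return-Path
# condition against constructed messages before trusting it with real mail.
# The test is emulated with grep -E, whose pattern dialect is close enough
# to procmail's for these expressions; this is not a run of procmail itself.
# The local domain example.com is assumed, as in the post.

# Pattern as written in the post's original .procmailrc: "example.com"
# anywhere in the header value, with unescaped dots.
LOOSE_PATTERN='^Return-Path: .*example.com'

# Tightened pattern: the address must end in @example.com or .example.com
# immediately before the closing ">", so look-alike domains do not match.
TIGHT_PATTERN='^Return-Path: <.*(@|\.)example\.com>'

# Constructed sample messages (headers, blank line, body).
MSG_CRON='Return-Path: <www-data@example.com>
Received: by host.example.com (Postfix, from userid 33)
From: www-data@example.com (Cron Daemon)
To: www-data@example.com
Subject: Cron <www-data@host> /usr/local/bin/nightly-report

report output here'

MSG_HOST='Return-Path: <root@mail.example.com>
From: root@mail.example.com
To: nobody@example.com
Subject: logwatch

summary here'

MSG_SPAM='Return-Path: <bounce-123@spammer.invalid>
From: offers@spammer.invalid
To: www-data@example.com
Subject: cheap pills

buy now'

MSG_LOOKALIKE='Return-Path: <bounce@example.com.spammer.invalid>
From: offers@example.com.spammer.invalid
To: www-data@example.com
Subject: cheap pills

buy now'

MSG_SUFFIX='Return-Path: <bounce@notexample.com>
From: offers@notexample.com
To: www-data@example.com
Subject: cheap pills

buy now'

# headers_of MSG: print the header block only (through the first blank
# line), which is the part of the message procmail conditions examine.
headers_of() {
    printf '%s\n' "$1" | sed '/^$/q'
}

# decide PATTERN MSG: print "forward" if the Return-Path matches PATTERN
# (the message would be handed to root) or "drop" if it would go to /dev/null.
decide() {
    if headers_of "$2" | grep -Eq "$1"; then
        echo forward
    else
        echo drop
    fi
}

# Show both patterns side by side on every sample.
for name in CRON HOST SPAM LOOKALIKE SUFFIX; do
    eval "msg=\$MSG_$name"
    printf '%-10s loose=%-8s tight=%s\n' "$name" \
        "$(decide "$LOOSE_PATTERN" "$msg")" "$(decide "$TIGHT_PATTERN" "$msg")"
done
```

The two legitimate messages pass under both patterns and the plain spam is dropped by both, but the loose pattern forwards the example.com.spammer.invalid and notexample.com messages to root while the anchored pattern drops them. When editing the domain in the real .procmailrc, keep the dots escaped and the closing `>` in place for the same reason.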