Jul. 28th, 2009

consultant

Server setup: forwarding only local email

Often, when setting up email on a server, you want to receive email from local processes (cron jobs, etc.) but don't want those email accounts to be abused by spammers.

For example, on Ubuntu systems you might have a cron job that runs as www-data that you want to get mail from, but you don't want spammers sending email to www-data@example.com. I just had a client ask me to fix this problem for them, so I thought I'd share the solution I came up with.

Typically, the /etc/aliases file directs mail for all these extra accounts (like www-data, nobody, etc.) to root, and you're expected to set up a forwarder for root (e.g. mah@example.com).

Instead of directing mail for all these accounts to root, I created a locked-out account. The only purpose of this account is to verify that only locally generated email is sent on to the end recipient. No more Viagra spam for www-data@example.com!

To set up the locked-out account:
$ sudo /usr/sbin/useradd -m localmail
  # -m creates the home directory that .forward and .procmailrc live in
$ sudo /usr/sbin/usermod -L -s /dev/null localmail
  # lock the password and leave the account with no usable login shell
$ echo '"|exec /usr/bin/procmail"' | sudo -u localmail tee ~localmail/.forward
  # hand every message delivered to localmail to procmail
$ cat <<'EOF' | sudo -u localmail tee ~localmail/.procmailrc
# replace example.com with whatever domain locally generated email has
# discard anything whose envelope sender is not from the local domain
# (no trailing colon: procmail cannot take a lock on /dev/null)
:0
* !^Return-Path: .*example.com
/dev/null

# everything that survived the test is forwarded on to root
# (no lock is needed for a forward either)
:0
!root
EOF

Then point the service accounts (www-data, nobody, etc.) at localmail in /etc/aliases instead of root and run newaliases.
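To see what the recipe's test actually decides, here is an added example (not from the original post) that reimplements the .procmailrc decision as a plain shell function and runs it over a few constructed messages, so the regex can be exercised without root, procmail or a running Postfix. It assumes example.com is the local domain. Beside the regex as written above it also tries an anchored variant with the dot escaped, because `.*example.com` is equally satisfied by an envelope sender such as offers@notexample.com. Either way the check rests on Return-Path, which is only the envelope sender the submitting client supplied, so it stops spam that does not bother to claim a local sender rather than proving local origin.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduces the decision the
# post's .procmailrc makes (forward to root, or discard) as a shell function,
# so the header regexes can be checked on constructed messages without root,
# procmail or Postfix. Assumes the local domain is example.com, as in the post.

# Print only the header block of a message read on stdin (everything up to
# the first blank line). procmail's conditions inspect the header by default,
# so a Return-Path-looking line in the body must not count.
headers_only() {
    sed '/^$/q'
}

# classify RULE < message   -> prints "forward" or "drop"
#   loose  : the regex as written in the post ("Return-Path: .*example.com")
#   strict : anchored to the bracketed address, with the dot escaped
classify() {
    case "$1" in
        loose)  pattern='^Return-Path: .*example.com' ;;
        strict) pattern='^Return-Path: <[^>]*@example\.com>[[:space:]]*$' ;;
        *)      echo "unknown rule: $1" >&2; return 2 ;;
    esac
    # procmail's "* !^Return-Path: ..." sends the message to /dev/null when
    # the pattern does not match, which includes a missing header entirely.
    if headers_only | grep -E -q "$pattern"; then
        echo forward
    else
        echo drop
    fi
}

# Constructed sample messages (not real mail).
sample_cron() {         # genuine local cron output
    printf 'Return-Path: <www-data@example.com>\nFrom: root (Cron Daemon)\nSubject: Cron <www-data@host> /usr/local/bin/job\n\njob finished\n'
}
sample_spam() {         # remote mail with an unrelated envelope sender
    printf 'Return-Path: <offers@mailer.invalid>\nSubject: cheap pills\n\nbuy now\n'
}
sample_lookalike() {    # envelope domain that merely contains the string
    printf 'Return-Path: <offers@notexample.com>\nSubject: cheap pills\n\nbuy now\n'
}
sample_bodytrick() {    # the local domain appears only in the body
    printf 'Return-Path: <offers@mailer.invalid>\nSubject: hi\n\nReturn-Path: <root@example.com>\n'
}
sample_noreturnpath() { # no envelope header at all
    printf 'Subject: hi\n\nhello\n'
}

# Run every sample through both rules and show the two decisions side by side.
for s in cron spam lookalike bodytrick noreturnpath; do
    printf '%-13s loose=%-8s strict=%s\n' "$s" \
        "$(sample_$s | classify loose)" "$(sample_$s | classify strict)"
done
```

The table it prints shows the one case where the two rules disagree: the look-alike domain is forwarded by the loose pattern and dropped by the strict one, while a genuine cron message passes both and a message with no Return-Path at all is dropped by both, exactly as the `!` condition in the recipe intends.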

This works with Postfix, but I haven't tried other MTAs.