Prevent local delivery for unix accounts


Prevent local delivery for unix accounts

Msd
Hello,

Is it possible to prevent local delivery for unix accounts below 1000
(system accounts)?

I have read http://www.postfix.org/LOCAL_RECIPIENT_README.html and
http://www.postfix.org/postconf.5.html#local_recipient_maps without success.

My problem is that spammers try to deliver mails to system accounts
like "www-data" with a usurped sender envelope and postfix bounces to
the usurped address: the mailbox directory cannot be created.

Regards,


Msd

Re: Prevent local delivery for unix accounts

Benny Pedersen-2
Msd wrote on 2017-09-14 17:52:

> Is it possible to prevent local delivery for unix accounts below 1000
> (system accounts)?

yes, remove non-desired system accounts from local_recipient_maps, or
remove public domains from mydestination, if you still want some public
domains to receive mail to system accounts use virtual_alias_maps to
system account mailbox

> My problem is that spammers try to deliver mails to system accounts
> like "www-data" with a usurped sender envelope and postfix bounces to
> the usurped address: the mailbox directory cannot be created.

why do you possibly accept non-FQDN emails?

are you sure it's not localhost IP as sender?

logs

Re: Prevent local delivery for unix accounts

Matthew McGehrin
In reply to this post by Msd
Just have your /etc/aliases default to /dev/null for system accounts.

MAILER-DAEMON:  /dev/null
postmaster:     /dev/null
hostmaster:     /dev/null
www:            /dev/null
nobody:         /dev/null
info:           /dev/null
spam-trap:      /dev/null
uucp:           /dev/null
postfix:        /dev/null

-- Matthew


Msd wrote:
> Hello,
> Is it possible to prevent local delivery for unix accounts below 1000
> (system accounts)?
> I have read http://www.postfix.org/LOCAL_RECIPIENT_README.html and
> http://www.postfix.org/postconf.5.html#local_recipient_maps without
> success.
>
>
Msd

Re: Prevent local delivery for unix accounts

Msd
In reply to this post by Benny Pedersen-2
On 14/09/2017 at 18:08, Benny Pedersen wrote:

 > remove non desired system accounts from local_recipient_maps

My local_recipient_maps has the default value:
"proxy:unix:passwd.byname $alias_maps".
http://www.postfix.org/postconf.5.html#local_recipient_maps

And I don't really want to create a "normal user" whitelist or a "system
user" blacklist because the list will probably change if I install new
software or create a new user.

 > remove public domains from mydestination

I need to receive emails for my users with emails like
"user@mydestination" but not like "system_account@mydestination".

 > why do you possible accept non fqdn emails ?

I think not, why do you say that?

 > are you sure its not localhost ip as sender ?
 > logs

Sep 14 17:52:16 XXXXXX postfix/smtpd[1906]: XXXXXXXXXX:
client=unknown[211.161.XX.XX]
Sep 14 17:52:18 XXXXXX postfix/cleanup[1908]: XXXXXXXXXX:
message-id=<[hidden email]>
Sep 14 17:52:31 XXXXXX postfix/qmgr[952]: XXXXXXXXXX:
from=<[hidden email]>, size=128893, nrcpt=1 (queue active)
Sep 14 17:52:31 XXXXXX postfix/local[1909]: XXXXXXXXXX:
to=<www-data@MYDESTINATION>, relay=local, delay=16, delays=16/0/0/0,
dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file
/var/www/Maildir/tmp/XXXXXXXXXXXXXXXXXXXX: Permission denied)
Sep 14 17:52:31 XXXXXX postfix/bounce[1910]: XXXXXXXXXX: sender
non-delivery notification: YYYYYYYYYY
Sep 14 17:52:31 XXXXXX postfix/qmgr[952]: XXXXXXXXXX: removed

Sep 14 17:52:31 XXXXXX postfix/cleanup[1908]: YYYYYYYYYY:
message-id=<20170914155231.YYYYYYYYYY@MYDESTINATION>
Sep 14 17:52:31 XXXXXX postfix/qmgr[952]: YYYYYYYYYY: from=<>,
size=2507, nrcpt=1 (queue active)
Sep 14 17:52:31 XXXXXX postfix/smtp[1913]: YYYYYYYYYY: host
mx1.free.fr[212.27.48.7] said: 451 too many errors detected from your IP
(X.X.X.X), please visit http://postmaster.free.fr/ (in reply to DATA
command)
Sep 14 17:52:31 XXXXXX postfix/smtp[1913]: YYYYYYYYYY:
to=<[hidden email]>, relay=mx1.free.fr[212.27.48.6]:25, delay=0.2,
delays=0/0/0.19/0, dsn=4.0.0, status=deferred (host
mx1.free.fr[212.27.48.6] said: 451 too many errors detected from your IP
(X.X.X.X), please visit http://postmaster.free.fr/ (in reply to DATA
command))


Is it possible to prevent local delivery for unix system accounts (id
below 1000)?


Msd

Re: Prevent local delivery for unix accounts

Ralph Seichter
On 14.09.2017 18:59, Msd wrote:

> I don't really want to create a "normal user" whitelist or a "system
> user" blacklist because the list will probably change if I install a
> new software or I create a new user.

Well, that's the nature of things, given that you wrote you don't want
to accept mail for all accounts. Either you maintain a list of addresses
for which you are willing to accept mail (recommended), or a list of
addresses for which you want to reject mail. You need one or the other.

One method would be to generate a whitelist by parsing your /etc/passwd,
including only entries with UIDs >= 1000. A simple script can do that.

> Is it possible to prevent local delivery for unix system accounts (id
> below 1000) ?

It is better to not accept mail for these accounts to begin with than
trying to prevent local delivery after having accepted mail.

-Ralph

Re: Prevent local delivery for unix accounts

Benny Pedersen-2
In reply to this post by Matthew McGehrin
Matthew McGehrin wrote on 2017-09-14 18:57:
> Just have your /etc/aliases default to /dev/null for system accounts.

this is a completely incorrect way of solving it

> MAILER-DAEMON:  /dev/null
> postmaster:     /dev/null
> hostmaster:     /dev/null
> www:            /dev/null
> nobody:         /dev/null
> info:           /dev/null
> spam-trap:      /dev/null
> uucp:           /dev/null
> postfix:        /dev/null

correct way is to comment users in this file, not polite but at least if
you do not want to receive mails to them it should not be converted to a
dropbox mode

perfect way is to define what users should receive emails in
local_recipient_maps, the default allows all system users, this can be
changed to who wants it

Re: Prevent local delivery for unix accounts

Benny Pedersen-2
In reply to this post by Msd
Msd wrote on 2017-09-14 18:59:
>> remove non desired system accounts from local_recipient_maps
>
> My local_recipient_maps has the default value :
> "proxy:unix:passwd.byname $alias_maps".
> http://www.postfix.org/postconf.5.html#local_recipient_maps

this line accepts all system users, and all aliases, if you want to limit
who to allow, change the content of that map

touch /etc/postfix/local_user_map

add to this file all system users that like to get mail

and use this as replacement for system default maps, problem solved

maybe more simple to make virtual_Alias, and virtual_domain have a list
of system users wanting mails if you as i suggested remove all public
domain names from mydestination ?

i just say it :=)
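
Added example, not part of any post in this thread: one way to write the "simple script" Ralph Seichter mentions and to fill the /etc/postfix/local_user_map file Benny Pedersen describes. The function name, the sample accounts, the upper UID bound of 60000 and the hash: table type are assumptions.

```shell
#!/bin/sh
# Added example: build a Postfix local_recipient_maps table from passwd data.
# UID_MIN=1000 comes from the thread; UID_MAX=60000 is an assumption that
# keeps "nobody" (UID 65534) out of the list.

# gen_local_user_map PASSWD_FILE [UID_MIN] [UID_MAX]   ("-" reads stdin)
# Prints one "login OK" line per regular account. Postfix only checks that
# the key exists in local_recipient_maps; the value is ignored.
gen_local_user_map() {
    awk -F: -v min="${2:-1000}" -v max="${3:-60000}" '
        /^[ \t]*(#|$)/    { next }   # comments and blank lines
        NF < 7            { next }   # malformed entries
        $1 ~ /^[+-]/      { next }   # NIS compat entries
        $3 !~ /^[0-9]+$/  { next }   # non-numeric UID
        ($3 + 0) >= min && ($3 + 0) <= max { print $1 " OK" }
    ' "$1" | sort -u
}

# Constructed sample input (not taken from the poster's server).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postfix:x:107:113::/var/spool/postfix:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

# Demo on the constructed sample: prints "alice OK" and "bob OK".
sample_passwd | gen_local_user_map -

# Deployment sketch (run as root, e.g. from cron; not executed here):
#   getent passwd | gen_local_user_map - > /etc/postfix/local_user_map
#   postmap /etc/postfix/local_user_map
#   postconf -e 'local_recipient_maps = hash:/etc/postfix/local_user_map $alias_maps'
#   postfix reload
```

With this table in place of proxy:unix:passwd.byname, a recipient such as www-data that is in neither the table nor $alias_maps is rejected during the SMTP session, so no bounce is sent to the forged sender. Regenerating the table on a schedule answers the concern that the account list changes over time.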

Re: Prevent local delivery for unix accounts

Phil Stracchino
In reply to this post by Msd
On 09/14/17 11:52, Msd wrote:

> Hello,
>
> Is it possible to prevent local delivery for unix accounts below 1000
> (system accounts)?
>
> I have read http://www.postfix.org/LOCAL_RECIPIENT_README.html and
> http://www.postfix.org/postconf.5.html#local_recipient_maps without success.
>
> My problem is that spammers try to deliver mails to system accounts
> like "www-data" with a usurped sender envelope and postfix bounces to
> the usurped address: the mailbox directory cannot be created.


I have an /etc/postfix/recipient_access file that looks like this:

babcom.com 554 Bad spammer!  You didn't use the MX record!
@babcom.com 554 Bad spammer!  You didn't use the MX record!
[hidden email] 554 This user does not accept mail
[hidden email] 554 This user does not accept mail
[hidden email] 554 This user does not accept mail
[hidden email] 554 This user does not accept mail
...


However, although I know I *USED* to use this to deny mail to system
users, there is no longer any configuration rule in my main.cf to invoke
it, and I don't remember what it was.  I'm guessing I used to have it in
smtpd_recipient_restrictions.  Why it's no longer there, I have no idea.
 Perhaps at some point I simply *accidentally deleted* the rule.

Anyone care to weigh in?



--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: Prevent local delivery for unix accounts

Phil Stracchino
On 09/14/17 22:06, Phil Stracchino wrote:

> On 09/14/17 11:52, Msd wrote:
>> Hello,
>>
>> Is it possible to prevent local delivery for unix accounts below 1000
>> (system accounts)?
>>
>> I have read http://www.postfix.org/LOCAL_RECIPIENT_README.html and
>> http://www.postfix.org/postconf.5.html#local_recipient_maps without success.
>>
>> My problem is that spammers try to deliver mails to system accounts
>> like "www-data" with a usurped sender envelope and postfix bounces to
>> the usurped address: the mailbox directory cannot be created.
>
>
> I have an /etc/postfix/recipient_access file that looks like this:
>
> babcom.com 554 Bad spammer!  You didn't use the MX record!
> @babcom.com 554 Bad spammer!  You didn't use the MX record!
> [hidden email] 554 This user does not accept mail
> [hidden email] 554 This user does not accept mail
> [hidden email] 554 This user does not accept mail
> [hidden email] 554 This user does not accept mail
> ...
>
>
> However, although I know I *USED* to use this to deny mail to system
> users, there is no longer any configuration rule in my main.cf to invoke
> it, and I don't remember what it was.  I'm guessing I used to have it in
> smtpd_recipient_restrictions.  Why it's no longer there, I have no idea.
>  Perhaps at some point I simply *accidentally deleted* the rule.


And looking at it again when I'm more awake, it is of course:


smtpd_recipient_restrictions = ...
    ...
    check_recipient_access [hashtype]:/etc/postfix/recipient_access


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958