[CentOS] restrict postfix to only certain users getting incoming mail

Tue Mar 6 05:30:04 UTC 2012
Bob Hoffman <bob at bobhoffman.com>

John Pierce wrote:

>>> On 03/05/12 8:50 PM, Bob Hoffman wrote:
>>>> I have 2 books on postfix here and spent many days online but I do not
>>>> see the solution short of /dev/null or reject of all mail, local or
>>>> external, of root.
> shouldn't be hard to cook up a procmail recipe for that.

I was working on that. However, when the local mail is sent to a local recipient, postfix gets it first
and appends the domain name on it... so it is going to 'root at example.com' instead of root at localhost.
So that failed for me.

The source emails seem to have this (or something like it) when root sends a mail
(Postfix, from userid 0)
And that could be good...for root to root.

I was thinking maybe a script that looks for 'from userid' but not a number. I get the inkling
that local mail sending has that.

However, for postfix to be that completely wide open as a mail server is about enough to
send me back to sendmail which never had such issues.

Seems odd that postfix itself has no mechanism to prevent mail to any user listed in the
alias or passwd file. And no way to prevent root from being spammed to high heaven.

/dev/null-ing root seems to kill security even more since you cannot get important information
should a service freak out.

Gonna try playing with procmail on this, but just about ready to uninstall postfix and go back to sendmail.

Everyone kept hooting up postfix as easier than sendmail and good too...however this one issue
makes it light years behind sendmail for me.

Strange that postfix can very easily be made to only allow certain users to send mail out of the box
but forcibly allows any user in the system to get mail sent to it... with no way to stop it.

If I come up with a solution that works, will post.
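
The header check floated in the message above (looking for Postfix's `from userid` marker), written out as an added example that is not part of the original post. It assumes a delivery-time filter that receives the full message; the function names are hypothetical and the sample messages are constructed.

```python
import re
from email import message_from_string

# Marker Postfix writes for locally submitted mail, e.g.
# "by host.example.com (Postfix, from userid 0)".
LOCAL_MARK = re.compile(r"by\s+\S+\s+\(Postfix, from userid (\d+)\)")

def local_sender_uid(raw_message):  # hypothetical helper name
    """Return the submitting uid if the newest Received header carries the
    local-submission marker, otherwise None."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    # Only the topmost Received header was written by this host. Lower
    # ones arrive with the message and can be supplied by the sender.
    newest = " ".join(received[0].split())  # unfold continuation lines
    match = LOCAL_MARK.match(newest)        # anchored at start of header
    return int(match.group(1)) if match else None

def accept_for_root(raw_message, allowed_uids=frozenset({0})):
    """Policy sketch: keep mail to root only when a permitted local uid sent it."""
    return local_sender_uid(raw_message) in allowed_uids

# Constructed sample messages (not taken from a real system).
LOCAL_ROOT = (
    "Received: by host.example.com (Postfix, from userid 0)\n"
    "\tid 1A2B3C4D5E; Tue,  6 Mar 2012 05:00:01 +0000 (UTC)\n"
    "From: root@example.com\nTo: root@example.com\n"
    "Subject: Cron output\n\ndisk check ok\n"
)
LOCAL_USER = LOCAL_ROOT.replace("userid 0", "userid 1000")
# Remote delivery carrying a sender-supplied copy of the marker lower down.
REMOTE_FORGED = (
    "Received: from mail.remote.example (mail.remote.example [192.0.2.10])\n"
    "\tby host.example.com (Postfix) with ESMTP id 9F8E7D6C5B\n"
    "\tfor <root@example.com>; Tue,  6 Mar 2012 05:10:00 +0000 (UTC)\n"
    "Received: by host.example.com (Postfix, from userid 0)\n"
    "\tid 0000000001; Tue,  6 Mar 2012 05:09:00 +0000 (UTC)\n"
    "From: someone@remote.example\nTo: root@example.com\n"
    "Subject: hello\n\nunsolicited text\n"
)

if __name__ == "__main__":
    for name, raw in [("local root", LOCAL_ROOT), ("local user", LOCAL_USER),
                      ("remote forged", REMOTE_FORGED)]:
        print(name, local_sender_uid(raw), accept_for_root(raw))
```

Matching the marker anywhere in the message, rather than only in the topmost `Received:` header, would let the third sample through.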