[CentOS] restrict postfix to only certain users getting incoming mail [solved?]

Tue Mar 6 07:43:47 UTC 2012
Bob Hoffman <bob at bobhoffman.com>

Micolas Kowalski wrote
/Tue Mar 6 01:39:49 EST 2012


On Mon, Mar 05, 2012 at 11:50:21PM -0500, Bob Hoffman wrote:
>/  What I would like is to just tell postfix to only allow incoming mail
/>/  for user1 and user2 and reject all...but only from external sources, not
/>/  locally sent mail.
You may use local_recipient_maps. On my home server, I have this in the
postfix main.cf file:

mydestination = $myhostname, localhost
local_recipient_maps = hash:/etc/postfix/local_recipients, $alias_maps

/etc/postfix/local_recipients contains the list of the users allowed to
get mail from the external, one by line:

user1	OK
user2	OK

Fill it with the values needed, then run "postmap /etc/postfix/local_recipients",
and reload/restart postfix.

For anyone reading and wanting to know, this is for centos 6, stock install
of postfix. This appears to be the winning solution.

I was looking at that but could not see how to make it work. However, I think with your note
on local_rec I had a working example to play with.

My server is internet facing so this example had to be modified.
I will be testing for a few days, but here is what I did, and it seems to work.

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
(I had to add all 4 or mail had issues or were completely rebuffed)

added two users,
user1 OK
user2 OK
(have to put something after each user..a space then 'something'. Postfix ignores the right side.)

Adding @domain caused all to be rejected or all to be allowed, depending on the things I tried.
putting just the local user down without the @ worked good.

postmap /etc/postfix/myusers
service postfix restart

Here is the thing that made it work...getting rid of $alias_maps in the
local_recipient_maps = hash:/etc/postfix/myusers, $alias_maps

by adding alias_maps, it will accept anything listed in there, which includes all the
unix users like apache, root, etc.

ran newaliases....

seems to work.


Seems like all incoming mail bounce correctly, adding 'unknown user'.
I was able to command line from my root account, sending a mail to my root account
and received it.

I thought the local maps file was needed as is to allow proper authentication to send/receive mail
obviously not...

perfect solution so far Nicolas

Now my question is.... why is the default to allow all these mails?