So I just learned something I don’t like about Postfix: its default configuration accepts email for local system accounts, even when virtual domains and aliases are defined. How many people actually send Unix-to-Unix email these days using just usernames and/or users at IP addresses? Outside of academia, probably next to none.
I happened across a Plesk-based server running Postfix that was having a serious disk space issue. Turns out all the space was consumed by mbox-format mail spool files in /var/spool/mail/ that were being filled with spam, resulting from spammers sending emails to username@[IP_Address] with various IP addresses on the server. The system usernames (i.e. website FTP/SSH users) on this server were generic enough that the spammers were able to successfully guess a number of them, began sending email, and those emails just built up indefinitely since no one’s actually logging in as any of those users to read email.
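A quick way to spot the symptom described above is to walk the spool directory and count, per mailbox, how many messages were delivered to a bracketed IP-literal domain. The script below is an added example, not code from the original post; it writes a constructed mbox spool to a temporary directory (all user names and 192.0.2.x addresses are made up) and audits it with the standard library's mailbox module.

```python
"""Find mail spools that are filling up with mail addressed to user@[IP].

Added example, not code from the original post. It writes a constructed
/var/spool/mail-style directory of mbox files to a temporary location, then
reports per mailbox the size, the message count, and how many messages were
delivered to an IP-literal domain such as ftpuser1@[192.0.2.10].
"""
import mailbox
import os
import re
import tempfile

# An address whose domain is a bracketed IPv4 literal, e.g. bob@[192.0.2.10].
IP_LITERAL_RE = re.compile(r"@\[\d{1,3}(?:\.\d{1,3}){3}\]")

# Recipient headers that end up on a locally delivered message.
RECIPIENT_HEADERS = ("To", "Delivered-To", "X-Original-To")


def audit_spool(spool_dir):
    """Return {mbox_name: (size_bytes, total_msgs, ip_literal_msgs)}."""
    report = {}
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if not os.path.isfile(path):
            continue
        box = mailbox.mbox(path, create=False)
        total = ip_literal = 0
        for msg in box:
            total += 1
            values = []
            for hdr in RECIPIENT_HEADERS:
                values.extend(msg.get_all(hdr, []))
            if IP_LITERAL_RE.search(" ".join(values)):
                ip_literal += 1
        box.close()
        report[name] = (os.path.getsize(path), total, ip_literal)
    return report


def suspect_mailboxes(report, threshold=0.9):
    """Names of mailboxes where at least `threshold` of the messages went to user@[IP]."""
    return sorted(name for name, (_, total, ip_lit) in report.items()
                  if total and ip_lit / total >= threshold)


def build_sample_spool():
    """Write a constructed spool directory with two mboxes and return its path."""
    spool = tempfile.mkdtemp(prefix="spool-")

    def write_mbox(user, messages):
        with open(os.path.join(spool, user), "w") as fh:
            for rcpt, body in messages:
                fh.write("From sender@example.net Mon Jan  1 00:00:00 2024\n")
                fh.write(f"To: {rcpt}\nDelivered-To: {rcpt}\nSubject: test\n\n{body}\n\n")

    # A generic FTP account nobody reads mail for: every message is user@[IP].
    write_mbox("ftpuser1", [("ftpuser1@[192.0.2.10]", "spam"),
                            ("ftpuser1@[192.0.2.11]", "spam"),
                            ("ftpuser1@[192.0.2.10]", "spam")])
    # root gets legitimate cron output plus one user@[IP] message.
    write_mbox("root", [("root@localhost", "cron output"),
                        ("root@[192.0.2.10]", "spam")])
    return spool


if __name__ == "__main__":
    spool = build_sample_spool()
    report = audit_spool(spool)
    for name, (size, total, ip_lit) in report.items():
        print(f"{name:10s} {size:7d} bytes  {total:3d} msgs  {ip_lit:3d} to user@[IP]")
    print("suspect:", suspect_mailboxes(report))
```

Run against the real /var/spool/mail/ directory (as root) by passing that path to audit_spool; mailboxes where almost every message went to user@[IP] are the ones filling the disk for accounts nobody reads.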
There is no way to turn this functionality off. Additionally, this functionality being enabled may cause you to fail PCI scans because it allows a remote attacker to enumerate local users.
It happens because of the default value of the local_recipient_maps configuration parameter; leaving it unset is the same as having set the following in your /etc/postfix/main.cf:
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
This causes Postfix to accept incoming messages addressed to any valid username on the local system if the domain (the part after the @) matches data in any of the following parameters:
- $mydestination (which on Plesk defaults to localhost.$mydomain, localhost, localhost.localdomain)
- IP addresses in $inet_interfaces
- IP addresses in $proxy_interfaces
So this means that if a remote attacker knows any IP address on your system (which of course they do, or they wouldn’t be able to connect to it to begin with), they can start sending test emails to username@[IP] to see what Postfix says.
I thought perhaps I could just set local_recipient_maps = <nothing> to disable that functionality, but that had a different effect. Setting it like that tells Postfix to accept any email and then just bounce it back if it’s undeliverable to a local recipient.
Finally I found a solution. Add the following line to your /etc/postfix/main.cf:
local_recipient_maps = hash:/etc/postfix/localmap
Then run:
cd /etc/postfix/
touch localmap
postmap hash:localmap
That will build what is effectively an empty set of ‘valid’ local recipients, so now any incoming email to user@[IP] will be rejected, while you’ll continue to receive email like normal for your Plesk-defined virtual domains. Just in case you’re concerned about where those are set up before you follow my instructions: they live in /var/spool/postfix/plesk/, in three parts:
- All domains; reveal them by running: postmap -s /var/spool/postfix/plesk/virtual_domains
- All valid email addresses (including aliases that you set up and that Plesk sets up for you); reveal them by running: postmap -s /var/spool/postfix/plesk/virtual
- All actual email accounts with mailboxes; reveal them by running: postmap -s /var/spool/postfix/plesk/vmailbox
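To make the two-step decision above concrete (is the domain local, and if so is the local part in local_recipient_maps), here is a small model of it that compares the default configuration with the empty-hash-map fix. This is an added example, not Postfix's own code and not from the original post: the main.cf fragments, system users, aliases and 192.0.2.x addresses are constructed, only the local_recipient_maps default string is Postfix's documented default, and keys are matched on the local part alone, which is a simplification of Postfix's table lookups.

```python
"""Model of how Postfix decides whether user@domain is a valid local recipient.

Added example, not Postfix's own code and not from the original post. It
reproduces the two-step decision the post describes: (1) is the domain
local (listed in $mydestination, or an IP literal found in $inet_interfaces
or $proxy_interfaces); (2) if so, is the local part found in
$local_recipient_maps. All configs, users, aliases and IPs are constructed.
"""
import re

IP_LITERAL_RE = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\]$")
DEFAULT_LOCAL_RECIPIENT_MAPS = "proxy:unix:passwd.byname $alias_maps"  # Postfix's documented default


def parse_main_cf(text):
    """Parse 'name = value' lines into a dict; comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        cfg[name.strip()] = value.strip()
    return cfg


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def domain_is_local(cfg, domain):
    """Step 1: is `domain` one of the domains Postfix delivers locally?

    Simplification: inet_interfaces is taken as an explicit address list; a
    real 'inet_interfaces = all' would match every address the host owns.
    """
    mydest = cfg.get("mydestination", "").replace("$mydomain", cfg.get("mydomain", ""))
    if domain.lower() in {d.lower() for d in split_list(mydest)}:
        return True
    match = IP_LITERAL_RE.match(domain)
    if match:
        addresses = split_list(cfg.get("inet_interfaces", "")) + split_list(cfg.get("proxy_interfaces", ""))
        return match.group(1) in addresses
    return False


def recipient_decision(cfg, recipient, system_users, aliases, hash_maps=None):
    """Step 2: return 'accept', 'reject' or 'not-local' for one RCPT TO address.

    system_users stands in for proxy:unix:passwd.byname, aliases for
    $alias_maps, and hash_maps is {path: set_of_keys} for any hash: table.
    """
    local_part, _, domain = recipient.rpartition("@")
    if not domain_is_local(cfg, domain):
        return "not-local"  # virtual/relay domain rules apply instead
    maps = cfg.get("local_recipient_maps", DEFAULT_LOCAL_RECIPIENT_MAPS).strip()
    if not maps:
        return "accept"  # empty setting: accept everything now, bounce later (the post's first attempt)
    valid = set()
    for table in maps.split():
        if table == "proxy:unix:passwd.byname":
            valid |= set(system_users)
        elif table == "$alias_maps":
            valid |= set(aliases)
        elif table.startswith("hash:"):
            valid |= (hash_maps or {}).get(table[len("hash:"):], set())
    return "accept" if local_part in valid else "reject"


# Constructed Plesk-like main.cf; 192.0.2.0/24 is the documentation address range.
DEFAULT_CF = """
mydomain = example.com
mydestination = localhost.$mydomain, localhost, localhost.localdomain
inet_interfaces = 127.0.0.1, 192.0.2.10, 192.0.2.11
proxy_interfaces =
"""
FIXED_CF = DEFAULT_CF + "local_recipient_maps = hash:/etc/postfix/localmap\n"

SYSTEM_USERS = {"root", "ftpuser1", "www-data"}   # constructed passwd entries
ALIASES = {"postmaster", "abuse"}                   # constructed /etc/aliases keys
EMPTY_LOCALMAP = {"/etc/postfix/localmap": set()}   # what 'touch localmap; postmap hash:localmap' yields

TEST_RECIPIENTS = ("ftpuser1@[192.0.2.10]", "nosuch@[192.0.2.10]",
                   "root@localhost", "sales@example.com")


def compare_configs():
    """Decisions for each test recipient under the default and the fixed config."""
    results = {}
    for label, text in (("default", DEFAULT_CF), ("fixed", FIXED_CF)):
        cfg = parse_main_cf(text)
        for rcpt in TEST_RECIPIENTS:
            results[(label, rcpt)] = recipient_decision(cfg, rcpt, SYSTEM_USERS, ALIASES, EMPTY_LOCALMAP)
    return results


if __name__ == "__main__":
    for (label, rcpt), decision in compare_configs().items():
        print(f"{label:8s} {rcpt:25s} -> {decision}")
```

Under the default config the model accepts ftpuser1@[192.0.2.10] but rejects nosuch@[192.0.2.10], and that difference in the server's response is what lets a scanner tell real accounts from guessed ones; with the empty hash map both get the same rejection. Note that root@localhost flips to "reject" as well: if the host relies on local system mail (cron output to root, for instance), add those names to localmap in key/value form (a line such as `root root`; the value is ignored for this parameter) before running postmap, because the keys in that file are now the only local parts Postfix will accept.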