spam to aliases and system accounts

To: Debian User <debian-user@lists.debian.org>
Subject: spam to aliases and system accounts
From: Jonathan de Boyne Pollard <j.deboynepollard-newsgroups@ntlworld.com>
Date: Sat, 22 Apr 2017 17:48:21 +0100 (BST)
Message-id: <[🔎] 104679089.187728.1492879701339.JavaMail.open-xchange@oxbe4.tb.ukmail.iss.as9143.net>
Reply-to: Jonathan de Boyne Pollard <j.deboynepollard-newsgroups@ntlworld.com>

Daniel Pocock:
> Do any of the mailers (postfix, exim, etc) provide a convenient way 
> to exclude delivery to system accounts by default, or to exclude 
> these aliases and accounts from receiving mail from external senders? 
> Could anybody share examples of how they do it or pointers to 
> any blogs or wikis with examples? 

The qmail convention of long standing is that an account does not receive mail
in a local mailbox of its own (be that a Maildir in its home directory or an
mboxrd file in /var/spool/mail) if (a) it has UID zero, (b) it has a
non-existent or inaccessible home directory, (c) the account is not the owner of
the home directory, or (d) the account has uppercase letters in its name.

* https://manpages.debian.org/jessie/qmail/qmail-getpw.8.en.html

* http://www.lifewithqmail.org/lwq.html#gotchasexim

So, for examples: mail to games@example.com will not be delivered into a mailbox
for the games user because that account is not the owner of /usr/games , its
home directory.  mail to saned@example.com or usbmux@example.com will not be
delivered into a mailbox for the saned or usbmux users because their home
directories, /home/saned and /home/usbmux, do not (normally) exist.

So this is mostly not a packaging problem, and far more a question of whether
your chosen mail system employs a similar convention to that of qmail.  One
could in theory configure exim4 to do the same, but that is not the case in
Debian, where exim4 is merely configured to treat an account as a real person
only unless the account name is the string "root".  Similarly, postfix on Debian
is configured to use the aliases mechanism to filter out rôle accounts, but the
supplied default aliases file in Debian includes almost none of the rôle
accounts employed by Debian packages.

*
https://sources.debian.net/src/exim4/4.89-2/debian/debconf/conf.d/router/900_exim4-config_local_user/

* https://sources.debian.net/src/postfix/3.1.4-4/conf/aliases/

It is to *some* extent a packaging problem inasmuch as some of the rôle user
accounts that some softwares employ are created with seemingly valid home
directories that exist and that they fully own.  The possibly worst offences
here are where people have decided to re-use service runtime directories in /run
as account home directories, given that (with ~/Mailbox or ~/Maildir/ delivery)
this will result in the rôle accounts' junk mail being delivered to a mailbox in
/run .  The avahi account has /var/run/avahi-daemon as its home directory, which
it owns.  Similarly, the irc account has /var/run/ircd as its home directory,
which it owns.  (The hplip account has /var/run/hplip,  and messagebus has
/var/run/dbus; but they do not own those directories.)  Because of this, avahi
and irc satisfy the conventional qmail criteria for being real people user
accounts to whose mailboxes mail should be delivered.

Reply to:

Prev by Date: Re: Possibly erroneous "device not present" message during boot
Next by Date: Re: Possibly erroneous "device not present" message during boot
Previous by thread: Re: spam to aliases and system accounts
Next by thread: (OT) Phishing with Unicode Domains
Index(es):
- Date
- Thread