Securing Postfix on a shared Webserver

I operate a webserver for shared webspace accounts. I'm not responsible for the content hosted on the webspace, only for the server itself. Many people like to host WordPress or Joomla on this server, and both are well known for a long list of vulnerabilities. I run a local Postfix to send my cron mails, but I don't want PHP scripts to abuse it for sending spam. You can instruct Postfix to accept mail submitted via sendmail/mail only from certain users (root in my case). First, create a file that lists every system user who is allowed to send mail:
# cat /etc/postfix/AllowedSystemUsers
root OK

Then tell Postfix to honor this file:

 echo 'authorized_submit_users = hash:/etc/postfix/AllowedSystemUsers' >> /etc/postfix/

Last step: create the hash map and reload Postfix to activate the changes:

postmap /etc/postfix/AllowedSystemUsers
systemctl reload postfix.service

You can add more users to the file if you want, but keep in mind that you have to run the postmap command again every time you change it.
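A forgotten postmap run is the easy mistake here, so the following check is an added example and not part of the original post. The function name `check_submit_map` and its return codes are made up for illustration, and it assumes the `hash:` table type keeps its compiled map in a `.db` file next to the source file.

```bash
#!/bin/bash
# Added example: sanity-check an authorized_submit_users source file and its
# compiled hash map. Return codes (chosen for this example):
#   0 = OK, 1 = compiled map missing or stale, 2 = malformed entry,
#   3 = source file missing or unreadable
check_submit_map() {
    local src="$1" db="$1.db" line key rest lineno=0

    [ -r "$src" ] || { echo "cannot read source: $src" >&2; return 3; }

    # Every entry must look like "key whitespace value" (e.g. "root OK").
    # Blank lines, comments and continuation lines (leading whitespace)
    # are skipped.
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*|[[:space:]]*) continue ;;
        esac
        key=${line%%[[:space:]]*}      # text up to the first whitespace
        rest=${line#"$key"}            # everything after the key
        case "$rest" in
            *[![:space:]]*) ;;         # a value is present
            *)
                echo "$src:$lineno: no value for key '$key'" >&2
                return 2
                ;;
        esac
    done <"$src"

    # Edits to the source file only take effect after postmap has rebuilt
    # the .db file, so a missing or older .db means postmap was not run.
    if [ ! -e "$db" ] || [ "$src" -nt "$db" ]; then
        echo "map missing or older than source, run: postmap $src" >&2
        return 1
    fi
    return 0
}
```

Call it as `check_submit_map /etc/postfix/AllowedSystemUsers` after editing the file, for example from the same cron setup that already mails root.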

(Take a look here for more)
