diff --git a/conf/submission_header_checks b/conf/submission_header_checks
new file mode 100644
index 00000000..0dc8eb21
--- /dev/null
+++ b/conf/submission_header_checks
@@ -0,0 +1,5 @@
+/^\s*Received:/ IGNORE
+/^\s*User-Agent:/ IGNORE
+/^\s*X-Enigmail:/ IGNORE
+/^\s*X-Mailer:/ IGNORE
+/^\s*X-Originating-IP:/ IGNORE
diff --git a/setup/mail.sh b/setup/mail.sh
index 2cfbc43b..ee93cc68 100755
--- a/setup/mail.sh
+++ b/setup/mail.sh
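Review bot: In conf/submission_header_checks, the `/^\s*Received:/ IGNORE` rule drops every Received header of a submitted message, not only the one this server adds for the authenticated client, so trace headers already present in a forwarded or re-submitted message are removed as well and the mail log becomes the only record tying a message to its submitting client. A comment at the top of the file, for example `# Used only by the 'authclean' cleanup service on port 587; strips client-identifying headers, so retain mail logs for abuse handling`, would record that trade-off for the next maintainer. Postfix regexp tables are matched with the system's POSIX regex library, where `\s` is an extension rather than standard syntax, and header_checks sees each header starting at its field name, so `/^Received:/ IGNORE` (and likewise for the other four rules) would be the portable form.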
@@ -26,7 +26,39 @@ mkdir -p $STORAGE_ROOT/mail ######### # Enable the 'submission' port 587 listener. -sed -i "s/#submission/submission/" /etc/postfix/master.cf +sed -i 's/^#submission\b/submission/' /etc/postfix/master.cf + +# Enable selected 'submission' service options. +perl -i -pe 's/ ^[#] ( \s+ -o \s (?: + syslog_name | + smtpd_reject_unlisted_recipient | + smtpd_recipient_restrictions | + smtpd_relay_restrictions | + milter_macro_daemon_name + ) ) + /\1/x + if $rc = /^submission\b/ ... ($_ !~ /^#?\s/) and # submission line to next "logical" line + $rc !~ /(^1|E0)$/ # exclude outer matching lines' \ + /etc/postfix/master.cf + +# Add 'authclean' service hook (if necessary) to 'submission' service options. +if ! grep -Eq '^\s+-o cleanup_service_name=authclean\b' /etc/postfix/master.cf; then + sed -i $'/^submission\\b/ a\\\n -o cleanup_service_name=authclean' /etc/postfix/master.cf +fi + +# Add the 'authclean' service (if necessary) after the 'cleanup' service. It +# will be used to filter privacy-sensitive headers on mail being sent out by +# authenticated users. +if ! grep -q '^authclean\b' /etc/postfix/master.cf; then + sed -i '/^cleanup\b/ a\ +authclean unix n - - - 0 cleanup\ + -o header_checks=regexp:/etc/postfix/submission_header_checks' /etc/postfix/master.cf +fi + +# Install `submission_header_checks` file required by 'authclean' service. +if [ ! -f /etc/postfix/submission_header_checks ]; then + cp conf/submission_header_checks /etc/postfix/submission_header_checks +fi # Enable TLS and require it for all user authentication. tools/editconf.py /etc/postfix/main.cf \
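Review bot: The last added block installs the filter only when `/etc/postfix/submission_header_checks` is absent, so a box that has already run setup never receives later changes to `conf/submission_header_checks`; since setup owns that file, an unconditional `cp conf/submission_header_checks /etc/postfix/submission_header_checks` would keep the privacy filter in step with the repository. The two `sed ... a\` insertions also succeed silently when their anchor (`^submission\b` or `^cleanup\b`) is missing from a customised master.cf, which would leave either a hook naming an undefined `authclean` service or a defined service that nothing uses, and in the second case the headers go out unfiltered. A check after the edits, such as `grep -q '^authclean\b' /etc/postfix/master.cf || { echo "authclean service missing from master.cf" >&2; exit 1; }` plus the same test for the `-o cleanup_service_name=authclean` line, would make that failure visible. The options the perl edit uncomments take whatever values the packaged master.cf ships, which this hunk does not show, so the effective `smtpd_relay_restrictions` for port 587 is worth setting explicitly rather than inheriting.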