1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-23 02:27:05 +00:00

Filter privacy-sensitive headers on outgoing mail

By default, Postfix adds a Received header — on all mail that you send —
that lists the IP of the device you sent the mail from.  This feature is
great if you're a mail provider and you need to debug why one user is
having sending issues.  This feature is not so great if you run your own
mail server and you don't want every recipient of every email you send
to know the device and IP you sent the email from.

To limit this filtering to outgoing mail only, we apply the filters just
to the submission port.  See these guides [1] [2] for more context.

I have taken care to make the configuration logic be **idempotent**.
Unfortunately, due to the syntax of `master.cf`, this requires a small
amount of `sed` and `perl` wizardry :(

In addition to filtering the Received header, the
`submission_header_checks` file is currently configured to filter other,
privacy-sensitive headers.  If people object, we can remove those
filters.  The important thing is that the IP be filtered or masked.

  [1] http://askubuntu.com/a/78168/11259
  [2] http://www.void.gr/kargig/blog/2013/11/24/anonymize-headers-in-postfix/
This commit is contained in:
Michael Kropat 2014-06-08 15:18:36 -04:00
parent ca34c1b1ae
commit d904feb399
2 changed files with 38 additions and 1 deletions

View File

@ -0,0 +1,5 @@
/^\s*Received:/ IGNORE
/^\s*User-Agent:/ IGNORE
/^\s*X-Enigmail:/ IGNORE
/^\s*X-Mailer:/ IGNORE
/^\s*X-Originating-IP:/ IGNORE

View File

@ -26,7 +26,39 @@ mkdir -p $STORAGE_ROOT/mail
######### #########
# Enable the 'submission' port 587 listener. # Enable the 'submission' port 587 listener.
sed -i "s/#submission/submission/" /etc/postfix/master.cf sed -i 's/^#submission\b/submission/' /etc/postfix/master.cf
# Enable selected 'submission' service options.
perl -i -pe 's/ ^[#] ( \s+ -o \s (?:
syslog_name |
smtpd_reject_unlisted_recipient |
smtpd_recipient_restrictions |
smtpd_relay_restrictions |
milter_macro_daemon_name
) )
/\1/x
if $rc = /^submission\b/ ... ($_ !~ /^#?\s/) and # submission line to next "logical" line
$rc !~ /(^1|E0)$/ # exclude outer matching lines' \
/etc/postfix/master.cf
# Add 'authclean' service hook (if necessary) to 'submission' service options.
if ! grep -Eq '^\s+-o cleanup_service_name=authclean\b' /etc/postfix/master.cf; then
sed -i $'/^submission\\b/ a\\\n -o cleanup_service_name=authclean' /etc/postfix/master.cf
fi
# Add the 'authclean' service (if necessary) after the 'cleanup' service. It
# will be used to filter privacy-sensitive headers on mail being sent out by
# authenticated users.
if ! grep -q '^authclean\b' /etc/postfix/master.cf; then
sed -i '/^cleanup\b/ a\
authclean unix n - - - 0 cleanup\
-o header_checks=regexp:/etc/postfix/submission_header_checks' /etc/postfix/master.cf
fi
# Install `submission_header_checks` file required by 'authclean' service.
if [ ! -f /etc/postfix/submission_header_checks ]; then
cp conf/submission_header_checks /etc/postfix/submission_header_checks
fi
# Enable TLS and require it for all user authentication. # Enable TLS and require it for all user authentication.
tools/editconf.py /etc/postfix/main.cf \ tools/editconf.py /etc/postfix/main.cf \