By default, Postfix adds a Received header — on all mail that you send —
that lists the IP of the device you sent the mail from. This feature is
great if you're a mail provider and you need to debug why one user is
having sending issues. This feature is not so great if you run your own
mail server and you don't want every recipient of every email you send
to know the device and IP you sent the email from.
To limit this filtering to outgoing mail only, we apply the filters just
to the submission port. See these guides [1] [2] for more context.
I have taken care to make the configuration logic be **idempotent**.
Unfortunately, due to the syntax of `master.cf`, this requires a small
amount of `sed` and `perl` wizardry :(
In addition to filtering the Received header, the
`submission_header_checks` file is currently configured to filter other,
privacy-sensitive headers. If people object, we can remove those
filters. The important thing is that the IP be filtered or masked.
[1] http://askubuntu.com/a/78168/11259
[2] http://www.void.gr/kargig/blog/2013/11/24/anonymize-headers-in-postfix/
Postfix, Dovecot, and nginx all read the key file while they're running
as root — before dropping permissions — so no authorization is needed on
the private key file beyond being root-readable.
Default IP+hostname values were incorrect for my VPS provider. I
improved the detection, which should give correct results results for
almost any provider. Specific issues addressed:
- icanhazip.com detection was only enabled in non-interactive mode
- `hostname` is by convention a short (non-fqdn) name in Ubuntu
- `hostname --fqdn` fails if provider does not pouplate `hosts` file
- `hostname -i` fails if provider does not populate `hosts` file
- `curl` without `--fail` will someday return crazy results
when icanhazip.com returns 500 errors or similar
* adding a Vagrantfile
* in a non-interactive setup like this, create the user's first email account for them
* let the machine auto-detect its IP address using http://icanhazip.com/
* use our own justtesting.email domain to provision a subdomain for users so they can quickly get started
* Created a new Python/flask-based management daemon.
* Moved the mail user management core code from tools/mail.py to the new daemon.
* tools/mail.py is a wrapper around the daemon and can be run as a non-root user.
* Adding a new initscript for the management daemon.
* Moving dns_update.sh to the management daemon, called via curl'ing the daemon's API.
This also now runs the DNS update after mail users and aliases are added/removed,
which sets up new domains' DNS as needed.