-rw-r--r-- | ansible/roles/postfix/tasks/main.yml | 17 | ||||
-rw-r--r-- | ansible/roles/postfix/templates/header-checks-submission.j2 | 21 |
2 files changed, 38 insertions, 0 deletions
diff --git a/ansible/roles/postfix/tasks/main.yml b/ansible/roles/postfix/tasks/main.yml
index d9567a2..0346aaa 100644
--- a/ansible/roles/postfix/tasks/main.yml
+++ b/ansible/roles/postfix/tasks/main.yml
@@ -109,6 +109,16 @@
 - role::postfix
 notify: Regenerate transport table
+- name: Template Postfix submission header checks
+ template:
+ src: header-checks-submission.j2
+ dest: /etc/postfix/header-checks-submisison
+ mode: "0o444"
+ owner: root
+ group: root
+ notify:
+ - Reload postfix
+
 - name: Add custom services to master.cf
 blockinfile:
 path: /etc/postfix/master.cf
@@ -127,6 +137,7 @@
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth
+ -o cleanup_service_name=authcleanup
 smtps inet n - y - - smtpd
 -o syslog_name=postfix/smtps
@@ -136,6 +147,12 @@
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth
+ -o cleanup_service_name=authcleanup
+
+ # authenticated submission cleanup
+ authcleanup unix n - y - 0 cleanup
+ -o header_checks=pcre:/etc/postfix/header-checks-submission
+ -o nested_header_checks=
 # Service Mail pipes
 fortune-pipe unix - n n - - pipe
diff --git a/ansible/roles/postfix/templates/header-checks-submission.j2 b/ansible/roles/postfix/templates/header-checks-submission.j2
new file mode 100644
index 0000000..3877c88
--- /dev/null
+++ b/ansible/roles/postfix/templates/header-checks-submission.j2
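Review bot: The `dest` in the new "Template Postfix submission header checks" task is misspelled as `/etc/postfix/header-checks-submisison`, while the third hunk's `authcleanup` service opens `pcre:/etc/postfix/header-checks-submission`, so the map Postfix is told to use would never be written and authenticated submissions routed through `authcleanup` would fail once the cleanup daemon tries to open it. Change the line to `dest: /etc/postfix/header-checks-submission`. `mode: "0o444"` is an unconventional spelling for the `template` module; if it is accepted at all, `mode: "0444"` is the form the rest of Ansible's documentation uses and is worth normalising so a future Ansible version does not reject it. The surrounding task list continues outside the hunk.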
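Review bot: `-o header_checks=pcre:/etc/postfix/header-checks-submission` on the new `authcleanup` service replaces, rather than extends, whatever `header_checks` main.cf configures, so any site-wide header checks stop applying to mail from authenticated clients on `submission` and `smtps` (the second hunk switches `submission` to this cleanup). If main.cf sets a header_checks map, list it in the same `-o` value after the new one; if it deliberately sets none, a comment would keep the next reader from assuming global filtering still runs, e.g. `# header_checks here replaces the main.cf value for authenticated mail`. The `pcre:` table type also needs Postfix's PCRE map support installed on the host, which nothing in this change guarantees. The blockinfile content block starts and ends outside the hunk.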
@@ -0,0 +1,21 @@
+# Ansible managed
+# Taken from the excellent mailinabox project:
+# https://github.com/mail-in-a-box/mailinabox/blob/ddf8e857fdb2ac3508af9339abcdd908835f899b/conf/postfix_outgoing_mail_header_filters
+#
+# Remove the first line of the Received: header. Note that we cannot fully remove the Received: header
+# because OpenDKIM requires that a header be present when signing outbound mail. The first line is
+# where the user's home IP address would be.
+/^\s*Received:[^\n]*(.*)/ REPLACE Received: from authenticated-user ({{ ansible_fqdn }} [{{ ansible_default_ipv4.address }}])$1
+
+# Remove other typically private information.
+/^\s*User-Agent:/ IGNORE
+/^\s*X-Enigmail:/ IGNORE
+/^\s*X-Mailer:/ IGNORE
+/^\s*X-Originating-IP:/ IGNORE
+/^\s*X-Pgp-Agent:/ IGNORE
+
+# The Mime-Version header can leak the user agent too, e.g. in Mime-Version: 1.0 (Mac OS X Mail 8.1 \(2010.6\)).
+/^\s*(Mime-Version:\s*[0-9\.]+)\s.+/ REPLACE $1
+
+# Don't leak the internal network hostname.
+/^\s*Message-Id:\s*<(.*?)@.*>.*/ REPLACE Message-Id: <$1@{{ postfix_mailserver_name }}> |
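Review bot: The `Received:` rewrite interpolates `ansible_default_ipv4.address` with no fallback, so rendering fails outright on a host whose gathered facts carry no default IPv4 (IPv6-only, or no default route at fact-gathering time) instead of degrading; a `default(...)` filter or an explicit role variable for the advertised address would make the template's requirement visible. The header comment should also say what these rules do and do not hide: they sanitise only the message copy, and the submitting client's address is normally still recorded in Postfix's smtpd log for the session, so incident response keeps a record while recipients do not, e.g. `# The original client address remains in the mail log; only the message headers are sanitised.`. Finally, the `Message-Id:` rule rewrites only IDs containing an `@`, so an ID without one passes through unchanged, which the comment above it could state.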