| -rw-r--r-- | ansible/roles/postfix/tasks/main.yml | 17 | ||||
| -rw-r--r-- | ansible/roles/postfix/templates/header-checks-submission.j2 | 21 | 
2 files changed, 38 insertions, 0 deletions
| diff --git a/ansible/roles/postfix/tasks/main.yml b/ansible/roles/postfix/tasks/main.yml
index d9567a2..0346aaa 100644
--- a/ansible/roles/postfix/tasks/main.yml
+++ b/ansible/roles/postfix/tasks/main.yml
@@ -109,6 +109,16 @@
     - role::postfix
   notify: Regenerate transport table
+- name: Template Postfix submission header checks
+  template:
+    src: header-checks-submission.j2
+    dest: /etc/postfix/header-checks-submisison
+    mode: "0o444"
+    owner: root
+    group: root
+  notify:
+    - Reload postfix
+
 - name: Add custom services to master.cf
   blockinfile:
     path: /etc/postfix/master.cf
@@ -127,6 +137,7 @@
         -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
         -o smtpd_sasl_type=dovecot
         -o smtpd_sasl_path=private/auth
+        -o cleanup_service_name=authcleanup
       smtps     inet  n       -       y       -       -       smtpd
         -o syslog_name=postfix/smtps
@@ -136,6 +147,12 @@
         -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
         -o smtpd_sasl_type=dovecot
         -o smtpd_sasl_path=private/auth
+        -o cleanup_service_name=authcleanup
+
+      # authenticated submission cleanup
+      authcleanup unix  n       -       y       -       0       cleanup
+        -o header_checks=pcre:/etc/postfix/header-checks-submission
+        -o nested_header_checks=
       # Service Mail pipes
       fortune-pipe unix  -       n       n       -       -       pipe
diff --git a/ansible/roles/postfix/templates/header-checks-submission.j2 b/ansible/roles/postfix/templates/header-checks-submission.j2
new file mode 100644
index 0000000..3877c88
--- /dev/null
+++ b/ansible/roles/postfix/templates/header-checks-submission.j2
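Review bot: `dest: /etc/postfix/header-checks-submisison` in the new template task is misspelled, while the authcleanup service added further down in the same file reads `-o header_checks=pcre:/etc/postfix/header-checks-submission`, so the rendered table would be written to a path nothing reads and the cleanup service would point at a file that does not exist; change the task to `dest: /etc/postfix/header-checks-submission`. Postfix treats a header_checks table it cannot open as a fatal error in the cleanup daemon rather than skipping it, so mail routed through authcleanup (submission and smtps, per the two `-o cleanup_service_name=authcleanup` lines) would most likely be deferred with a temporary error until the paths agree. After fixing the spelling it is worth confirming on one host that `postfix check` is clean and that a test submission is accepted. The `Reload postfix` notification is sufficient for this file type, since pcre tables are read directly by the cleanup process and need no postmap step.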
@@ -0,0 +1,21 @@
+# Ansible managed
+# Taken from the excellent mailinabox project:
+# https://github.com/mail-in-a-box/mailinabox/blob/ddf8e857fdb2ac3508af9339abcdd908835f899b/conf/postfix_outgoing_mail_header_filters
+#
+# Remove the first line of the Received: header. Note that we cannot fully remove the Received: header
+# because OpenDKIM requires that a header be present when signing outbound mail. The first line is
+# where the user's home IP address would be.
+/^\s*Received:[^\n]*(.*)/         REPLACE Received: from authenticated-user ({{ ansible_fqdn }} [{{ ansible_default_ipv4.address }}])$1
+
+# Remove other typically private information.
+/^\s*User-Agent:/        IGNORE
+/^\s*X-Enigmail:/        IGNORE
+/^\s*X-Mailer:/          IGNORE
+/^\s*X-Originating-IP:/  IGNORE
+/^\s*X-Pgp-Agent:/       IGNORE
+
+# The Mime-Version header can leak the user agent too, e.g. in Mime-Version: 1.0 (Mac OS X Mail 8.1 \(2010.6\)).
+/^\s*(Mime-Version:\s*[0-9\.]+)\s.+/  REPLACE $1
+
+# Don't leak the internal network hostname.
+/^\s*Message-Id:\s*<(.*?)@.*>.*/ REPLACE Message-Id: <$1@{{ postfix_mailserver_name }}> | 
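Review bot: The Received: REPLACE line interpolates `{{ ansible_default_ipv4.address }}`, which is undefined on a host with no default IPv4 route (the `ansible_default_ipv4` fact comes back empty there), so the template task would fail on an IPv6-only or unusually routed box; since the file already takes the Message-Id host part from the role variable `postfix_mailserver_name`, consider sourcing the address the same way or guarding it with a Jinja `default` filter. The header comment explains why the Received: line is rewritten but not what remains for the operator; I would add `# The original client address and SASL login are still recorded in the Postfix mail log (smtpd "client=" lines), so this only removes them from the message as delivered to recipients.` so nobody assumes the trail is gone. Note also that, per the master.cf hunk in tasks/main.yml, authcleanup is reached by anything submission or smtps accepts, which includes `permit_mynetworks` clients that never authenticated, so the literal `authenticated-user` label can be inaccurate for those; either restrict that service to SASL-authenticated sessions or use a more neutral wording in the rewritten header. The `(.*)` capture in the Received: pattern relies on the pcre table's default dot-matches-newline behaviour to carry the folded continuation lines into `$1`; a one-line comment saying so would save the next editor from "fixing" it.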
