From dc7f1bb8f52569b158f0c24c02070fcc459e580d Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Mon, 10 Jun 2024 09:06:09 -0400
Subject: postfix: Prevent leaking MUA IP addresses

Protect user privacy by stripping IP addresses from headers received from authenticated mail submission. Headers for mail received from other servers are unaffected.

Signed-off-by: Malfurious
---
 Dockerfile | 1 +
 postfix/master.cf | 3 +++
 postfix/submission_header_checks | 2 ++
 3 files changed, 6 insertions(+)
 create mode 100644 postfix/submission_header_checks

diff --git a/Dockerfile b/Dockerfile
index 7eafaf1..ec181bd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,6 +25,7 @@ RUN apt update \
 dovecot-core \
 dovecot-imapd \
 postfix \
+ postfix-pcre \
 && apt clean

 # Install files
diff --git a/postfix/master.cf b/postfix/master.cf
index d29c474..45df2bb 100644
--- a/postfix/master.cf
+++ b/postfix/master.cf
@@ -24,10 +24,13 @@ submissions inet n - n - - smtpd
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 # -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+ -o cleanup_service_name=cleanupips
 -o milter_macro_daemon_name=ORIGINATING
 #628 inet n - n - - qmqpd
 pickup unix n - n 60 1 pickup
 cleanup unix n - n - 0 cleanup
+cleanupips unix n - n - 0 cleanup
+ -o header_checks=pcre:/etc/postfix/submission_header_checks
 qmgr unix n - n 300 1 qmgr
 #qmgr unix n - n 300 1 oqmgr
 tlsmgr unix - - n 1000? 1 tlsmgr
diff --git a/postfix/submission_header_checks b/postfix/submission_header_checks
new file mode 100644
index 0000000..a792ca5
--- /dev/null
+++ b/postfix/submission_header_checks
@@ -0,0 +1,2 @@
+/^Received: from [^ ]+ \([^ ]+ \[[IPv0-9a-f:.]+\]\)\s+(.* \(Postfix\) with .+)$/ REPLACE Received: $1
+/^X-Originating-IP:.*/ IGNORE
--
cgit v1.2.3
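Review bot: The `-o cleanup_service_name=cleanupips` override in postfix/master.cf is attached only to the `submissions` entry, so any other authenticated entry point defined elsewhere in the file (for example a `submission` service on port 587, if one is enabled; not visible in this hunk) would still pass mail to the default `cleanup` and keep the client address in `Received:`. If such a service exists it needs the same `-o cleanup_service_name=cleanupips` line. Also note that `-o header_checks=` on `cleanupips` replaces, rather than extends, any `header_checks` configured in main.cf, so checks defined there would no longer apply to submitted mail. A comment above the new service would help the next maintainer, e.g. `# cleanup variant for authenticated submission: strips the client IP from headers (see submission_header_checks)`. The `submissions` entry begins above the hunk.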
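Review bot: The `Received:` rule in postfix/submission_header_checks fails open: a header that does not fit the exact `from helo (rdns [addr])` ... `(Postfix) with` shape passes through unchanged, so a non-default `mail_name` (which replaces the literal `Postfix` in the header) or a format change after an upgrade would silently bring the client address back. The file also has no comments, so I would add a header such as `# Used only by the cleanupips service (authenticated submission); rule 1 drops the "from helo (rdns [addr])" clause and assumes mail_name is "Postfix"`. Checking a captured sample header with `postmap -q` against `pcre:/etc/postfix/submission_header_checks` after each Postfix upgrade would catch a regression before it reaches recipients.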