
snipping header lines

  • rosenfield@users.sourceforge.net
    Message 1 of 8 , Oct 30, 2007
      Hi people

      I'd like to snip out IP addresses and mail client version numbers of
      clients connecting and authenticating via TLS to the MTA (aka internal
      users).

      Tried the following as a header_checks regex:

      /^Received:.*by.*$mydomain \(Postfix\)/ IGNORE

      Works fine, except it also snips out the IP address of the sending
      host for all mails received by the MTA from _external_ users sending
      mail into our domains, which is undesirable.

      Then installed the mimedefang milter, and was going to hack something
      up in Perl to do the right thing, but half-way through I fell upon
      this posting:
      http://archives.neohapsis.com/archives/postfix/2007-10/0431.html

      So my question is:
      What is the recommended way to get Postfix to snip the "received from:
      <internal ip>" line, but preserve this header for mails received from
      the outside?

      Best regards
    • Noel Jones
      Message 2 of 8 , Oct 30, 2007
        At 11:03 AM 10/30/2007, rosenfield@... wrote:
        >Hi people
        >
        >I'd like to snip out IP addresses and mail client version numbers of
        >clients connecting and authenticating via TLS to the MTA (aka internal
        >users).
        >
        >Tried the following as a header_checks regex:
        >
        >/^Received:.*by.*$mydomain \(Postfix\)/ IGNORE
        >
        >Works fine, except it also snips out the IP address of the sending
        >host for all mails received by the MTA from _external_ users sending
        >mail into our domains, which is undesirable.
        >
        >Then installed the mimedefang milter, and was going to hack something
        >up in Perl to do the right thing, but half-way through I fell upon
        >this posting:
        >http://archives.neohapsis.com/archives/postfix/2007-10/0431.html
        >
        >So my question is:
        >What is the recommended way to get Postfix to snip the "received from:
        ><internal ip>" line, but preserve this header for mails received from
        >the outside?
        >
        >Best regards

        Milters are never presented this header, so they can't do anything with it.
        Your header_checks regexp needs to match <internal ip>, or maybe you
        can use "smtpd_sasl_authenticated_header = yes" or
        "smtpd_tls_received_header = yes" and key on the text unique to your
        authenticated users.

        --
        Noel Jones
      • rosenfield@users.sourceforge.net
        Message 3 of 8 , Oct 30, 2007
          Noel Jones writes:
          > Milters are never presented this header, so they can't do anything with it.

          Too bad! Would be nice if this was rectified (with an option or whatever).

          > Your header_checks regexp needs to match <internal ip>,

          Hmm. Not doable, since clients do not have static IP addresses. They
          are authenticated with a certificate or a password.

          > maybe you can use "smtpd_sasl_authenticated_header = yes" or
          > "smtpd_tls_received_header = yes" and key on the text unique to your
          > authenticated users.

          Ah, sounds useful, if a bit icky.
          Thanks for the suggestion, I'll try it out!

          Right now I wish I had complete control of the Postfix chain of
          events, so that I could branch into two different "trajectories"
          depending on the connection being an auth'ed internal user or an
          external user with (valid recipient, invalid recipient), etc etc etc
          etc.

          /etc/postfix/chain.cf :-)
        • Victor Duchovni
          Message 4 of 8 , Oct 30, 2007
            On Tue, Oct 30, 2007 at 06:11:07PM +0100, rosenfield@... wrote:

            > > maybe you can use "smtpd_sasl_authenticated_header = yes" or
            > > "smtpd_tls_received_header = yes" and key on the text unique to your
            > > authenticated users.

            This information goes into the same Received: header that is not visible
            to milters. However, milters do get to see SASL user information and
            TLS issuer/subject information (for trusted certs) via appropriate macros.

            --
            Viktor.

            Disclaimer: off-list followups get on-list replies or get ignored.
            Please do not ignore the "Reply-To" header.

            To unsubscribe from the postfix-users list, visit
            http://www.postfix.org/lists.html or click the link below:
            <mailto:majordomo@...?body=unsubscribe%20postfix-users>

            If my response solves your problem, the best way to thank me is to not
            send an "it worked, thanks" follow-up. If you must respond, please put
            "It worked, thanks" in the "Subject" so I can delete these quickly.
          • Noel Jones
            Message 5 of 8 , Oct 30, 2007
              At 12:54 PM 10/30/2007, Victor Duchovni wrote:
              >On Tue, Oct 30, 2007 at 06:11:07PM +0100,
              >rosenfield@... wrote:
              >
              > > > maybe you can use "smtpd_sasl_authenticated_header = yes" or
              > > > "smtpd_tls_received_header = yes" and key on the text unique to your
              > > > authenticated users.
              >
              >This information goes into the same Received: header that is not visible
              >to milters. However, milters do get to see SASL user information and
              >TLS issuer/subject information (for trusted certs) via appropriate macros.
              >
              >--
              > Viktor.

              Right. The intention is to use one of the *_header options to
              create text that can be matched by a header_checks rule.

              --
              Noel Jones
            • rosenfield@users.sourceforge.net
              Message 6 of 8 , Oct 31, 2007
                > > maybe you can use "smtpd_sasl_authenticated_header = yes" or
                > > "smtpd_tls_received_header = yes" and key on the text unique to your
                > > authenticated users.
                >
                > This information goes into the same Received: header that is not visible
                > to milters. However, milters do get to see SASL user information and
                > TLS issuer/subject information (for trusted certs) via appropriate macros.

                Not going to work with users that authenticate with a password, AFAICT.
                I think Noel meant the above in context of a check_headers RE..

                Would be nice if a Postfix developer would step up and fix this in a
                sane manner once and for all :-). I can think of lots of nice
                solutions, but I think the easiest one to implement by far is to send
                the Received header to milters, and fix the dkim-milter so it ignores
                this header.

                I'm sure the dkim folks would be happy to cooperate to reach a common
                design that can incorporate everything people need in their day-to-day
                MTA setups.

                Perhaps this can even be done in a way that preserves
                backwards-compatibility? I'm thinking a call that milters can poke at
                to tell Postfix that they understand / would like the new format with
                all header contents included..
              • Noel Jones
                Message 7 of 8 , Oct 31, 2007
                  At 09:40 AM 10/31/2007, rosenfield@... wrote:
                  > > > maybe you can use "smtpd_sasl_authenticated_header = yes" or
                  > > > "smtpd_tls_received_header = yes" and key on the text unique to your
                  > > > authenticated users.
                  > >
                  > > This information goes into the same Received: header that is not visible
                  > > to milters. However, milters do get to see SASL user information and
                  > > TLS issuer/subject information (for trusted certs) via appropriate macros.
                  >
                  >Not going to work with users that authenticate with a password, AFAICT.
                  >I think Noel meant the above in context of a check_headers RE..
                  >
                  >Would be nice if a Postfix developer would step up and fix this in a
                  >sane manner once and for all :-). I can think of lots of nice
                  >solutions, but I think the easiest one to implement by far is to send
                  >the Received header to milters, and fix the dkim-milter so it ignores
                  >this header.

                  Milter is a sendmail design. Don't expect non-sendmail developers to
                  alter that design.

                  Postfix already gives you a tool via header_checks to alter or remove
                  selected Received headers. Headers from authenticated dynamic users
                  can be identified reliably using smtpd_sasl_authenticated_header
                  and/or smtpd_tls_received_header.

                  I don't see a problem to solve here.

                  --
                  Noel Jones
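
The header_checks approach from the message above, checked offline against sample headers. This is an added example, not code from the thread or from Postfix: the hostname mail.example.com, the rule names and the three headers are constructed, and Python's `re` stands in for a `pcre:` table with its default flags.

```python
import re

# Assumption: the MTA's own hostname is mail.example.com (placeholder).
MY_HOST = r"mail\.example\.com"
# pcre_table(5) defaults: case-insensitive, "." also matches newline.
FLAGS = re.IGNORECASE | re.DOTALL

RULES = {
    # Rule from the first post, with $mydomain written out literally.
    "broad": r"^Received:.*by.*" + MY_HOST + r" \(Postfix\)",
    # Keyed only on the text smtpd_sasl_authenticated_header = yes adds.
    "auth_any_host": r"^Received:.*\(Authenticated sender:",
    # Keyed on that text AND on our own "by" clause directly after it.
    "auth_our_host": r"^Received:.*\(Authenticated sender: [^)]*\)\s+by "
                     + MY_HOST + r" \(Postfix\)",
}

# Constructed sample headers (one logical header each, folded lines kept).
HEADERS = {
    # Internal user who authenticated to our MTA.
    "internal_submission":
        "Received: from laptop.local (unknown [198.51.100.23])\n"
        "\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))\n"
        "\t(No client certificate requested)\n"
        "\t(Authenticated sender: alice)\n"
        "\tby mail.example.com (Postfix) with ESMTPSA id 4F2A1B0C;\n"
        "\tTue, 30 Oct 2007 18:11:07 +0100 (CET)",
    # Mail arriving from an outside MTA: this header must survive.
    "external_inbound":
        "Received: from mx.example.net (mx.example.net [203.0.113.5])\n"
        "\tby mail.example.com (Postfix) with ESMTP id 9C3D2E1F;\n"
        "\tTue, 30 Oct 2007 18:12:40 +0100 (CET)",
    # Header added earlier by another site's Postfix, carried in inbound mail.
    "upstream_submission":
        "Received: from pc.example.net (unknown [192.0.2.77])\n"
        "\t(Authenticated sender: carol)\n"
        "\tby mx.example.net (Postfix) with ESMTPSA id 77AA00BB;\n"
        "\tTue, 30 Oct 2007 18:12:31 +0100 (CET)",
}

def ignored_by(rule_name):
    """Return the sample headers a header_checks IGNORE rule would delete."""
    rule = re.compile(RULES[rule_name], FLAGS)
    return sorted(name for name, hdr in HEADERS.items() if rule.search(hdr))

if __name__ == "__main__":
    for name in RULES:
        print(f"{name:14} deletes {ignored_by(name)}")
```

Only the last rule removes the internal submission header alone; in a `pcre:` header_checks table it would be written as `/pattern/ IGNORE`, with `smtpd_sasl_authenticated_header = yes` set in main.cf so the keyed text is present.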
                • rosenfield@users.sourceforge.net
                  Message 8 of 8 , Nov 1, 2007
                    > Milter is a sendmail design. Don't expect
                    > non-sendmail developers to alter that design.

                    Based on earlier postings, it sounds like Sendmail has already been
                    changed to feed all content through the mail filters.

                    > Postfix already gives you a tool via header_checks to alter or remove
                    > selected Received headers. Headers from authenticated dynamic users
                    > can be identified reliably using smtpd_sasl_authenticated_header
                    > and/or smtpd_tls_received_header.

                    It's cumbersome to implement, and in addition it forces you to split
                    your filter rules in two places in a bizarre way.

                    > I don't see a problem to solve here.

                    Look harder ;)