Loading ...
Sorry, an error occurred while loading the content.

Re: Stripping Received: headers

Expand Messages
  • Wietse Venema
    ... You need to do postfix reload after editing master.cf. The submission_cleanup service will see the Received: header that was prepended by the submission
    Message 1 of 16 , Apr 12 7:20 AM
    View Source
    • 0 Attachment
      Geoff Shang:
      > On Fri, 12 Apr 2013, Geoff Shang wrote:
      >
      > >> submission inet n - - - - smtpd
      > >> -o cleanup_service=submission_cleanup
      > >>
      > >> submission_cleanup unix n ............................ cleanup
      > >> -o header_checks=pcre:/etc/postfix/header_checks
      > >>
      > >> would do the job.
      > >
      > > Thanks Wietse. I think I will opt for this latter option.
      >
      > hmm. This didn't work. I'm a bit stuck as to why. I thought that
      > perhaps it might be running before the Received: header is created, but in
      > that case, I don't know why the example I linked to earlier that searches
      > for an authenticated header would work, while this would not.

      You need to do "postfix reload" after editing master.cf.

      The submission_cleanup service will see the Received: header that
      was prepended by the submission server.

      However, if your Milter adds headers then those aren't seen by
      header_checks; you would need to use milter_header_checks.

      Wietse
    • Geoff Shang
      ... I did. I did it again for good measure - no difference. ... Is there any way I can be sure that the special cleanup agent is running? I see the socket
      Message 2 of 16 , Apr 12 7:49 AM
      View Source
      • 0 Attachment
        On Fri, 12 Apr 2013, Wietse Venema wrote:

        > You need to do "postfix reload" after editing master.cf.

        I did. I did it again for good measure - no difference.

        > The submission_cleanup service will see the Received: header that
        > was prepended by the submission server.

        Is there any way I can be sure that the special cleanup agent is running?
        I see the socket /var/spool/postfix/public/submission_cleanup

        > However, if your Milter adds headers then those aren't seen by
        > header_checks; you would need to use milter_header_checks.

        We don't appear to be using any milters, despite the
        'milter_macro_daemon_name=ORIGINATING'

        Here's what I did in case I messed up:

        master.cf:

        # service type private unpriv chroot wakeup maxproc command + args
        # (yes) (yes) (yes) (never) (100)
        #
        ==========================================================================
        smtp inet n - - - - smtpd
        submission inet n - - - - smtpd
        -o smtpd_enforce_tls=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING
        # Use a special cleanup service so we can strip headers.
        -o cleanup_service=submission_cleanup

        smtps inet n - - - - smtpd
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING
        # Use a special cleanup service so we can strip headers.
        -o cleanup_service=submission_cleanup

        submission_cleanup unix n - - - - cleanup
        # Strip Received: lines from authenticated mail
        -o header_checks=pcre:/etc/postfix/header_checks



        /etc/postfix/header_checks:

        # Remove any Received: headers from authenticated mail.
        /^Received:/ IGNORE



        An example message. The line is matched if I run it through postmap.
        Some details have to be obscured, sorry. I'm on holiday so I'm not
        worried about letting the hostname through, you can all get it from my
        headers anyway. Obviously I'm not posting from my work address.

        Return-Path: <my.address@...>
        X-Original-To: my.address@...
        Delivered-To: my.address@...
        Received: from [192.168.0.20] (dsl-mlibrasgw2-50de1c-161.dhcp.inet.fi
        [80.222.28.161])
        by mail.example.com (Postfix) with ESMTPSA id DED281C40E9
        for <my.address@...>; Fri, 12 Apr 2013 14:35:47
        +0000 (UTC)
        Date: Fri, 12 Apr 2013 17:35:44 +0300 (EEST)
        From: Geoff Shang <my.address@...>
        X-X-Sender: geoff@...
        To: my.address@...
        Subject: test
        Message-ID: <alpine.DEB.2.02.1304121735310.14582@...>
        User-Agent: Alpine 2.02 (DEB 1266 2009-07-14)
        MIME-Version: 1.0
        Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

        Geoff.\
      • /dev/rob0
        A word at the outset here: I predict this will come back to bite you in a most painful way. As Noel suggested, you re going to run afoul of some clueless spam
        Message 3 of 16 , Apr 12 8:03 AM
        View Source
        • 0 Attachment
          A word at the outset here: I predict this will come back to bite you
          in a most painful way. As Noel suggested, you're going to run afoul
          of some clueless spam checks. Some years back I know that Hotmail/MSN
          actually *discarded* such mail silently!

          Note also that Postfix itself uses Received: headers as a protection
          against mail loops. Let's hope you don't get a loop going!

          On Fri, Apr 12, 2013 at 05:49:47PM +0300, Geoff Shang wrote:
          > Is there any way I can be sure that the special cleanup agent
          > is running? I see the socket
          > /var/spool/postfix/public/submission_cleanup

          It's running. To see what it does:

          > master.cf:

          > submission_cleanup unix n - - - - cleanup
          > # Strip Received: lines from authenticated mail
          > -o header_checks=pcre:/etc/postfix/header_checks
          -o syslog_name=postfix/submission/cleanup

          Every non-default service should have its own syslog_name to enhance
          your log searches.

          > /etc/postfix/header_checks:
          >
          > # Remove any Received: headers from authenticated mail.
          > /^Received:/ IGNORE
          /./ WARN

          That might get too noisy in the logs, but at least you will know your
          alternate cleanup service is being used.
          --
          http://rob0.nodns4.us/ -- system administration and consulting
          Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
        • Wietse Venema
          ... Are you using receive_override_options? in main.cf or master.cf? Wietse
          Message 4 of 16 , Apr 12 10:17 AM
          View Source
          • 0 Attachment
            Geoff Shang:
            > On Fri, 12 Apr 2013, Wietse Venema wrote:
            >
            > > You need to do "postfix reload" after editing master.cf.
            >
            > I did. I did it again for good measure - no difference.

            Are you using receive_override_options? in main.cf or master.cf?

            Wietse
          • Geoff Shang
            ... No. Geoff.
            Message 5 of 16 , Apr 15 7:15 AM
            View Source
            • 0 Attachment
              On Fri, 12 Apr 2013, Wietse Venema wrote:

              > Geoff Shang:
              >> On Fri, 12 Apr 2013, Wietse Venema wrote:
              >>
              >>> You need to do "postfix reload" after editing master.cf.
              >>
              >> I did. I did it again for good measure - no difference.
              >
              > Are you using receive_override_options? in main.cf or master.cf?

              No.

              Geoff.
            Your message has been successfully submitted and would be delivered to recipients shortly.