Postfix how to secure outgoing authenticated e-mails for privacy and hide the IP address, mailer and other things

The most common solution is to use the /etc/postfix/header_checks but this is a big problem.

Why is header_checks a problem? Because it does it to all mail whether incoming or outgoing and whether authenticated or not. We of course want as much header information for incoming as we can get for many reasons but many organizations want to secure and make their mail clients as secure as possible.

I adapted this solution to the client's custom config, they are configured to only send through smtps so editing master.cf is different than most others.

So here's the solution to remove private details from authenticated outgoing mail with Postfix:

1.) Add the following to /etc/postfix/auth_header_checks.pcre

/^\s*(Received: from)[^\n]*(.*for <.*@(?!yourdomain.com).*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])$2
/^\s*Mime-Version: 1.0.*/ REPLACE Mime-Version: 1.0
/^\s*User-Agent/ IGNORE
/^\s*X-Enigmail/ IGNORE
/^\s*X-Mailer/ IGNORE
/^\s*X-Originating-IP/ IGNORE

2.) Now comes the tricky part, for this be sure to backup your /etc/postfix/master.cf before messing around. Even not having the right white space or anything will completely break postfix and make it refuse to start (this means you won't be receiving e-mail at the time).


Find your "submission" service or in many cases it may just be called "smtps":

Leave it all the same but add the part in bold below it (make sure two spaces are in front or your master.cf will be broken/notwork).

smtps inet n - n - - smtpd -o content_filter=spamassassin
-o smtpd_enforce_tls=yes
-o smtpd_tls_wrappermode=yes
-o cleanup_service_name=auth-cleanup

Now anywhere else in master.cf add the following:

auth-cleanup unix n - - - 0 cleanup
-o header_checks=pcre:/etc/postfix/auth_header_checks.pcre

Restart postfix now and make sure it is working and if not check /var/log/maillog and it will tell you what's wrong ( a common issue when copying and pasting is that the white space in the -o sections may be lost and that will cause errors and sometimes the dashes will turn into the long kind and these are not valid and need to be changed/fixed).


Tags:

postfix, outgoing, authenticated, mails, ip, mailer, thingsthe, etc, header_checks, incoming, header, organizations, adapted, custom, config, configured, smtps, editing, cf, auth_header_checks, pcre, yourdomain, localhost, mime, user, enigmail, originating, tricky, receiving, quot, submission, bold, spaces, notwork, inet, smtpd, content_filter, spamassassin, smtpd_enforce_tls, smtpd_tls_wrappermode, cleanup_service_name, auth, cleanup, unix, restart, var, maillog, copying, pasting, sections, errors, dashes, valid,

Latest Articles

  • Centos 7 how to save iptables rules like Centos 6
  • nfs tuning maximum amount of connections
  • qemu-kvm error "Could not initialize SDL(No available video device) - exiting"
  • Centos 7 tftpd will not work with selinux enabled
  • Debian Ubuntu Mint Howto Create Bridge (br0)
  • How To Control Interface that dhcpd server listens to on Debian based Linux like Mint and Ubuntu
  • LUKS unable to type password to unlock during boot on Debian, Ubuntu and Mint
  • Debian Ubuntu and Linux Mint Broken Kernel After Date - New Extra Module Naming Convention
  • Wordpress overwrites and wipes out custom htaccess rules and changes soluton
  • Apache htaccess and mod_rewrite how to redirect and force all URLs and visitors to the SSL / HTTPS version
  • python 3 pip cannot install mysql module
  • QEMU-KVM won't boot Windows 2016 or 2019 server on an Intel Core i3
  • Virtualbox vbox not starting
  • Bind / named not responding to queries solution
  • Linux Mint How To Set Desktop Background Image From Bash Prompt CLI
  • ImageMagick Convert PDF Not Authorized
  • ImageMagick Converted PDF to JPEG some files have a black background solution
  • Linux Mint Mate Customize the Lock screen messages and hide username and real name
  • Ubuntu/Gnome/Mint/Centos How To Take a partial screenshot
  • ssh how to verify your host key / avoid MIM attacks