Postfix how to secure outgoing authenticated e-mails for privacy and hide the IP address, mailer and other things

The most common solution is to use the /etc/postfix/header_checks but this is a big problem.

Why is header_checks a problem?  Because it does it to all mail whether incoming or outgoing and whether authenticated or not.  We of course want as much header information for incoming as we can get for many reasons but many organizations want to secure and make their mail clients as secure as possible.

I adapted this solution to the client's custom config, they are configured to only send through smtps so editing master.cf is different than most others.

So here's the solution to remove private details from authenticated outgoing mail with Postfix:

1.) Add the following to /etc/postfix/auth_header_checks.pcre

/^\s*(Received: from)[^\n]*(.*for <.*@(?!yourdomain.com).*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])$2
/^\s*Mime-Version: 1.0.*/ REPLACE Mime-Version: 1.0
/^\s*User-Agent/ IGNORE
/^\s*X-Enigmail/ IGNORE
/^\s*X-Mailer/ IGNORE
/^\s*X-Originating-IP/ IGNORE

2.) Now comes the tricky part, for this be sure to backup your /etc/postfix/master.cf before messing around.  Even not having the right white space or anything will completely break postfix and make it refuse to start (this means you won't be receiving e-mail at the time).


Find your "submission" service or in many cases it may just be called "smtps":

Leave it all the same but add the part in bold below it (make sure two spaces are in front or your master.cf will be broken/notwork).

smtps     inet  n       -       n       -       -       smtpd -o content_filter=spamassassin
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_wrappermode=yes
  -o cleanup_service_name=auth-cleanup

Now anywhere else in master.cf add the following:

auth-cleanup unix n - - - 0 cleanup
  -o header_checks=pcre:/etc/postfix/auth_header_checks.pcre

 

Restart postfix now and make sure it is working and if not check /var/log/maillog and it will tell you what's wrong ( a common issue when copying and pasting is that the white space in the -o sections may be lost and that will cause errors and sometimes the dashes will turn into the long kind and these are not valid and need to be changed/fixed).


Tags:

postfix, outgoing, authenticated, mails, ip, mailer, thingsthe, etc, header_checks, incoming, header, organizations, adapted, custom, config, configured, smtps, editing, cf, auth_header_checks, pcre, yourdomain, localhost, mime, user, enigmail, originating, tricky, receiving, quot, submission, bold, spaces, notwork, inet, smtpd, content_filter, spamassassin, smtpd_enforce_tls, smtpd_tls_wrappermode, cleanup_service_name, auth, cleanup, unix, restart, var, maillog, copying, pasting, sections, errors, dashes, valid,

Latest Articles

  • FreePBX 17 How To Add a Trunk
  • Docker Container Onboot Policy - How to make sure a container is always running
  • FreePBX 17 How To Add Phones / Extensions and Register
  • Warning: The driver descriptor says the physical block size is 2048 bytes, but Linux says it is 512 bytes. solution
  • Cisco How To Use a Third Party SIP Phone (eg. Avaya, 3CX)
  • Cisco Unified Communication Manager (CUCM) - How To Add Phones
  • pptp / pptpd not working in DD-WRT iptables / router
  • systemd-journald high memory usage solution
  • How to Install FreePBX 17 in Linux Debian Ubuntu Mint Guide
  • How To Install Cisco's CUCM (Cisco Unified Communication Manager) 12 Guide
  • Linux Ubuntu Redhat How To Extract Images from PDF
  • Linux and Windows Dual Boot Issue NIC Won't work After Booting Windows
  • Cisco CME How To Enable ACD hunt groups
  • How to install gns3 on Linux Ubuntu Mint
  • How to convert audio for Asterisk .wav format
  • Using Cisco CME Router with Asterisk as a dial-peer
  • Cisco CME How To Configure SIP Trunk VOIP
  • Virtualbox host Only Network Error Failed to save host network interface parameter - Cannot change gateway IP of host only network
  • Cisco CME and C7200 Router Testing and Learning Environment on Ubuntu 20+ Setup Tutorial Guide
  • Abusive IP ranges blacklist