Postfix how to secure outgoing authenticated e-mails for privacy and hide the IP address, mailer and other things

The most common solution is to use the /etc/postfix/header_checks but this is a big problem.

Why is header_checks a problem? Because it does it to all mail whether incoming or outgoing and whether authenticated or not. We of course want as much header information for incoming as we can get for many reasons but many organizations want to secure and make their mail clients as secure as possible.

I adapted this solution to the client's custom config, they are configured to only send through smtps so editing master.cf is different than most others.

So here's the solution to remove private details from authenticated outgoing mail with Postfix:

1.) Add the following to /etc/postfix/auth_header_checks.pcre

/^\s*(Received: from)[^\n]*(.*for <.*@(?!yourdomain.com).*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])$2
/^\s*Mime-Version: 1.0.*/ REPLACE Mime-Version: 1.0
/^\s*User-Agent/ IGNORE
/^\s*X-Enigmail/ IGNORE
/^\s*X-Mailer/ IGNORE
/^\s*X-Originating-IP/ IGNORE

2.) Now comes the tricky part, for this be sure to backup your /etc/postfix/master.cf before messing around. Even not having the right white space or anything will completely break postfix and make it refuse to start (this means you won't be receiving e-mail at the time).


Find your "submission" service or in many cases it may just be called "smtps":

Leave it all the same but add the part in bold below it (make sure two spaces are in front or your master.cf will be broken/notwork).

smtps inet n - n - - smtpd -o content_filter=spamassassin
-o smtpd_enforce_tls=yes
-o smtpd_tls_wrappermode=yes
-o cleanup_service_name=auth-cleanup

Now anywhere else in master.cf add the following:

auth-cleanup unix n - - - 0 cleanup
-o header_checks=pcre:/etc/postfix/auth_header_checks.pcre

Restart postfix now and make sure it is working and if not check /var/log/maillog and it will tell you what's wrong ( a common issue when copying and pasting is that the white space in the -o sections may be lost and that will cause errors and sometimes the dashes will turn into the long kind and these are not valid and need to be changed/fixed).


Tags:

postfix, outgoing, authenticated, mails, ip, mailer, thingsthe, etc, header_checks, incoming, header, organizations, adapted, custom, config, configured, smtps, editing, cf, auth_header_checks, pcre, yourdomain, localhost, mime, user, enigmail, originating, tricky, receiving, quot, submission, bold, spaces, notwork, inet, smtpd, content_filter, spamassassin, smtpd_enforce_tls, smtpd_tls_wrappermode, cleanup_service_name, auth, cleanup, unix, restart, var, maillog, copying, pasting, sections, errors, dashes, valid,

Latest Articles

  • Debian Ubuntu Mint rc-local service startup error solution rc-local.service: Failed at step EXEC spawning /etc/rc.local: Exec format error
  • MySQL Cheatsheet Guide and Tutorial
  • bash script kill whois or other command that is running for too long
  • Linux tftp listens on all interfaces and IPs by DEFAULT Security Risk Hole Solution
  • python import docx error
  • Cisco Unified Communications Manager Express Cheatsheet CUCME CME
  • Linux Ubuntu Debian Missing privilege separation directory: /var/run/sshd
  • bash how to count the number of columns or words in a line
  • bash if statement how to test program output without assigning to variable
  • RTNETLINK answers: Network is unreachable
  • Centos 7 how to save iptables rules like Centos 6
  • nfs tuning maximum amount of connections
  • qemu-kvm error "Could not initialize SDL(No available video device) - exiting"
  • Centos 7 tftpd will not work with selinux enabled
  • Debian Ubuntu Mint Howto Create Bridge (br0)
  • How To Control Interface that dhcpd server listens to on Debian based Linux like Mint and Ubuntu
  • LUKS unable to type password to unlock during boot on Debian, Ubuntu and Mint
  • Debian Ubuntu and Linux Mint Broken Kernel After Date - New Extra Module Naming Convention
  • Wordpress overwrites and wipes out custom htaccess rules and changes soluton
  • Apache htaccess and mod_rewrite how to redirect and force all URLs and visitors to the SSL / HTTPS version