Re: Do not include first 'Received' header when received via 465/587?

2009-03-06 Thread Noel Jones

LuKreme wrote:

On 5-Mar-2009, at 19:15, Noel Jones wrote:
Oh, and recent postfix marks authenticated headers; note the 
ESMTPSA.   S = StartTLS, A = Authenticated


Received: from [192.168.5.108] (adsl-19-247-14.bna.bellsouth.net 
[68.19.247.14])

by mgate2.vbhcs.org (Postfix) with ESMTPSA id BAF4A797A6A;
Thu,  5 Mar 2009 20:09:39 -0600 (CST)


That is very cool, I didn't know that.  Of course in my case we're not 
using TLS, so the header has ESMTPA, but still, quite useful.


... which is why the sample expression is ESMTPS?A, i.e. the S 
is optional.





a regexp something like
/^(Received: .* myhostname \(Postfix\) with ESMTPS?A .*)$/
  REPLACE X-$1

should do the trick.


I really like that, there's all sorts of possibilities here.  Would it 
be bad to strip out the IPs (usually local/private) from these headers?


/^(Received: from )\[\d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?\](.* myhostname \(Postfix\) with ESMTPS?A .*)$/
  REPLACE X-$1[internal LAN]$2

/^(Received: from [^\[].* myhostname \(Postfix\) with ESMTPS?A .*)$/
  REPLACE X-$1

??

I'm thinking that cleanup is called for all messages, which is why you 
would only want this on a submission port and not just on the regular 
cleanup service. Although the Received: from [ip.ip.ip.ip] form never 
shows up on external mail since bare-ip mailservers are banned anyway.




This should be safe to use on all mail - no need for a special 
cleanup-submission with different header_checks.  It should 
only match on authenticated mail to your server.


If you don't want the original IP to show, it's probably 
better to just remove that part rather than putting a fake IP 
there.  Easy to do by just moving the first parenthesis, 
something like

/^Received: .* (myhostname \(Postfix\) with ESMTPS?A .*)$/
   REPLACE X-Submitted to $1
That way you at least keep the original QUEUEID.


  -- Noel Jones


Re: Do not include first 'Received' header when received via 465/587?

2009-03-06 Thread Victor Duchovni
On Fri, Mar 06, 2009 at 10:11:24AM -0600, Noel Jones wrote:

 /^Received: .* (myhostname \(Postfix\) with ESMTPS?A .*)$/
REPLACE X-Submitted to $1
 That way you at least keep the original QUEUEID.

Probably want a : in there to make it a valid header:

header_checks.pcre:
if /^Received:/
/\n\tby (smtp\.example\.com \(Postfix\) with ESMTPS?A id \w+)/
 REPLACE X-Submitted: to $1
endif

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.


Re: Do not include first 'Received' header when received via 465/587?

2009-03-06 Thread Noel Jones

Victor Duchovni wrote:

On Fri, Mar 06, 2009 at 10:11:24AM -0600, Noel Jones wrote:


/^Received: .* (myhostname \(Postfix\) with ESMTPS?A .*)$/
   REPLACE X-Submitted to $1
That way you at least keep the original QUEUEID.


Probably want a : in there to make it a valid header:

header_checks.pcre:
if /^Received:/
/\n\tby (smtp\.example\.com \(Postfix\) with ESMTPS?A id \w+)/
 REPLACE X-Submitted: to $1
endif



Yes, thanks.

  -- Noel Jones


Re: Do not include first 'Received' header when received via 465/587?

2009-03-06 Thread Victor Duchovni
On Fri, Mar 06, 2009 at 11:33:34AM -0600, Noel Jones wrote:

 Victor Duchovni wrote:
 On Fri, Mar 06, 2009 at 10:11:24AM -0600, Noel Jones wrote:
 /^Received: .* (myhostname \(Postfix\) with ESMTPS?A .*)$/
REPLACE X-Submitted to $1
 That way you at least keep the original QUEUEID.
 Probably want a : in there to make it a valid header:
 header_checks.pcre:
 if /^Received:/
 /\n\tby (smtp\.example\.com \(Postfix\) with ESMTPS?A id \w+)/
 REPLACE X-Submitted: to $1
 endif

 Yes, thanks.

Note, there may be a spam-score penalty to sending out mail with no
Received headers at all. If the MSA sends directly to the outside
without going through additional SMTP servers (post-filter, ...),
it is probably best to replace just the Received: header IP address, 
with an RFC-1918 address and leave the received header intact.

-- 
Viktor.



Re: Do not include first 'Received' header when received via 465/587?

2009-03-06 Thread Nate Carlson

On Fri, 6 Mar 2009, Noel Jones wrote:

Victor Duchovni wrote:

Probably want a : in there to make it a valid header:

header_checks.pcre:
if /^Received:/
/\n\tby (smtp\.example\.com \(Postfix\) with ESMTPS?A id \w+)/
 REPLACE X-Submitted: to $1
endif


Yes, thanks.


I extrapolated from this, and got something that works perfectly - thanks 
so much!


if /^Received:/
/.*by (hostname \(Postfix\) with ESMTPS?A).*/
 REPLACE X-Submitted: to $1
endif

My servers do additional processing, and add received headers after this, 
so no issues with spam filters (as mentioned later in this thread.)


Appreciate the help!


Re: Do not include first 'Received' header when received via 465/587?

2009-03-06 Thread Victor Duchovni
On Fri, Mar 06, 2009 at 01:16:07PM -0600, Nate Carlson wrote:

 On Fri, 6 Mar 2009, Noel Jones wrote:
 Victor Duchovni wrote:
 Probably want a : in there to make it a valid header:
 header_checks.pcre:
 if /^Received:/
 /\n\tby (smtp\.example\.com \(Postfix\) with ESMTPS?A id \w+)/
 REPLACE X-Submitted: to $1
 endif
 Yes, thanks.

 I extrapolated from this, and got something that works perfectly - thanks 
 so much!

 if /^Received:/
 /.*by (hostname \(Postfix\) with ESMTPS?A).*/
 REPLACE X-Submitted: to $1
 endif

Replace the .* with \n\t or \012\011 if not PCRE and you are losing
the queue-id, which is very useful for later trouble-shoots.

-- 
Viktor.



Re: Do not include first 'Received' header when received via 465/587?

2009-03-06 Thread Wietse Venema
Victor Duchovni:
 On Fri, Mar 06, 2009 at 01:16:07PM -0600, Nate Carlson wrote:
 
  On Fri, 6 Mar 2009, Noel Jones wrote:
  Victor Duchovni wrote:
  Probably want a : in there to make it a valid header:
  header_checks.pcre:
  if /^Received:/
  /\n\tby (smtp\.example\.com \(Postfix\) with ESMTPS?A id \w+)/
  REPLACE X-Submitted: to $1
  endif
  Yes, thanks.
 
  I extrapolated from this, and got something that works perfectly - thanks 
  so much!
 
  if /^Received:/
  /.*by (hostname \(Postfix\) with ESMTPS?A).*/
  REPLACE X-Submitted: to $1
  endif
 
 Replace the .* with \n\t or \012\011 if not PCRE and you
 are losing the queue-id, which is very useful for later trouble-shoots.

The .* are always unnecessary at the start and end of a pattern.

Also, he is replacing the entire header, not the middle portion.
Therefore the following will suffice:

if /^Received:/
/\s+(host\.example\.com \(Postfix\) with ESMTPS?A id \w+)/
 REPLACE X-Submitted: to $1
endif

Wietse
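
Added example (not from any poster in this thread): a Python emulation of how a PCRE header_checks REPLACE rule rewrites the sample Received: header quoted earlier, comparing the pattern that keeps the queue ID with the ".*by (...)" variant that drops it. The header_check and leaks_client_ip helpers, the "\n\t" folding of the sample, and the use of Python's re module in place of Postfix's PCRE engine are assumptions of this example.

```python
import re

# The Received: header quoted in this thread, as one logical header.
# Assumption: continuation lines are folded with "\n\t".
SAMPLE = (
    "Received: from [192.168.5.108] "
    "(adsl-19-247-14.bna.bellsouth.net [68.19.247.14])\n"
    "\tby mgate2.vbhcs.org (Postfix) with ESMTPSA id BAF4A797A6A;\n"
    "\tThu,  5 Mar 2009 20:09:39 -0600 (CST)"
)
# Constructed: the same hop without SASL authentication (plain ESMTP).
UNAUTH = SAMPLE.replace("ESMTPSA", "ESMTP")

# pcre_table(5) defaults: case-insensitive, and "." also matches newline.
FLAGS = re.IGNORECASE | re.DOTALL

GUARD = r"^Received:"
HOST = r"mgate2\.vbhcs\.org"
KEEP_ID = rf"\s+({HOST} \(Postfix\) with ESMTPS?A id \w+)"
DROP_ID = rf".*by ({HOST} \(Postfix\) with ESMTPS?A).*"
TEMPLATE = "X-Submitted: to $1"


def header_check(header, pattern, template=TEMPLATE, guard=GUARD):
    """Emulate:  if /guard/  /pattern/ REPLACE template  endif"""
    if not re.search(guard, header, FLAGS):
        return header
    m = re.search(pattern, header, FLAGS)
    if m is None:
        return header  # no rule matched: header passes through untouched
    # REPLACE substitutes the entire header, not just the matched span.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)


def leaks_client_ip(header):
    """True if the submitting client's address is still in the header."""
    return "68.19.247.14" in header or "192.168.5.108" in header


if __name__ == "__main__":
    for name, pat in (("keep id", KEEP_ID), ("drop id", DROP_ID)):
        print(f"{name}: {header_check(SAMPLE, pat)}")
    print("unauthenticated unchanged:", header_check(UNAUTH, KEEP_ID) == UNAUTH)
```

On a live system the same check can be made against the real map with postmap -q, feeding it a captured header.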


Do not include first 'Received' header when received via 465/587?

2009-03-05 Thread Nate Carlson

Hi,

I have a client that I have set up the submission port and 465 (for 
submission over raw SSL). They use many different internet connections, 
and a few of them (Panera Bread in particular) have their IP on 
blacklists. Because the IP gets included in the first Received header from 
Postfix, some sites are catching the mail as spam (apparently some sites 
scan all 'Received' headers for DNSBL's? Sigh.)


I've found tricks to remove or edit Received headers for specific IP's via 
'header_checks'; however, what I'd like to be able to do is either remove 
the header altogether or modify the IP to one of the IP's that we own for 
all authenticated users that submit mail via 465/587. I'm not finding a 
clean way of doing this; hoping someone has been down this road before so 
I don't have to reinvent the wheel.  ;)


Appreciate any advice - thanks much!

-Nate


Re: Do not include first 'Received' header when received via 465/587?

2009-03-05 Thread Wietse Venema
Nate Carlson:
 Hi,
 
 I have a client that I have set up the submission port and 465 (for 
 submission over raw SSL). They use many different internet connections, 
 and a few of them (Panera Bread in particular) have their IP on 
 blacklists. Because the IP gets included in the first Received header from 
 Postfix, some sites are catching the mail as spam (apparently some sites 
 scan all 'Received' headers for DNSBL's? Sigh.)
 
 I've found tricks to remove or edit Received headers for specific IP's via 
 'header_checks'; however, what I'd like to be able to do is either remove 
 the header altogether or modify the IP to one of the IP's that we own for 
 all authenticated users that submit mail via 465/587. I'm not finding a 
 clean way of doing this; hoping someone has been down this road before so 
 I don't have to reinvent the wheel.  ;)
 
 Appreciate any advice - thanks much!

$ man header_checks | less +/IGNORE
$ man header_checks | less +/REPLACE

Wietse


Re: Do not include first 'Received' header when received via 465/587?

2009-03-05 Thread Nate Carlson

On Thu, 5 Mar 2009, Wietse Venema wrote:

I've found tricks to remove or edit Received headers for specific IP's via
'header_checks'; however, what I'd like to be able to do is either remove
the header altogether or modify the IP to one of the IP's that we own for
all authenticated users that submit mail via 465/587.


$ man header_checks | less +/IGNORE
$ man header_checks | less +/REPLACE


Thanks.. I've got that, but I'm not finding a way to only match mail that 
comes in via Submission, and not via regular SMTP. Is there a way to tell 
Postfix to only apply the header_checks to certain mail processes?


I suppose I could do something like 'no_header_body_checks' on the main 
SMTP process, but it'd be nice to be able to do some checks there in the 
future too.


-Nate


Re: Do not include first 'Received' header when received via 465/587?

2009-03-05 Thread Daniel L. Miller

Nate Carlson wrote:

On Thu, 5 Mar 2009, Wietse Venema wrote:
I've found tricks to remove or edit Received headers for specific 
IP's via
'header_checks'; however, what I'd like to be able to do is either 
remove
the header altogether or modify the IP to one of the IP's that we 
own for

all authenticated users that submit mail via 465/587.


$ man header_checks | less +/IGNORE
$ man header_checks | less +/REPLACE


Thanks.. I've got that, but I'm not finding a way to only match mail 
that comes in via Submission, and not via regular SMTP. Is there a way 
to tell Postfix to only apply the header_checks to certain mail 
processes?


I suppose I could do something like 'no_header_body_checks' on the 
main SMTP process, but it'd be nice to be able to do some checks there 
in the future too.
You can make the change in master.cf.  Find the submission line, and 
add the parameter.  For example:


submission inet n   -   -   -   -   smtpd
 -o header_checks=hash:/etc/postfix/maps/submission_header_checks

--
Daniel


Re: Do not include first 'Received' header when received via 465/587?

2009-03-05 Thread Victor Duchovni
On Thu, Mar 05, 2009 at 05:35:11PM -0800, Daniel L. Miller wrote:

 I suppose I could do something like 'no_header_body_checks' on the main 
 SMTP process, but it'd be nice to be able to do some checks there in the 
 future too.
 You can make the change in master.cf.  Find the submission line, and add 
 the parameter.  For example:

 submission inet n   -   -   -   -   smtpd
  -o header_checks=hash:/etc/postfix/maps/submission_header_checks

No, this is useless, smtpd does not implement header_checks.

-- 
Viktor.



Re: Do not include first 'Received' header when received via 465/587?

2009-03-05 Thread Noel Jones

Daniel L. Miller wrote:

Nate Carlson wrote:

On Thu, 5 Mar 2009, Wietse Venema wrote:
I've found tricks to remove or edit Received headers for specific 
IP's via
'header_checks'; however, what I'd like to be able to do is either 
remove
the header altogether or modify the IP to one of the IP's that we 
own for

all authenticated users that submit mail via 465/587.


$ man header_checks | less +/IGNORE
$ man header_checks | less +/REPLACE


Thanks.. I've got that, but I'm not finding a way to only match mail 
that comes in via Submission, and not via regular SMTP. Is there a way 
to tell Postfix to only apply the header_checks to certain mail 
processes?


I suppose I could do something like 'no_header_body_checks' on the 
main SMTP process, but it'd be nice to be able to do some checks there 
in the future too.
You can make the change in master.cf.  Find the submission line, and 
add the parameter.  For example:


submission inet n   -   -   -   -   smtpd
 -o header_checks=hash:/etc/postfix/maps/submission_header_checks



You're on the right track, but your example won't work - 
header_checks are a property of the cleanup process, not 
smtpd.  And while it's legal to use hash: maps for 
header_checks, it's not very useful.


The solution is to define an alternate cleanup service for 
submission, and then define alternate header_checks for that 
cleanup


submission ... smtpd
  -o cleanup_service_name=cleanup_submission

cleanup_submission ... cleanup
  -o header_checks=pcre:/path/to/header_checks



Re: Do not include first 'Received' header when received via 465/587?

2009-03-05 Thread Noel Jones

Noel Jones wrote:

Daniel L. Miller wrote:

Nate Carlson wrote:

On Thu, 5 Mar 2009, Wietse Venema wrote:
I've found tricks to remove or edit Received headers for specific 
IP's via
'header_checks'; however, what I'd like to be able to do is either 
remove
the header altogether or modify the IP to one of the IP's that we 
own for

all authenticated users that submit mail via 465/587.


$ man header_checks | less +/IGNORE
$ man header_checks | less +/REPLACE


Thanks.. I've got that, but I'm not finding a way to only match mail 
that comes in via Submission, and not via regular SMTP. Is there a 
way to tell Postfix to only apply the header_checks to certain mail 
processes?


I suppose I could do something like 'no_header_body_checks' on the 
main SMTP process, but it'd be nice to be able to do some checks 
there in the future too.
You can make the change in master.cf.  Find the submission line, and 
add the parameter.  For example:


submission inet n   -   -   -   -   smtpd
 -o header_checks=hash:/etc/postfix/maps/submission_header_checks



You're on the right track, but your example won't work - header_checks 
are a property of the cleanup process, not smtpd.  And while it's legal 
to use hash: maps for header_checks, it's not very useful.


The solution is to define an alternate cleanup service for submission, 
and then define alternate header_checks for that cleanup


submission ... smtpd
  -o cleanup_service_name=cleanup_submission

cleanup_submission ... cleanup
  -o header_checks=pcre:/path/to/header_checks



Oh, and recent postfix marks authenticated headers; note the 
ESMTPSA.   S = StartTLS, A = Authenticated


Received: from [192.168.5.108] 
(adsl-19-247-14.bna.bellsouth.net [68.19.247.14])

by mgate2.vbhcs.org (Postfix) with ESMTPSA id BAF4A797A6A;
Thu,  5 Mar 2009 20:09:39 -0600 (CST)

a regexp something like
/^(Received: .* myhostname \(Postfix\) with ESMTPS?A .*)$/
   REPLACE X-$1

should do the trick.

  -- Noel Jones


Re: Do not include first 'Received' header when received via 465/587?

2009-03-05 Thread LuKreme

On 5-Mar-2009, at 19:15, Noel Jones wrote:
Oh, and recent postfix marks authenticated headers; note the  
ESMTPSA.   S = StartTLS, A = Authenticated


Received: from [192.168.5.108] (adsl-19-247-14.bna.bellsouth.net  
[68.19.247.14])

by mgate2.vbhcs.org (Postfix) with ESMTPSA id BAF4A797A6A;
Thu,  5 Mar 2009 20:09:39 -0600 (CST)


That is very cool, I didn't know that.  Of course in my case we're not  
using TLS, so the header has ESMTPA, but still, quite useful.



a regexp something like
/^(Received: .* myhostname \(Postfix\) with ESMTPS?A .*)$/
  REPLACE X-$1

should do the trick.


I really like that, there's all sorts of possibilities here.  Would it  
be bad to strip out the IPs (usually local/private) from these headers?


/^(Received: from )\[\d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?\](.* myhostname \(Postfix\) with ESMTPS?A .*)$/
  REPLACE X-$1[internal LAN]$2

/^(Received: from [^\[].* myhostname \(Postfix\) with ESMTPS?A .*)$/
  REPLACE X-$1

??

I'm thinking that cleanup is called for all messages, which is why you  
would only want this on a submission port and not just on the regular  
cleanup service. Although the Received: from [ip.ip.ip.ip] form  
never shows up on external mail since bare-ip mailservers are banned  
anyway.


--
Athene we all have our moments when we lose it
Slyspy the key is though, to conceal the evidence before the police  
arrive