Hi

I'm working on configuring a new mail server instance on Debian Bookworm, with 
Postfix 3.7.10-0+deb12u1. To hide internal IP addresses, I'd like to rewrite 
the first "Received" header for mails submitted by authenticated users. There 
are a number of options I found online, and it seems rather straightforward.

Ultimately, I ended up with the following rule, but I have a problem with it 
(or any other that I've found):

    /^\s*Received:[^\n]+(.*)/                  REPLACE Received: from 
[127.0.0.1] (localhost [127.0.0.1])$1

This works just fine when tested with postmap:

    cat mail.txt | postmap -h -q - pcre:/etc/postfix/auth_header_checks.pcre
    Received: from smtpclient.apple (unknown [1.2.3.4])
            (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 
bits))  REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])
            (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 
bits))

But when I send an actual e-mail, some characters of the original header show 
up:

    from [127.0.0.1] (localhost [127.0.0.1])nknown [1.2.3.4])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)

Note the "nknown [1.2.3.4])" text.

It seems like the text is appended, as adding additional spaces does not help:

    /^\s*Received:[^\n]+(.*)/                  REPLACE Received: from 
[127.0.0.1] (localhost [127.0.0.1])                  $1

Causes:

    from [127.0.0.1] (localhost [127.0.0.1])                  nknown [1.2.3.4])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)

The tab, newline and carriage-return characters also look correct: after 
"nknown [1.2.3.4])" there is "\r\n\t" before "(using".

Am I doing something wrong, or is this a bug? (One thing worth checking from the 
config below: the postmap test above used a `pcre:` table, whereas 
privacy_cleanup's header_checks is declared as `regexp:`, i.e. POSIX extended 
regex. In a POSIX bracket expression `\n` is not an escape — `[^\n]` means 
"anything except a backslash or the letter n" — so `[^\n]+` would stop at the 
first "n" in "unknown" and `(.*)` would capture the remainder, which appears to 
match the output seen. Pointing header_checks at `pcre:` seems the first thing 
to try. Also note that with smtpd_sasl_authenticated_header = yes the 
`(Authenticated sender: ...)` clause Postfix adds to that same Received header 
is kept by `$1`, if the login name is something you also intend to hide.)

Here's what I hope is enough of my config to confirm:

postconf -P

smtps/inet/cleanup_service_name = privacy_cleanup
smtps/inet/milter_macro_daemon_name = ORIGINATING
smtps/inet/smtpd_helo_restrictions = permit_sasl_authenticated, reject
smtps/inet/smtpd_recipient_restrictions = check_recipient_access 
pcre:${config_directory}/recipient_whitelist.pcre, reject
smtps/inet/smtpd_reject_unlisted_recipient = no
smtps/inet/smtpd_relay_restrictions = permit_sasl_authenticated, reject
smtps/inet/smtpd_sasl_auth_enable = yes
smtps/inet/smtpd_tls_wrappermode = yes
smtps/inet/syslog_name = postfix/smtps
smtps/inet/tls_preempt_cipherlist = yes
privacy_cleanup/unix/header_checks = regexp:/etc/postfix/auth_header_checks.pcre
privacy_cleanup/unix/syslog_name = postfix/privacy_cleanup
172.21.203.190:2525/inet/smtpd_tls_cert_file = /etc/pki/realms/dci/default.crt
172.21.203.190:2525/inet/smtpd_tls_key_file = /etc/pki/realms/dci/default.key
172.21.203.190:2525/inet/syslog_name = postfix/dci-relay

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
compatibility_level = 3.7
disable_vrfy_command = yes
enable_long_queue_ids = yes
html_directory = no
inet_interfaces = all
lmtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
lmtp_tls_ciphers = high
lmtp_tls_exclude_ciphers = aNULL, RC4, MD5, DES, 3DES, RSA, SHA
lmtp_tls_loglevel = 1
lmtp_tls_mandatory_ciphers = high
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
lmtp_tls_note_starttls_offer = no
lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
lmtp_tls_security_level = none
lmtp_tls_session_cache_database = btree:${data_directory}/lmtp_scache
mailbox_size_limit = 0
message_size_limit = 20971520
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {client_addr} 
{client_name} {mail_addr} {mail_host} {mail_mailer}
non_smtpd_milters = inet:localhost:11332, unix:/opendkim/opendkim.sock
postscreen_access_list = permit_mynetworks, 
cidr:${config_directory}/postscreen_access.cidr
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = 
pcre:${config_directory}/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*1, b.barracudacentral.org*1, 
bl.spamcop.net*1, list.dnswl.org=127.[0..255].[0..255].[0..254]*-3, 
list.dnswl.org=127.[0..255].[0..255].0*-2, 
list.dnswl.org=127.[0..255].[0..255].1*-3, 
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = yes
postscreen_whitelist_interfaces = static:all
readme_directory = no
recipient_delimiter = +
relayhost =
sender_bcc_maps = ldap:${config_directory}/ldap_force_bcc.cf
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = aNULL, RC4, MD5, DES, 3DES, RSA, SHA
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining, 
reject_multi_recipient_bounce
smtpd_discard_ehlo_keywords = dsn, etrn
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access 
pcre:${config_directory}/banned_helo_names.pcre, reject_invalid_helo_hostname, 
reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_milters = inet:localhost:11332, unix:/opendkim/opendkim.sock
smtpd_permit_known_sender_relays = reject_unlisted_sender, 
permit_sasl_authenticated, reject
smtpd_recipient_restrictions = reject_non_fqdn_recipient, 
reject_unknown_recipient_domain
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks, check_sasl_access 
ldap:${config_directory}/ldap_known_sender_relays.cf, 
permit_sasl_authenticated, defer_unauth_destination
smtpd_restriction_classes = smtpd_permit_known_sender_relays
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = unionmap:{ 
ldap:/etc/postfix/ldap_smtpd_sender_login_maps.cf, 
ldap:/etc/postfix/ldap_distribution_list_login_map.cf }
smtpd_sender_restrictions = reject_non_fqdn_sender, 
reject_unknown_sender_domain, permit_mynetworks, check_sasl_access 
ldap:${config_directory}/ldap_known_sender_relays.cf, 
reject_authenticated_sender_login_mismatch, check_sender_access 
ldap:${config_directory}/ldap_unauth_domain_access.cf, 
permit_sasl_authenticated, check_sender_access 
ldap:${config_directory}/ldap_unauth_sender_access.cf
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/realms/mail/default.crt
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/pki/dhparam/set0
smtpd_tls_dh512_param_file = /etc/pki/dhparam/set0
smtpd_tls_eecdh_grade = ultra
smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, DES, 3DES, RSA, SHA
smtpd_tls_key_file = /etc/pki/realms/mail/default.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, TLSv1.1, TLSv1.2, 
TLSv1.3
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = no
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps = $alias_maps, 
ldap:/etc/postfix/ldap_virtual_forward_maps.cf, 
ldap:/etc/postfix/ldap_virtual_alias_maps.cf
virtual_gid_maps = static:200
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = cloudscale.zone
virtual_mailbox_maps = ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:200

/etc/postfix/auth_header_checks.pcre

/^\s*Received:[^\n]+(.*)/                  REPLACE Received: from [127.0.0.1] 
(localhost [127.0.0.1])$1
/^\s*Mime-Version:\s*([0-9\.]+).*/         REPLACE Mime-Version: $1
/^\s*User-Agent:/                          IGNORE
/^\s*X-Mailer:/                            IGNORE
/^\s*X-Originating-IP:/                    IGNORE
/^\s*X-Enigmail:/                          IGNORE
/^\s*X-Pgp-Agent:/                         IGNORE

Cheers,

Denis
