Ralph,

> A1: Have Postfix accept mail on port 587 from SASL-authenticated
>     clients only.
> A2: Remove "Received:" headers to hide internal routing.
> A3: Inject mail into amavisd-new for virus checks and DKIM signing.

With the help of custom hooks this can be achieved by amavisd itself:

amavisd.conf:

  include_config_files('/etc/amavisd-custom.conf');

/etc/amavisd-custom.conf:

  package Amavis::Custom;
  use strict;

  BEGIN {
    import Amavis::Conf qw(c cr ca);
    import Amavis::Util qw(do_log);
  }

  # one custom-hooks object is created per message
  sub new {
    my($class,$conn,$msginfo) = @_;
    my($self) = bless {}, $class;
    $self;
  }

  # called just before the message is forwarded
  sub before_send {
    my($self,$conn,$msginfo) = @_;
    if (c('originating')) {  # only for mail from our own clients
      my($hdr_edits) = $msginfo->header_edits;
      $hdr_edits->delete_header('Received');
    }
  }

  1;  # insure a defined return

If you need to be more selective and delete only selected Received
header fields, this is a bit more tricky, but doable. Instead of
$hdr_edits->delete_header(...) use the following:

  $hdr_edits->edit_header('Received',
    sub { my($hn,$b) = @_;
          $b=~/from xxx \[10\./si ? (undef,0) : ($b,1) });

matching the regexp to your needs. The $b is a header field body,
the result is a replacement body, or undef to delete it.

> $signed_header_fields{lc('Received')} = 0;
>
> @Mark Martinec (in case you're reading this): Do you think
> this would make a reasonable default setting for amavisd-new?

It is certainly reasonable, but I most likely won't be changing
the default. The reason the DKIM document suggests not to sign
Received header fields is for fear that MTAs in the chain may
modify them and thus break a signature. In my experience this
practically never happens. It is much more likely that other
header fields get mangled, such as To, Cc, Sender, Message-ID.
The Received header field is one of the few which survives
practically intact even the more obscure mailers.

Mark
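
The selective-deletion callback described in the message can be checked offline before it goes into /etc/amavisd-custom.conf. The following is an added example, not part of the original message or of amavisd-new: the sub name strip_internal_received, the choice of RFC 1918 and loopback ranges as "internal", and the sample header bodies are assumptions constructed for illustration. It goes beyond the single `10.` pattern in the message and only inspects the "from" clause of each field.

```perl
#!/usr/bin/perl
# Added example: offline check of an edit_header-style callback.
use strict;
use warnings;

# Assumption: "internal" means an RFC 1918 or loopback address literal;
# replace these patterns with your own networks.
my $o = qr/\d{1,3}/;
my $internal_ip = qr/(?: 10\.$o\.$o\.$o
                       | 172\.(?:1[6-9]|2\d|3[01])\.$o\.$o
                       | 192\.168\.$o\.$o
                       | 127\.$o\.$o\.$o )/x;

# Same calling convention as the sub passed to edit_header in the message:
# receives (field name, field body) and returns (undef,0) to delete the
# field or ($body,1) to keep it.
sub strip_internal_received {
  my($hn,$body) = @_;
  # Look only at the "from" clause, so an internal address in the "by"
  # clause of a hop that received from outside does not trigger deletion.
  my($from) = $body =~ /^\s*from\s+(.*?)(?:\s+by\s|;|\z)/si;
  (defined($from) && $from =~ /\[$internal_ip\]/) ? (undef,0) : ($body,1);
}

my @samples = (   # constructed Received bodies with the expected action
  [" from ws1.corp.example (ws1.corp.example [10.1.2.3])\n\tby mail.example.com (Postfix) with ESMTPSA id 4ABC;\n\tMon, 1 Jan 2024 10:00:00 +0000\n", 'delete'],
  [" from laptop (unknown [192.168.7.20])\n\tby mail.example.com (Postfix) with ESMTPSA id 4ABD;\n\tMon, 1 Jan 2024 10:00:01 +0000\n", 'delete'],
  [" from mx.example.net (mx.example.net [198.51.100.7])\n\tby filter.corp.example ([10.0.0.5]) with ESMTP id 4ABE;\n\tMon, 1 Jan 2024 10:00:02 +0000\n", 'keep'],
  [" from host.example.org (host.example.org [172.32.0.1])\n\tby mail.example.com (Postfix) with ESMTP id 4ABF;\n\tMon, 1 Jan 2024 10:00:03 +0000\n", 'keep'],
  [" by mail.example.com (Postfix, from userid 1000)\n\tid 4AC0; Mon, 1 Jan 2024 10:00:04 +0000\n", 'keep'],
);

my $failed = 0;
for my $s (@samples) {
  my($body,$want) = @$s;
  my($new) = strip_internal_received('Received', $body);
  my $got = defined $new ? 'keep' : 'delete';
  $failed++ if $got ne $want;
  printf "%-6s (want %-6s)%s\n", $got, $want, (split /\n/, $body)[0];
}
exit($failed ? 1 : 0);
```

Once the expected fields are deleted and the rest kept, the sub can be passed as a code reference in place of the anonymous sub given to edit_header in the message.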