Here's what I did:

Create file 'stripauth' with the following line:

/^(Received:.*)$/ REPLACE X-Recieved: From Authenticated User

In master.cf:

submission inet n       -       n       -       -       smtpd
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=
  -o cleanup_service_name=cleanup-out
cleanup-out     unix    n       -       -       -       0       cleanup
        -o header_checks=pcre:/usr/local/etc/postfix/stripauth

I wish I could give credit for where I got that but it's been too long.


Why did I need to do this? Well, Barracuda appliances offer the ability to check ALL IPs in Received From: headers (not just the delivering MTA). Obviously NOT what they should do, and not the default configuration, but too many people who administer services have no clue what they are doing. At any rate, these misconfigured appliances were rejecting email based on the originating user's IP (dynamic DSL). The only solution I could come up with was to strip that header for authenticated users.


On 2/12/2012 3:21 PM, Alex Bligh wrote:
A server I run (let's say mail.example.com) inserts a mail header
similar to the one below, when it receives mail either via normal
SMTP from another MTA, or when it receives mail from an authenticated
MUA.

Received: from [10.10.10.10] (1.1.200.192.example.com [192.200.1.1])
    by mail.example.com (Postfix) with ESMTPSA id AAAAAAAAA;
    Sun, 12 Feb 2012 19:54:19 +0000 (GMT)

In this example, 10.10.10.10 is behind a NAT, the external IP
address being 192.200.1.1.

In the case of authenticated MUA submissions (only) I do not want to
leak the actual IP address - in fact I'd prefer not to put any "from"
information in at all. I think I need a Received: line still.

I don't want to remove this for mail from other MTAs which do not
authenticate.

Any ideas how I do this?

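Added example, not part of the original thread: a Python emulation of how the posted `stripauth` rule acts on the logical headers that pass through `cleanup-out`, next to a narrower pattern that keeps a Received: line without the "from" part, as the original question asked. The `NARROW` pattern, the second hop and all header values are constructed assumptions, checked only against these sample headers.

```python
import re

# Postfix pcre tables default to case-insensitive matching with "." also
# matching newlines; header_checks sees a folded header as one logical line.
FLAGS = re.IGNORECASE | re.DOTALL

# Rule as posted in 'stripauth' (replacement text kept exactly as posted).
POSTED = (re.compile(r"^(Received:.*)$", FLAGS),
          "X-Recieved: From Authenticated User")

# Hypothetical narrower rule (assumption, not from the post): match only the
# authenticated hop (ESMTPA/ESMTPSA) and keep everything from "by" onward.
# In a Postfix pcre table the replacement would be written "Received: $1".
NARROW = (re.compile(
    r"^Received: from .*?\s(by \S+ \(Postfix\) with ESMTPS?A\b.*)$", FLAGS),
    r"Received: \1")

# Constructed sample: headers of one message as the cleanup service sees them.
SUBMITTED = [
    "Received: from [10.10.10.10] (1.1.200.192.example.com [192.200.1.1])\n"
    "    by mail.example.com (Postfix) with ESMTPSA id AAAAAAAAA;\n"
    "    Sun, 12 Feb 2012 19:54:19 +0000 (GMT)",
    "Received: from app.internal.example (app.internal.example [10.0.0.5])\n"
    "    by relay.internal.example (Postfix) with ESMTP id BBBBBBBBB;\n"
    "    Sun, 12 Feb 2012 19:54:18 +0000 (GMT)",
    "Subject: test",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def apply_check(rule, headers):
    """Apply one REPLACE rule to each logical header, as header_checks would."""
    pattern, replacement = rule
    out = []
    for header in headers:
        m = pattern.match(header)
        out.append(m.expand(replacement) if m else header)
    return out

def leaked_ips(headers):
    """Dotted-quad strings still visible anywhere in the header list."""
    return [ip for h in headers for ip in IPV4.findall(h)]

if __name__ == "__main__":
    for name, rule in (("posted", POSTED), ("narrow", NARROW)):
        result = apply_check(rule, SUBMITTED)
        print(name, "-> remaining addresses:", leaked_ips(result))
        print("\n".join(result), "\n")
```

The posted rule rewrites every Received: header in a message handled by `cleanup-out`, including earlier hops already present in the submitted message, while the narrower pattern touches only the authenticated hop and leaves the trace line in place.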