On 2018-04-05 08:54:45 (+0800), J Doe wrote:

Hi Phillip,

I have a question in regards to removing some trace records when providing submission on Postfix 3.1.x and later.

While reading RFC 6409 (“Message Submission for Mail”), I note that the RFC observes that:

“Even when submitted messages are complete, local site policy may dictate that the message text be examined or modified in some way, e.g., to conceal local name or address spaces.”

By this I take it that I could remove perhaps the initial trace message that returns information about internal addresses and network names. It seems to me that both Hotmail/Outlook and Gmail do this.

Is this acceptable? The only bad side to it would appear to be possibly some increased difficulty in troubleshooting.

If it is an acceptable process, how would I configure Postfix to do this only on submission?

I anonymise the initial Received: header with a header_checks on the submission service.

In master.cf, I add `-o cleanup_service_name=subcleanup` to the submission service. That service is defined as:

  subcleanup  unix n       -       n       -       0       cleanup
    -o syslog_name=postfix/subcleanup
    -o header_checks=pcre:$config_directory/submission_header_checks.pcre

The submission_header_checks.pcre file contains:

/^\s*(Received: from .+?(?=\s\())[^\n]*(.*for <.*)/ REPLACE $1 (localhost [127.0.0.1])$2

I'm sure there are better ways to do this, but this works for me.

It doesn't interfere with debugging much because the logs will mention the replacement and it's easy to grep for.

Thank you for your reply.

I currently use DKIM and as per the RFC for DKIM, I don’t include trace headers in the message hash that makes up the DKIM signature. I am under the impression that my DKIM signatures should be correct in this case if I use your solution and it re-writes the first trace header - is that true or are there any other DKIM issues I might run into?

Unless you have specifically configured your DKIM setup to include trace headers in the hash (which you should not do according to the RFC), your DKIM signatures will continue to be correct if you anonymise the first trace header like I do.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information
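
Added example, not part of the original messages and not Postfix code: a Python emulation of the header_checks rule quoted above, applied to constructed Received: headers, together with a check that a constructed DKIM-Signature does not list Received in its h= tag. The sample headers, host names and function names are assumptions made for illustration.

```python
import re

# Pattern and replacement copied from submission_header_checks.pcre above.
# Postfix pcre tables match case-insensitively with "." matching newlines by
# default; re.IGNORECASE | re.DOTALL emulates that here.
RULE = re.compile(r"^\s*(Received: from .+?(?=\s\())[^\n]*(.*for <.*)",
                  re.IGNORECASE | re.DOTALL)
REPLACEMENT = r"\1 (localhost [127.0.0.1])\2"

def anonymise(header):
    """Emulate REPLACE: a matching header is replaced whole, others pass."""
    m = RULE.search(header)
    return m.expand(REPLACEMENT) if m else header

def dkim_signed_headers(dkim_signature):
    """Return the lower-cased header names listed in the h= tag."""
    value = dkim_signature.split(":", 1)[1]
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
    return [h.strip().lower() for h in tags["h"].split(":")]

# Constructed sample headers (documentation addresses, not real traffic).
SINGLE_RCPT = (
    "Received: from laptop.corp.example (unknown [192.0.2.10])\n"
    "\t(Authenticated sender: jdoe)\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 0123456789\n"
    "\tfor <rcpt@example.net>; Thu,  5 Apr 2018 08:54:45 +0800 (CST)")
# Constructed: the same header without a "for <...>" clause. The rule
# requires that clause, so this header is not rewritten.
NO_FOR_CLAUSE = (
    "Received: from laptop.corp.example (unknown [192.0.2.10])\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 0123456789;\n"
    "\tThu,  5 Apr 2018 08:54:45 +0800 (CST)")
DKIM = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;\n"
        "\th=from:to:subject:date:message-id; bh=CONSTRUCTED=; b=CONSTRUCTED=")

if __name__ == "__main__":
    # Only the parenthesised client name and address on the first line are
    # replaced; the HELO name and the continuation lines are kept as they are.
    print(anonymise(SINGLE_RCPT))
    print("unchanged without 'for <':", anonymise(NO_FOR_CLAUSE) == NO_FOR_CLAUSE)
    print("Received signed by DKIM:", "received" in dkim_signed_headers(DKIM))
```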
