On 2018-04-05 08:54:45 (+0800), J Doe wrote:
Hi Philip,
I have a question in regards to removing some trace records when
providing submission on Postfix 3.1.x and later.
While reading RFC 6409 (“Message Submission for Mail”), I note
that the RFC observes that:
"Even when submitted messages are complete, local site policy may
dictate that the message text be examined or modified in some way,
e.g., to conceal local name or address spaces."
By this I take it that I could remove perhaps the initial trace
message that returns information about internal addresses and
network names. It seems to me that both Hotmail/Outlook and Gmail
do this.
Is this acceptable? The only bad side to it would appear to be
possibly some increased difficulty in troubleshooting.
If it is an acceptable process, how would I configure Postfix to do
this only on submission?
I anonymise the initial Received: header with a header_checks on the
submission service.
In master.cf, I add `-o cleanup_service_name=subcleanup` to the
submission service. That service is defined as:
    subcleanup unix n - n - 0 cleanup
      -o syslog_name=postfix/subcleanup
      -o header_checks=pcre:$config_directory/submission_header_checks.pcre
The submission_header_checks.pcre file contains:
    /^\s*(Received: from .+?(?=\s\())[^\n]*(.*for <.*)/ REPLACE $1 (localhost [127.0.0.1])$2
I'm sure there are better ways to do this, but this works for me.
It doesn't interfere with debugging much because the logs will
mention the replacement and it's easy to grep for.
Thank you for your reply.
I currently use DKIM and as per the RFC for DKIM, I don’t include
trace headers in the message hash that makes up the DKIM signature. I
am under the impression that my DKIM signatures should be correct in
this case if I use your solution and it re-writes the first trace
header - is that true or are there any other DKIM issues I might run
into?
Unless you have specifically configured your DKIM setup to include trace
headers in the hash (which you should not do according to the RFC), your
DKIM signatures will continue to be correct if you anonymise the first
trace header like I do.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
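
Added example, not part of the original thread and not Postfix code: a Python check that applies the pattern from submission_header_checks.pcre to two constructed Received: headers, to show which parts the rewrite replaces, which it keeps, and which headers it does not match at all. Python's `re` stands in for Postfix's PCRE tables, and the host names, addresses and queue ID are constructed.

```python
import re

# Pattern from submission_header_checks.pcre in the thread. Postfix pcre tables
# default to case-insensitive matching with "." matching newlines, so the same
# flags are set here.
PATTERN = re.compile(
    r"^\s*(Received: from .+?(?=\s\())[^\n]*(.*for <.*)",
    re.IGNORECASE | re.DOTALL,
)

def apply_header_check(header: str) -> str:
    """Return the header as the REPLACE action would leave it (unchanged if no match)."""
    m = PATTERN.search(header)
    if m is None:
        return header
    # Equivalent of: REPLACE $1 (localhost [127.0.0.1])$2
    return f"{m.group(1)} (localhost [127.0.0.1]){m.group(2)}"

# Constructed sample: one recipient, so the header carries a "for <...>" clause.
SINGLE_RCPT = (
    "Received: from laptop.corp.example (unknown [192.0.2.45])\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n"
    "\t(No client certificate requested)\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 4F1A2B3C4D\n"
    "\tfor <bob@example.net>; Thu,  5 Apr 2018 08:54:45 +0800 (CST)"
)

# Constructed sample: Postfix writes the "for <...>" clause only for
# single-recipient messages, so a multi-recipient header looks like this.
MULTI_RCPT = (
    "Received: from laptop.corp.example (unknown [192.0.2.45])\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 4F1A2B3C4D;\n"
    "\tThu,  5 Apr 2018 08:54:45 +0800 (CST)"
)

def internal_details(header: str) -> list:
    """List which constructed internal identifiers are still visible."""
    return [s for s in ("laptop.corp.example", "192.0.2.45") if s in header]

if __name__ == "__main__":
    for name, hdr in (("single", SINGLE_RCPT), ("multi", MULTI_RCPT)):
        out = apply_header_check(hdr)
        state = "rewritten" if out != hdr else "UNCHANGED"
        print(f"{name}: {state}, still visible: {internal_details(out)}")
```

Running `postmap -q` against the real pcre table with headers from your own submission logs gives the same check on the live configuration.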