Jaroslaw Rafa wrote in
 <20230112205215.ga28...@rafa.eu.org>:
 |On 12.01.2023 at 13:49:33 post...@ptld.com wrote:
 |> My solution...
 |>
 |> main.cf:
 |> smtp_header_checks = pcre:/etc/postfix/header_checks_smtp
 |>
 |>
 |> /etc/postfix/header_checks_smtp:
 |> /^Received:/ IGNORE
 |> /^X-Originating-Ip:/ IGNORE
 |
 |If you do it in master.cf for submission services only, it may be OK. But as

It definitely does not work.  It only works for smtp not smtpd.
Also message_drop_headers+=.
I now have disabled relay from the outside completely and spawn
an in-VPN-only-submission

  192.0.2.1:submission inet n - n - - smtpd
    -o syslog_name=vpnsubmission
    -o smtpd_sasl_auth_enable=no
    -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination

As this listens only on the VPN (a veth(4) endpoint into an ip(8)
netns that only routes via WireGuard), I neither use TLS for
another layer of transport security nor SASL or TLS client
certificates for authentication (since any postfix server member
of the VPN that relayhost= through the VPN would anyway be able;
I still have the certificates though, from my former approach).
I was not able to remove the Received:.
One more process listening around, what overkill for my purpose
(and only permit_mynetworks is the change in :smtp).

 |a general default in main.cf it's definitely wrong. You strip all Received:
 |headers from all incoming mail, thus you are unable to investigate the
 |details in case of any mail problems (eg. you are receiving spam or \
 |messages
 |with fake sender address).

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
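The "submission services only" scoping raised in the quoted reply, as an added configuration example that is not part of the thread: it uses Postfix's `cleanup_service_name` to give the submission listener its own cleanup(8) instance with its own `header_checks`, a mechanism the messages above do not mention. The service name `subcleanup` and the table path are hypothetical, and the listener's other `-o` options (authentication, relay restrictions) are left out.

```conf
# --- Too broad: main.cf (global default) --------------------------------
# header_checks is applied by cleanup(8) to every message entering the
# queue, so this would also strip Received: from inbound Internet mail
# and remove the trace needed to investigate spam or forged senders.
#
#   header_checks = pcre:/etc/postfix/header_checks_submission

# --- Scoped: master.cf ---------------------------------------------------
# Only the submission listener hands its mail to a separate cleanup
# instance; port 25 keeps using the stock "cleanup" service untouched.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o cleanup_service_name=subcleanup

# "subcleanup" is a hypothetical name; it must match the -o value above.
subcleanup unix n       -       n       -       0       cleanup
  -o syslog_name=postfix/subcleanup
  -o header_checks=pcre:/etc/postfix/header_checks_submission

# --- /etc/postfix/header_checks_submission (hypothetical path) ----------
# Same two patterns as in the quoted post.
/^Received:/            IGNORE
/^X-Originating-Ip:/    IGNORE
```

After `postfix reload`, a message accepted on the submission port should reach the queue without Received: lines, while mail arriving on port 25 keeps its full trace for investigation.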