From 16e31c6a0daf83b6550f4d714c3c660b391a6ecc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philipp=20D=C3=B6rfler?=
Date: Wed, 20 Sep 2017 00:05:01 +0200
Subject: [PATCH 1/2] Added header filtering for removing sensitive information.

---
 mail-server/postfix.nix | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 5ef634f..a5bfa69 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -97,6 +97,26 @@ in
 smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
 smtpd_sender_restrictions = "reject_sender_login_mismatch";
 smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
+ cleanup_service_name = "submission-header-cleanup";
+ };
+
+ extraMasterConf = ''
+ submission-header-cleanup unix n - n - 0 cleanup
+ -o header_checks=regexp:/etc/postfixsupport/submission_header_cleanup
+ '';
+ };
+
+ environment.etc = {
+ "postfixsupport/submission_header_cleanup" = {
+ text = ''
+ ### Removes sensitive headers from mails handed in via the submission port.
+ ### Thanks to https://thomas-leister.de/mailserver-debian-stretch/
+
+ /^Received:/ IGNORE
+ /^X-Originating-IP:/ IGNORE
+ /^X-Mailer:/ IGNORE
+ /^User-Agent:/ IGNORE
+ '';
 };
 };
 };
From 893c6db5cda475594537dc5ddc129984151ef286 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philipp=20D=C3=B6rfler?=
Date: Wed, 20 Sep 2017 08:38:40 +0200
Subject: [PATCH 2/2] Now using pkgs.writeText this places header cleanup rules into /store out of /etc and avoids the name clash.

---
 mail-server/postfix.nix | 29 +++++++++++++----------------
 1 file changed, 13 insertions(+), 16 deletions(-)

diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index a5bfa69..6a02b0a 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
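Review bot: The `-o header_checks=` override on the `submission-header-cleanup` service in `extraMasterConf` also changes `mime_header_checks` and `nested_header_checks`, whose Postfix defaults are `$header_checks`, so the IGNORE rules are applied to MIME part headers and to the headers of attached message/rfc822 messages as well, not only to the top-level headers of the submitted mail (a phishing sample forwarded as an attachment to an abuse mailbox, for example, loses its Received: trail). The same master.cf entry survives in the second patch's `@@ -99,25 +110,11 @@` hunk, so the point applies there too. If stripping nested headers is not intended, pin those parameters to empty on the service with `-o mime_header_checks=` and `-o nested_header_checks=` after the `-o header_checks=` line. Note also that `-o` replaces rather than extends any `header_checks` the module may set in main.cf outside this hunk, so inspection configured there would stop applying to submitted mail. The attribute set these options belong to starts before the hunk.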
@@ -47,7 +47,18 @@ let
 # every alias is owned (uniquely) by its user. We have to add the users own
 # address though
 vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" (vaccounts_identity ++ valiases_postfix));
+
+ submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
+ ### Removes sensitive headers from mails handed in via the submission port.
+ ### See https://thomas-leister.de/mailserver-debian-stretch/
+ ### Uses "pcre" style regex.
+ /^Received:/ IGNORE
+ /^X-Originating-IP:/ IGNORE
+ /^X-Mailer:/ IGNORE
+ /^User-Agent:/ IGNORE
+ /^X-Enigmail:/ IGNORE
+ '';
 in { config = with cfg; lib.mkIf enable {
@@ -99,25 +110,11 @@ in
 smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
 cleanup_service_name = "submission-header-cleanup";
 };
-
+
 extraMasterConf = ''
 submission-header-cleanup unix n - n - 0 cleanup
- -o header_checks=regexp:/etc/postfixsupport/submission_header_cleanup
+ -o header_checks=pcre:${submissionHeaderCleanupRules}
 '';
 };
-
- environment.etc = {
- "postfixsupport/submission_header_cleanup" = {
- text = ''
- ### Removes sensitive headers from mails handed in via the submission port.
- ### Thanks to https://thomas-leister.de/mailserver-debian-stretch/
-
- /^Received:/ IGNORE
- /^X-Originating-IP:/ IGNORE
- /^X-Mailer:/ IGNORE
- /^User-Agent:/ IGNORE
- '';
- };
- };
 };
 }
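Review bot: With `/^Received:/ IGNORE` in `submissionHeaderCleanupRules`, the Received: line recording the submission hop is dropped along with any the client supplied, so the smtpd log entry for that submission (client host and address, `sasl_username`) becomes the only record tying a delivered message to the account and address it was sent from. That is worth stating in the rules file so log retention is sized for abuse handling, e.g. add `### Client address/account then remain only in the smtpd log (client=, sasl_username=); retain those logs accordingly.` next to the existing `###` lines. The `### Uses "pcre" style regex.` comment is only true because of the `pcre:` prefix set in `extraMasterConf` in the next hunk; a reader changing one without the other gets the patterns interpreted by a different table type, so naming that dependency in the comment would help. The `let` block this binding sits in starts before the hunk.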