Merge pull request #15 from phdoerfler/patch-3

Added header filtering for removing sensitive information.
This commit is contained in:
r-raymond 2017-09-20 15:31:06 +02:00 committed by GitHub
commit bc48b701c8

View file

@ -47,7 +47,18 @@ let
# every alias is owned (uniquely) by its user. We have to add the users own # every alias is owned (uniquely) by its user. We have to add the users own
# address though # address though
vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" (vaccounts_identity ++ valiases_postfix)); vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" (vaccounts_identity ++ valiases_postfix));
submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
### Removes sensitive headers from mails handed in via the submission port.
### See https://thomas-leister.de/mailserver-debian-stretch/
### Uses "pcre" style regex.
/^Received:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
/^X-Enigmail:/ IGNORE
'';
in in
{ {
config = with cfg; lib.mkIf enable { config = with cfg; lib.mkIf enable {
@ -116,7 +127,13 @@ in
smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts"; smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
smtpd_sender_restrictions = "reject_sender_login_mismatch"; smtpd_sender_restrictions = "reject_sender_login_mismatch";
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject"; smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
cleanup_service_name = "submission-header-cleanup";
}; };
extraMasterConf = ''
submission-header-cleanup unix n - n - 0 cleanup
-o header_checks=pcre:${submissionHeaderCleanupRules}
'';
}; };
}; };
} }