Merge pull request #15 from phdoerfler/patch-3
Added header filtering for removing sensitive information.
This commit is contained in:
commit
bc48b701c8
1 changed files with 17 additions and 0 deletions
|
@ -48,6 +48,17 @@ let
|
|||
# address though
|
||||
vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" (vaccounts_identity ++ valiases_postfix));
|
||||
|
||||
submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
|
||||
### Removes sensitive headers from mails handed in via the submission port.
|
||||
### See https://thomas-leister.de/mailserver-debian-stretch/
|
||||
### Uses "pcre" style regex.
|
||||
|
||||
/^Received:/ IGNORE
|
||||
/^X-Originating-IP:/ IGNORE
|
||||
/^X-Mailer:/ IGNORE
|
||||
/^User-Agent:/ IGNORE
|
||||
/^X-Enigmail:/ IGNORE
|
||||
'';
|
||||
in
|
||||
{
|
||||
config = with cfg; lib.mkIf enable {
|
||||
|
@ -116,7 +127,13 @@ in
|
|||
smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
|
||||
smtpd_sender_restrictions = "reject_sender_login_mismatch";
|
||||
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
|
||||
cleanup_service_name = "submission-header-cleanup";
|
||||
};
|
||||
|
||||
extraMasterConf = ''
|
||||
submission-header-cleanup unix n - n - 0 cleanup
|
||||
-o header_checks=pcre:${submissionHeaderCleanupRules}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue