author | Robin Raymond <robin@robinraymond.de> | 2017-09-20 15:31:37 +0200 |
---|---|---|
committer | Robin Raymond <robin@robinraymond.de> | 2017-09-20 15:31:37 +0200 |
commit | f123fa7fd3260ff3a1179303e3c312c8cfa5463d (patch) | |
tree | aa3e37d21ee007d2acbbd7d2717f60ffafe598e5 | |
parent | 82cf8db01d8ea9fe8b3ea66f023041e2722f8891 (diff) | |
parent | bc48b701c8cd3215e4ad1509ccad3397e5d4bfac (diff) |
Merge branch 'master' of github.com:r-raymond/nixos-mailserver
-rw-r--r-- | mail-server/postfix.nix | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 0def881..ebcfb0c 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -47,7 +47,18 @@ let
 # every alias is owned (uniquely) by its user. We have to add the users own
 # address though
 vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" (vaccounts_identity ++ valiases_postfix));
-
+
+ submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
+ ### Removes sensitive headers from mails handed in via the submission port.
+ ### See https://thomas-leister.de/mailserver-debian-stretch/
+ ### Uses "pcre" style regex.
+
+ /^Received:/ IGNORE
+ /^X-Originating-IP:/ IGNORE
+ /^X-Mailer:/ IGNORE
+ /^User-Agent:/ IGNORE
+ /^X-Enigmail:/ IGNORE
+ '';
 in
 {
 config = with cfg; lib.mkIf enable {
@@ -116,7 +127,13 @@ in
 smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
 smtpd_sender_restrictions = "reject_sender_login_mismatch";
 smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
+ cleanup_service_name = "submission-header-cleanup";
 };
+
+ extraMasterConf = ''
+ submission-header-cleanup unix n - n - 0 cleanup
+ -o header_checks=pcre:${submissionHeaderCleanupRules}
+ '';
 };
 };
 } |
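Review bot: The rule `/^X-Enigmail:/ IGNORE` only matches a header named exactly `X-Enigmail`, so suffixed variants such as `X-Enigmail-Version:` (which Enigmail emits, as far as I know) would pass through the submission cleanup untouched. Dropping the colon, `/^X-Enigmail/ IGNORE`, or writing `/^X-Enigmail[^:]*:/ IGNORE` covers the whole family. Separately, `/^Received:/ IGNORE` removes every trace line that reaches this cleanup service, so the link between a submitted message and the authenticated client then exists only in the server log; a comment such as `### Client trace survives in the mail log only; mind log retention.` would tell operators that. The `let` block this binding sits in starts outside the hunk.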
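Review bot: `-o header_checks=pcre:${submissionHeaderCleanupRules}` replaces, rather than extends, whatever `header_checks` the main configuration sets, so mail handled by this cleanup service would skip any globally configured header checks. That deserves a comment above `extraMasterConf`, e.g. `# header_checks here overrides the global setting for submitted mail`. The attribute set that receives `cleanup_service_name` opens outside the hunk, so it is worth confirming it applies to the submission service only; if it were global, inbound mail would lose its `Received:` trail as well. The `pcre:` map type also needs a Postfix build with PCRE support, which is presumably true of the packaged Postfix but is not checked here.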