Today I learned a few things on postfix and how to set it up cleaner. So I want to share this insights with you, especially the part how to clean up the mail header since it helps a lot and improves your privacy quite a bit. So let’s get started, shouldn’t we ? Lets start by adding a limitation on the SASL authenticated clients which address they can to send out mail. This gets archived by setting up “smtpd_sender_login_maps =” and adding “reject_authenticated_sender_login_missmatch” to smtpd_recipient_restrictions, so he check the map we setup in smtpd_sender_login_maps and if the SASL authenticated client fails rejects the mail. The map is looking like this:
# envelope sender owners (SASL login names)
email@example.com firstname.lastname@example.org, email@example.com
@example.net fred, barney, firstname.lastname@example.org
So, setup the list with the addressed and allowed owners. Then convert it to a hashmap with postmap, and setup postfix.
$: postmap hash:/etc/postfix/addressowner_map
$: postconf -e \
'smtpd_sender_login_maps = hash:/etc/postfix/addressowner_map'
$: postconf -e \
'smtpd_recipient_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unauth_destination'
Don’t forget to make smtpd_recipient_restrictions fitting your setup! After that restart postfix, try first to send out using the usual sender address. It should work fine, but when you set up a sender address you don’t own he should reject it. More information on this mechanism you can find in the Postfix SASL How to.
I was looking a while now for a way to remove my IP from outgoing mails, so my server is the start point of the delivery path. This is to hide my IP, also internal IPs and it solves problems with anti-spam mechanism like SPF. postfix (or any other SMTP server) receives mail from other mail servers (“incoming”), and mails by users (“outgoing”). As we don’t want to strip any headers from incoming mail, we first have to force all users to authenticate (which is a good thing anyway), and make Postfix add another header to authenticated (“outgoing”) mails. Then, we can match this header and strip both the Received line containing internal host names and IPs, and the authenticated header. So edit the config like this:
$: postconf -e 'smtpd_sasl_authenticated_header = yes'
$: postconf -e 'header_checks = regexp:/etc/postfix/header_checks'
Then create the file “header_checks” and add the following line, while editing “yourdomain\.com” to match your mail servers domain.
/^Received: .*\(Authenticated sender:.*/ IGNORE
/^Received: by yourdomain\.com .*from userid [0-9]+\)/ IGNORE
Restart postfix. This takes care of our problem. Send out a mail and compare the resulting header with an older, its much cleaner. Thanks goes to Moblog, who explained it nice and from where I took some parts. So this enables us, cause we have a clean header, to add a SPF record to our domain. To archive this, just create a TXT record with the content “v=spf1 a mx -all”. Simple but working good. For more information on SPF, check Wikipedia, since OpenSPF.org is at least for me always down.
That’s it for today, hope it was inspiring for you.