Untested as I've no Puppet-managed relaying email server yet.
Reference: https://we.riseup.net/debian/anonymizing-postfix
Config
------
- set $postfix_use_amavisd="yes" to include postfix::amavis
+- set $postfix_anon_sasl="yes" to hide the originating IP in email
+ relayed for an authenticated SASL client; this needs Postfix
+ 2.3 or later to work; beware! Postfix logs the header replacement
+ has been done, which means that you are storing this information,
+ unless you are anonymizing your logs.
- set $postfix_manage_header_checks="yes" to manage header checks (see
postfix::header_checks for details)
- set $postfix_manage_tls_policy="yes" to manage TLS policy (see
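Review bot: The new `$postfix_anon_sasl` entry says the option hides the originating IP, but it does not mention that the same option sets `smtpd_sasl_authenticated_header` to `yes` and that the rewritten header keeps `(Authenticated sender: ...)`, so the SASL login name becomes visible to every recipient. Please document that trade-off next to the logging warning. The warning itself would read better as "Postfix logs that the header replacement has been done".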
--- /dev/null
+class postfix::anonsasl {
+
+ include postfix::header_checks
+
+ postfix::config {
+ 'smtpd_sasl_authenticated_header':
+ value => 'yes';
+ }
+
+ postfix::header_checks_snippet {
+ 'anonsasl':
+ content => template("postfix/anonsasl_header_checks.erb"),
+ require => [
+ Postfix::Config['smtpd_sasl_authenticated_header'],
+ ];
+ }
+
+}
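Review bot: `include postfix::header_checks` at the top of `postfix::anonsasl` turns on header-check management even when `$postfix_manage_header_checks` is left at "no", so enabling the anonymizing option silently overrides that setting. Please say so in the README or in a comment on the class. A short class comment stating the Postfix 2.3 requirement from the README would also help, and `template("postfix/anonsasl_header_checks.erb")` can use single quotes since nothing is interpolated.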
case $root_mail_recipient {
"": { $root_mail_recipient = "nobody" }
}
+ case $postfix_anon_sasl {
+ "": { $postfix_anon_sasl = "no" }
+ }
case $postfix_manage_header_checks {
"": { $postfix_manage_header_checks = "no" }
}
module_dir{'postfix': }
# Include optional classes
+ if $postfix_anon_sasl == 'yes' {
+ include postfix::anonsasl
+ }
if $postfix_manage_header_checks == 'yes' {
include postfix::header_checks
}
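Review bot: The `if $postfix_anon_sasl == 'yes'` test treats any other value (for example "true" or "1") as off without a message, which for a privacy option means mail is relayed with the client IP intact while the administrator believes it is hidden. Consider failing the catalog when the value is neither "yes" nor "no", or at least state the accepted values in the README entry.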
--- /dev/null
+/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\)).*?([[:space:]]+).*\(Authenticated sender: ([^)]+)\).*by (<%= fqdn.gsub(/\./, '\.') %>) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/
+ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$2(Authenticated sender: $3)${2}with $6 id $7
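Review bot: The address part of the pattern, `\[[.[:digit:]]{7,15}\]`, only matches a dotted IPv4 address, so a Received header written for a client that connected over IPv6 will not match and will go out unchanged with the client address in it. Please extend the bracketed part to cover IPv6 literals or document that the rule is IPv4 only. The lazy `.*?` is PCRE syntax, so this snippet depends on `postfix::header_checks` using a `pcre:` table, which is not visible in this patch and should be confirmed. Groups 4 and 5 (the `by` host and its comment) are captured but never used in the `REPLACE` text, so the rewritten header has no `by` clause; if that is intended, non-capturing the groups would make it clearer. Given the commit message says this is untested, a sample header before and after the rewrite in a comment would make the rule easier to verify.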