Rehaul of the internal mail system

Showery autumn • A dead, fancy bird slithers • in spite of the lake

Since I had to do some work on the internal network’s mail routing, I decided to give something a go.

I knew there was a way to get postfix to clean out the internal headers, which I’ve always found quite a sensible thing to do: there are a lot of hops from certain machines, some internal hostnames are so old they litter the headers with domains that haven’t been registered for years, and just from a security point of view, you could probably map the internal machines from the headers if you really wanted to.

I had a look online and found a whole lot of wrong and incomplete answers; I even had to use Google to try and figure it out. I found one blog post (details below on this post)[1] and put it up on the sus docs site so I can refer to it again another time.

To give a brief overview - all the internal network computers relay mail to one machine that does the centralised work of despatching to the responsible 3rd party smarthost.

I used to do all the DKIM business on this side of the network, but that was hard work, so now I get a professional mail relayer to do that part. I usually have only free accounts since I had to cut some budget, so that means there is more than one of these companies doing the job.

I wanted to future-proof my setup to allow me to add some redundancy for the learnings, and also give me an option to have the same domain (read: service) split between two or more smarthosts to, um, work around the daily limits just in case.

Seeing as I already have some relay servers, I figured YOLO. I installed postfix on AMS3 and got to playing serious tech guru h4x0r business. Since every answer on Stackoverflow is fucking bullshit I had a lot of problems doing this, until I found the sacred doc[1].

Got the routing tables up and went for it. It worked great.

I then repeated this three more times on SYD1, SGP1, and BLR1 and tested my way through it all. I have a lot of this email in my inbox but it works.

From: <redacted>
To: <redacted>
Date: Sat Apr  1 15:41:20 UTC 2023
Subject: Test

Thois is a test.

Now my internal mail works like this: the internal mail server on joshua collects the mail from inside and, using round robin delivery, contacts one of the relay servers. The relay server strips the headers from the transaction and pushes the message either to the smarthost that relay normally uses OR to the one listed in sdr_custom_transport, depending on the requirement.

Now what the smarthost receives is something like this:

Received: from relais-ams3-01.sus.fr (relais-ams3-01.sus.fr [178.128.246.40])
	by outbound2.eu.mailhop.org (Halon) with ESMTPSA
	id REDACTED;
	Sat, 01 Apr 2023 17:08:33 +0000 (UTC)
Date: Sat, 01 Apr 2023 19:08:13 +0200
From: REDACTED
Subject: Bird - A Haiku
Message-Id: <REDACTED>
Organization: MMN
To: REDACTED
X-Wildcat-Message-Id: <REDACTED>

Hashtag semi privacy by design. Voilà.

[1] Here is the secret sauce from srv24x7.com:

postfix remove received header

nano /etc/postfix/header_checks

    # Rules are tried in order and the first match wins. The first rule is
    # already covered by the second: every Received: header is dropped, the
    # relay's own included (compare the smarthost-side headers above).
    /^Received:.*with ESMTPSA/ IGNORE
    /^Received:/ IGNORE
    /^X-Originating-IP:/ IGNORE
    /^X-Mailer:/ IGNORE
    # Caution: a MIME message without Mime-Version is not RFC 2045 compliant;
    # leave this rule out if attachments stop rendering at the far end.
    /^Mime-Version:/ IGNORE

nano /etc/postfix/main.cf

    header_checks = regexp:/etc/postfix/header_checks
    # mime_header_checks defaults to $header_checks; setting it explicitly makes
    # sure the MIME-related headers are run through the same table.
    mime_header_checks = regexp:/etc/postfix/header_checks

postmap /etc/postfix/header_checks   # not required for a regexp: table, which Postfix reads as plain text
postfix reload