Support hiding the originating IP in email relayed for an authenticated SASL client.

Untested as I've no Puppet-managed relaying email server yet. Reference: https://we.riseup.net/debian/anonymizing-postfix
2011-03-05 04:55:18 +01:00 · 2011-03-05 04:55:18 +01:00 · 1f99fcdfdb
commit 1f99fcdfdb
parent 0583cf4988
4 changed files with 31 additions and 0 deletions
--- a/5
+++ b/5
@ -7,6 +7,11 @@ A couple of classes will preconfigure postfix for common needs.
 Config
 ------
 - set $postfix_use_amavisd="yes" to include postfix::amavis
+- set $postfix_anon_sasl="yes" to hide the originating IP in email
+  relayed for an authenticated SASL client; this needs Postfix
+  2.3 or later to work; beware! Postfix logs the header replacement
+  has been done, which means that you are storing this information,
+  unless you are anonymizing your logs.
 - set $postfix_manage_header_checks="yes" to manage header checks (see
  postfix::header_checks for details)
 - set $postfix_manage_tls_policy="yes" to manage TLS policy (see
--- a/manifests/classes/postfix-anonsasl.pp
+++ b/manifests/classes/postfix-anonsasl.pp
@ -0,0 +1,18 @@
+class postfix::anonsasl {
+
+  include postfix::header_checks
+
+  postfix::config {
+    'smtpd_sasl_authenticated_header':
+      value => 'yes';
+  }
+
+  postfix::header_checks_snippet {
+    'anonsasl':
+      content => template("postfix/anonsasl_header_checks.erb"),
+      require => [
+                  Postfix::Config['smtpd_sasl_authenticated_header'],
+                  ];
+  }
+  
+}
--- a/manifests/classes/postfix.pp
+++ b/manifests/classes/postfix.pp
@ -40,6 +40,9 @@ class postfix {
  case $root_mail_recipient {
    "":   { $root_mail_recipient = "nobody" }
  }
+  case $postfix_anon_sasl {
+    "":    { $postfix_anon_sasl = "no" }
+  }
  case $postfix_manage_header_checks {
    "":   { $postfix_manage_header_checks = "no" }
  }
@ -67,6 +70,9 @@ class postfix {
  module_dir{'postfix': }

  # Include optional classes
+  if $postfix_anon_sasl == 'yes' {
+    include postfix::anonsasl
+  }
  if $postfix_manage_header_checks == 'yes' {
    include postfix::header_checks
  }
--- a/templates/anonsasl_header_checks.erb
+++ b/templates/anonsasl_header_checks.erb
@ -0,0 +1,2 @@
+/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\)).*?([[:space:]]+).*\(Authenticated sender: ([^)]+)\).*by (<%= fqdn.gsub(/\./, '\.') %>) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/
+  REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$2(Authenticated sender: $3)${2}with $6 id $7