Anonymizing Postfix

Background Information

Typically, users of mail clients (such as Thunderbird and Outlook) require a remote SMTP server in order to be able to send mail (often called simply an ‘outgoing mail server’ by the mail clients). Mail Transport Agents (such as postfix) include information about this initial hop from the user’s home computer to the relaying SMTP server in the “Received” headers it adds to the outgoing message. In particular, the user’s home IP address is included with every email they send.

Many users might consider this a breach of their privacy, since significant information can be gleaned from one’s home IP address.

What this does

This anonymizes the first Received: header that comes from a client who SASL authenticates before sending mail.

If you authenticate and then send a message out through postfix, the following type of header, complete with identifying information, is added:

 
Received: from pond (adsl-79-259-53-135.dsl.some.place.net [79.259.53.135])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mail.riseup.net (Postfix) with ESMTP id 5128CA2CA6 

If you use our web mail, it is sent without this extra unnecessary information:

 
Received: from localhost (127.0.0.1)
        (SquirrelMail authenticated user micah)
        by mail.riseup.net with HTTP;
        Wed, 9 Feb 2005 11:24:51 -0800 (PST) 

This simply gets postfix to anonymize the first header into this:

 
Received: from localhost (localhost [127.0.0.1])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mail.riseup.net (Postfix) with ESMTP id 5128CA2CA6 

Getting your postfix anonymized

We used to provide a patch and pre-built Debian packages for postfix versions prior to 2.3 which did the anonymization. However, these are quite old and only worked with versions of Postfix that are now years out of date. You really should be running a version of Postfix greater than 2.3 at this point.

Postfix 2.3 and later

UPDATED: December 2, 2009 – newer regexp that does newlines properly in the header, credit and thanks to Paul Lesniewski!

Newer versions of postfix have an option that makes this much easier. You need to enable “smtpd_sasl_authenticated_header = yes”, which adds SASL information to your header. Once this information is there, header_checks can be put into place that rewrite the headers to anonymize their content.

The regular expression needs to be on one line, with a newline between the expression and the REPLACE line. Also, you will need to change the (auk.riseup.net) in the regexp below:


/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\)).*?([[:space:]]+).*\(Authenticated sender: ([^)]+)\).*by (auk\.riseup\.net) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/
  REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$2(Authenticated sender: $3)${2}with $6 id $7

This will replace the SASL authenticated hostname with ‘localhost’ and the resulting header will look like this:

Received: from [127.0.0.1] (localhost [127.0.0.1])   (Authenticated sender: micah@auk.riseup.net) with ESMTP id 17E6C86A for <micah@riseup.net>;   Sun, 12 Nov 2006 16:54:56 -0800 (PST)

NOTE: Be careful if you decide to use this regexp: you will need to replace $HOSTNAME, $DOMAIN and $TLD to match your system. Also, be careful if you change this regexp, because some clients present different headers. I’ve seen some people have different information sent as ‘helo’, and not all say where the message is for.

NOTE2: Be even more careful. This header replacement works great, but postfix logs that the replacement has been done, which means that you are storing this information unless you are anonymizing your logs (see our syslog-ng section for more information about this). An example log entry for a header replacement:

Aug 11 10:12:00 mail postfix/cleanup[9204]: 1F6C52B2403: replace: header Received: from [192.168.1.1] (adsl-11-22-33-44.dsl.somenet.net [11.22.33.44])??(Authenticated sender: jose@example.com)??by mail.example.com (Postfix) with ESMTP id 1F6C from adsl-11-22-33-44.dsl.somenet.net[11.22.33.44]; from=<jose@example.com> to=<maria@example.com> proto=ESMTP helo=<[192.168.1.1]>: Received: from [127.0.0.1] (localhost [127.0.0.1])??(Authenticated sender: jose@examplecom)??with ESMTP id 1F6C52B2403

If you are not anonymizing your logs, you will capture the IP address as above. This is a bad thing!
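One way to check for and scrub such records before they are stored, as an added example that is not part of the original page. The function names, the redaction marker and the sample lines are constructed, and it assumes the default postfix/cleanup syslog tag.

```python
import ipaddress
import re

# Constructed sample lines in the shape of the log entry shown above.
SAMPLE_LOG = [
    "Aug 11 10:12:00 mail postfix/cleanup[9204]: 1F6C52B2403: replace: header "
    "Received: from [192.168.1.1] (adsl-11-22-33-44.dsl.somenet.net [11.22.33.44])??"
    "(Authenticated sender: jose@example.com)??by mail.example.com (Postfix) "
    "with ESMTP id 1F6C from adsl-11-22-33-44.dsl.somenet.net[11.22.33.44]; "
    "from=<jose@example.com> to=<maria@example.com> proto=ESMTP "
    "helo=<[192.168.1.1]>: Received: from [127.0.0.1] (localhost [127.0.0.1])??"
    "(Authenticated sender: jose@example.com)??with ESMTP id 1F6C52B2403",
    "Aug 11 10:12:01 mail postfix/qmgr[812]: 1F6C52B2403: removed",
]

# Start of a cleanup "replace: header" record, up to and including the header name.
REPLACE_RE = re.compile(
    r"^(?P<head>.*? postfix/cleanup\[\d+\]: [0-9A-Za-z]+: replace: header )"
    r"(?P<name>[^\s:]+:)"
)
# Dotted-quad candidates; validity is checked with ipaddress below.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def scrub_line(line):
    """Drop the pre-rewrite header and client context from a replace record."""
    m = REPLACE_RE.match(line)
    if not m:
        return line
    return f"{m.group('head')}{m.group('name')} [original header and client removed]"

def client_ips(line):
    """Return the non-loopback IPv4 addresses still present in a log line."""
    found = []
    for text in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # not a valid address, e.g. an octet above 255
        if not ip.is_loopback:
            found.append(text)
    return found

def audit(lines):
    """Scrub every line and return (scrubbed_lines, addresses_still_present)."""
    scrubbed = [scrub_line(line) for line in lines]
    return scrubbed, [ip for line in scrubbed for ip in client_ips(line)]
```

Running `client_ips` over an existing log file shows how many stored lines still carry a client address; other postfix records that log the client are not touched by `scrub_line`.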

Thanks to Paul Lesniewski for the updated regexp, and the additional poke about the important bit about the logs!
Thanks to Martin Krafft for this new information.

Update: As of postfix 2.5, RFC3848 additional transmission types are now supported (ESMTPA, ESMTPS and ESMTPSA). The above regexp has been altered to include those in a way that will work for older versions as well.