author | intrigeri <intrigeri@boum.org> | 2011-03-05 04:55:18 +0100 |
---|---|---|
committer | intrigeri <intrigeri@boum.org> | 2011-03-05 04:58:57 +0100 |
commit | 1f99fcdfdbe73be25c7a5ea80853bbc4618d4f76 (patch) | |
tree | 5e14c92e42121b2d34c822b7cbaaac33f5e4f2da | |
parent | 0583cf4988aec251f129ac4c595e38ff5bb93132 (diff) | |
Support hiding the originating IP in email relayed for an authenticated SASL client.
Untested as I've no Puppet-managed relaying email server yet.
Reference: https://we.riseup.net/debian/anonymizing-postfix
-rw-r--r-- | README | 5 | ||||
-rw-r--r-- | manifests/classes/postfix-anonsasl.pp | 18 | ||||
-rw-r--r-- | manifests/classes/postfix.pp | 6 | ||||
-rw-r--r-- | templates/anonsasl_header_checks.erb | 2 |
4 files changed, 31 insertions, 0 deletions
@@ -7,6 +7,11 @@ A couple of classes will preconfigure postfix for common needs.
 Config
 ------
 - set $postfix_use_amavisd="yes" to include postfix::amavis
+- set $postfix_anon_sasl="yes" to hide the originating IP in email
+ relayed for an authenticated SASL client; this needs Postfix
+ 2.3 or later to work; beware! Postfix logs the header replacement
+ has been done, which means that you are storing this information,
+ unless you are anonymizing your logs.
 - set $postfix_manage_header_checks="yes" to manage header checks (see postfix::header_checks for details)
 - set $postfix_manage_tls_policy="yes" to manage TLS policy (see
diff --git a/manifests/classes/postfix-anonsasl.pp b/manifests/classes/postfix-anonsasl.pp
new file mode 100644
index 0000000..ca97f19
--- /dev/null
+++ b/manifests/classes/postfix-anonsasl.pp
@@ -0,0 +1,18 @@
+class postfix::anonsasl {
+
+ include postfix::header_checks
+
+ postfix::config {
+ 'smtpd_sasl_authenticated_header':
+ value => 'yes';
+ }
+
+ postfix::header_checks_snippet {
+ 'anonsasl':
+ content => template("postfix/anonsasl_header_checks.erb"),
+ require => [
+ Postfix::Config['smtpd_sasl_authenticated_header'],
+ ];
+ }
+
+}
diff --git a/manifests/classes/postfix.pp b/manifests/classes/postfix.pp
index 4446c17..4e9cd6f 100644
--- a/manifests/classes/postfix.pp
+++ b/manifests/classes/postfix.pp
@@ -40,6 +40,9 @@ class postfix {
 case $root_mail_recipient {
 "": { $root_mail_recipient = "nobody" }
 }
+ case $postfix_anon_sasl {
+ "": { $postfix_anon_sasl = "no" }
+ }
 case $postfix_manage_header_checks {
 "": { $postfix_manage_header_checks = "no" }
 }
@@ -67,6 +70,9 @@ class postfix {
 module_dir{'postfix': } # Include optional classes
+ if $postfix_anon_sasl == 'yes' {
+ include postfix::anonsasl
+ }
 if $postfix_manage_header_checks == 'yes' {
 include postfix::header_checks
 }
diff --git a/templates/anonsasl_header_checks.erb b/templates/anonsasl_header_checks.erb
new file mode 100644
index 0000000..bca5914
--- /dev/null
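Review bot: The new `postfix::anonsasl` class sets `smtpd_sasl_authenticated_header` to `yes` without a comment on what that exposes: Postfix then writes the SASL login name into the Received header, and the REPLACE action in templates/anonsasl_header_checks.erb keeps it as `(Authenticated sender: $3)`. The client IP is hidden, but every recipient of relayed mail sees the account name, which may surprise someone enabling an option described as anonymizing. I would add above the `postfix::config` resource `# Needed so the header check can match; the SASL login name stays visible in the rewritten Received: header.` and a matching sentence to the README entry for `$postfix_anon_sasl`.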
+++ b/templates/anonsasl_header_checks.erb
@@ -0,0 +1,2 @@
+/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\)).*?([[:space:]]+).*\(Authenticated sender: ([^)]+)\).*by (<%= fqdn.gsub(/\./, '\.') %>) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/
+ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$2(Authenticated sender: $3)${2}with $6 id $7 |
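Review bot: The client-address part of the pattern, `\[[.[:digit:]]{7,15}\]`, accepts only a dotted IPv4 address, so the Received header of an authenticated client that connected over IPv6 (which Postfix writes as `[IPv6:…]`) is left unrewritten and the originating address stays in the relayed mail. A non-capturing alternative such as `\[(?:IPv6:)?[.:[:xdigit:]]+\]` would cover both forms without shifting the `$2`–`$7` references, though it is untested here. The `by (<%= fqdn… %>)` part also assumes that Postfix's `myhostname` equals the Puppet `fqdn` fact; where they differ, the rule would never match and the IP would leak with no error. I would add a comment at the top of the template saying so, or build the pattern from the configured hostname.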