Support hiding the originating IP in email relayed for an authenticated SASL client.

Untested as I've no Puppet-managed relaying email server yet.

Reference: https://we.riseup.net/debian/anonymizing-postfix

2 files changed, 24 insertions, 0 deletions

diff --git a/manifests/classes/postfix-anonsasl.pp b/manifests/classes/postfix-anonsasl.pp
new file mode 100644
index 0000000..ca97f19
--- /dev/null
+++ b/manifests/classes/postfix-anonsasl.pp
@@ -0,0 +1,18 @@
+class postfix::anonsasl {
+
+  include postfix::header_checks
+
+  postfix::config {
+    'smtpd_sasl_authenticated_header':
+      value => 'yes';
+  }
+
+  postfix::header_checks_snippet {
+    'anonsasl':
+      content => template("postfix/anonsasl_header_checks.erb"),
+      require => [
+                  Postfix::Config['smtpd_sasl_authenticated_header'],
+                  ];
+  }
+  
+}
diff --git a/manifests/classes/postfix.pp b/manifests/classes/postfix.pp
index 4446c17..4e9cd6f 100644
--- a/manifests/classes/postfix.pp
+++ b/manifests/classes/postfix.pp
@@ -40,6 +40,9 @@ class postfix {
   case $root_mail_recipient {
     "":   { $root_mail_recipient = "nobody" }
   }
+  case $postfix_anon_sasl {
+    "":    { $postfix_anon_sasl = "no" }
+  }
   case $postfix_manage_header_checks {
     "":   { $postfix_manage_header_checks = "no" }
   }
@@ -67,6 +70,9 @@ class postfix {
   module_dir{'postfix': }
 
   # Include optional classes
+  if $postfix_anon_sasl == 'yes' {
+    include postfix::anonsasl
+  }
   if $postfix_manage_header_checks == 'yes' {
     include postfix::header_checks
   }