I have noticed that Mailcow anonymizes the sender's source IP for mails sent from a mailcow hosted domain to external domains, but this does not seem to apply to mails sent between domains hosted on the same mailcow server (or between separate users on the same domain). Can this filtering also be applied to inter-domain and intra-domain mail?
Filter rule: https://github.com/mailcow/mailcow-dockerized/blob/master/data/conf/postfix/anonymize_headers.pcre
Return-Path: <@domain1.com>
Delivered-To: *@domain2.com
Received: from mail.mailcowdomain.com ([::e])
by mail.mailcowdomain.com with LMTP
id XKRl9ETQAA14o17A
(envelope-from <@domain1.com>)
for <@domain2.com>; Wed, 26 Aug 2020 14:48:11 -0600
Received: from [192.168.0.135] (unknown [..171.22])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits))
(No client certificate requested)
(Authenticated sender: @domain1.com)
by mail.mailcowdomain.com (Postcow) with ESMTPSA id *57E353;
Wed, 26 Aug 2020 14:48:09 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain1.com;
s=dkim; t=1598*91; h=from:subject:date:message-id:to:mime-version:content-type:
content-transfer-encoding; bh=g3zLYH4xKxcPrH*s=;
b=iHRPf/hUanEDG
To: @domain2.com
From: <@domain1.com>
Subject: test
Message-ID: <**@domain1..com>
Date: Wed, 26 Aug 2020 15:48:09 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Thunderbird/68.10.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-Last-TLS-Session-Version: TLSv1.3
Thank you
We currently use smtp_header_checks, which is applied when delivering a message to another SMTP server. We can't just use header_checks as that messes with incoming messages too. It might be possible to use the latter but limit it to ports 587 and 465 by placing it in master.cf.
I think header_checks is run by cleanup and hard to only apply to some mail. Hm. Perhaps we can define a cleanup service for local:, don't know if that works. Probably not.
We currently use smtp_header_checks, which is applied when delivering a message to another SMTP server.
Agreed.. that's how I did it on the server I migrated from, but in that setup I used dedicated SMTP transports for each domain (each bound to a separate IP) instead of one shared smtp instance across domains, so inter-domain still had SMTP checks applied (but still didn't solve for intra-domain).
We can't just use header_checks as that messes with incoming messages too. It might be possible to use the latter but limit it to ports 587 and 465 by placing it in master.cf.
Good idea.. googling on this subject I'm coming up with adding "-o cleanup_service_name=ascleanup" to the submission service:
https://serverfault.com/questions/413533/remove-hide-client-sender-ip-from-postfix
(look at the 3rd answer)
Does SOGo also use 587 for submission?
smtp_header_checks are applied for these. These are smtp connections. If I'm wrong, just add the smtp_header_checks to the submission and smtps services in master.cf.
Tried adding this under submission in master.cf:
-o smtp_header_checks=pcre:/opt/postfix/conf/anonymize_headers.pcre
Then tried:
-o header_checks=pcre:/opt/postfix/conf/anonymize_headers.pcre
Ran "docker-compose restart postfix-mailcow" and then tested.. no success with either
This works!
Edit to master.cf:
submission inet n - n - - smtpd
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o cleanup_service_name=ascleanup
  -o syslog_name=postfix/submission
Then added to the bottom of master.cf:
ascleanup unix n - y - 0 cleanup
  -o header_checks=$smtp_header_checks
Now is there a way I can do a master.cf override instead of these changes directly in master.cf?
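As an added check (not code from the thread or from mailcow), the Python below applies a constructed REPLACE rule that plays the role anonymize_headers.pcre plays in the fix above to the authenticated-sender Received header from the sample, and then verifies that no non-loopback client address survives; the rule's pattern, the addresses and the user name are assumptions, not the project's real file.

```python
import re
from ipaddress import ip_address

# Constructed from the thread's sample Received header (placeholder addresses and
# user, not the poster's real ones). Postfix hands header_checks the folded header
# as one logical line, so the continuation lines are kept here as "\n\t".
SAMPLE_RECEIVED = (
    "Received: from [192.168.0.135] (unknown [203.0.113.22])\n"
    "\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n"
    "\t key-exchange X25519 server-signature RSA-PSS (4096 bits))\n"
    "\t(No client certificate requested)\n"
    "\t(Authenticated sender: alice@domain1.com)\n"
    "\tby mail.mailcowdomain.com (Postcow) with ESMTPSA id 57E353;\n"
    "\tWed, 26 Aug 2020 14:48:09 -0600 (MDT)"
)

# Assumed REPLACE rule: keep the server-side fields, drop the client host and IP.
# It is modelled on what the mailcow rule does, not copied from it.
RULE = re.compile(
    r"^Received: from .*?\(Authenticated sender: (?P<user>[^)]+)\)\s*"
    r"by (?P<host>\S+) \(Postcow\) with (?P<proto>\S+) id (?P<id>\S+);\s*(?P<date>.*)$",
    re.S,
)

def anonymize(received: str) -> str:
    """Rewrite an authenticated-submission Received header; leave others untouched."""
    m = RULE.match(received)
    if not m:
        return received
    return ("Received: from localhost (localhost [127.0.0.1]) by {host} (Postcow) "
            "with {proto} id {id}; {date}").format(**m.groupdict())

IP_RE = re.compile(r"\[([0-9a-fA-F:.]+)\]")

def leaked_client_ips(received: str) -> list[str]:
    """Bracketed addresses that are not loopback, i.e. endpoints a recipient in
    another hosted domain would learn if the cleanup service is not applied."""
    found = []
    for raw in IP_RE.findall(received):
        try:
            ip = ip_address(raw)
        except ValueError:
            continue
        if not ip.is_loopback:
            found.append(str(ip))
    return found

if __name__ == "__main__":
    print("before:", leaked_client_ips(SAMPLE_RECEIVED))   # client LAN and public IP
    print("after: ", leaked_client_ips(anonymize(SAMPLE_RECEIVED)))  # nothing left
```

Running the same check over the headers of a test mail between two hosted domains, before and after the master.cf change, is a quick way to confirm the ascleanup service is really the one handling submission.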
Final update.. this works perfectly.
Master.cf seems to persist after upgrade so all is well for now, but hopefully this can be incorporated into mailcow going forward.
Thank you.
@thumpco this is cool, and at some point maybe someone would like to see user IPs in internally delivered mail and this isn't an issue for them.
Can't say which way is better to be the default in general, but if we speak about privacy then your solution by default is more preferred, of course.
In both cases (implemented by default or not) it would be good to have this described in the mailcow docs 😄.
I would think privacy should be the default, especially considering many are using mailcow to host multiple domains that belong to separate entities on the same instance. It's very easy to comment out the lines if you want to expose the local IPs.
I think the same 👍
@andryyy I checked this solution and it works fine. If you agree that it is better to include it by default, can you please approve the PR? If you approve it, I will create a PR for the docs on how to disable local anonymization again. Or if you decline it, I can provide docs on how to apply it 😍.
No doc update needed. :)
Thank you.
You are welcome :)