diff --git a/default.nix b/default.nix
index 5ef87a3..989199a 100644
--- a/default.nix
+++ b/default.nix
@@ -433,6 +433,16 @@ in
 '';
 };
+ rewriteMessageId = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Rewrites the Message-ID's hostname-part of outgoing emails to the FQDN.
+ Please be aware that this may cause problems with some mail clients
+ relying on the original Message-ID.
+ '';
+ };
+
 monitoring = {
 enable = mkEnableOption "monitoring via monit";
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 8fd67b5..f101b7a 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -66,7 +66,7 @@ let
 # The user's own address is already in all_valiases_postfix.
 vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" all_valiases_postfix);
- submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
+ submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" (''
 # Removes sensitive headers from mails handed in via the submission port.
 # See https://thomas-leister.de/mailserver-debian-stretch/
 # Uses "pcre" style regex.
@@ -76,7 +76,13 @@ let
 /^X-Mailer:/ IGNORE
 /^User-Agent:/ IGNORE
 /^X-Enigmail:/ IGNORE
- '';
+ '' + lib.optionalString cfg.rewriteMessageId ''
+
+ # Replaces the user submitted hostname with the server's FQDN to hide the
+ # user's host or network.
+
+ /^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@${cfg.fqdn}>
+ '');
 in
 {
 config = with cfg; lib.mkIf enable {
diff --git a/tests/extern.nix b/tests/extern.nix
index 86a4750..b552552 100644
--- a/tests/extern.nix
+++ b/tests/extern.nix
@@ -29,6 +29,7 @@ import {
 fqdn = "mail.example.com";
 domains = [ "example.com" "example2.com" ];
 dhParamBitLength = 512;
+ rewriteMessageId = true;
 loginAccounts = {
 "user1@example.com" = {
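Review bot: The description leaves out where the rewrite takes effect; the postfix.nix hunk in this commit appends the rule to the submission header cleanup rules, so mail entering Postfix by other paths is presumably left as is, and only the host part after `@` is replaced while the local part of the Message-ID is kept. Adding `Only mails handed in via the submission port are rewritten, and only the part after the @ is replaced; the rest of the Message-ID is kept as the client sent it.` to the description would let operators judge what the option actually hides. The enclosing options attribute set continues outside this hunk.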
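Review bot: The new rule only fires when at least one whitespace character follows the colon (`\s+`), so a client that emits `Message-ID:<id@host>` with no space, which RFC 5322 permits, keeps its original hostname in outgoing mail even with `rewriteMessageId` enabled, silently defeating the option's purpose. Using `/^Message-ID:\s*<(.*?)@.*?>/ REPLACE Message-ID: <$1@${cfg.fqdn}>` closes that gap; pcre tables are case-insensitive by default, so the `Message-Id:` spelling is already covered. Note also that the local part captured as `$1` is copied verbatim, so whatever a client encodes there still leaves the server; the comment above the rule could state that only the host part is masked. The surrounding `let` block and the `submissionHeaderCleanupRules` string start outside this hunk.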
@@ -65,9 +66,14 @@ import {
 echo grep '${clientIP}' "$@" >&2
 exec grep '${clientIP}' "$@"
 '';
+ check-mail-id = pkgs.writeScriptBin "check-mail-id" ''
+ #!${pkgs.stdenv.shell}
+ echo grep '^Message-ID:.*@mail.example.com>$' "$@" >&2
+ exec grep '^Message-ID:.*@mail.example.com>$' "$@"
+ '';
 in {
 environment.systemPackages = with pkgs; [
- fetchmail msmtp procmail findutils grep-ip
+ fetchmail msmtp procmail findutils grep-ip check-mail-id
 ];
 environment.etc = {
 "root/.fetchmailrc" = {
@@ -128,6 +134,7 @@ import {
 '';
 };
 "root/email1".text = ''
+ Message-ID: <12345qwerty@host.local.network>
 From: User2
 To: User1
 Cc:
@@ -140,6 +147,7 @@ import {
 how are you doing today?
 '';
 "root/email2".text = ''
+ Message-ID: <232323abc@host.local.network>
 From: User
 To: User1
 Cc:
@@ -154,6 +162,7 @@ import {
 XOXO User1
 '';
 "root/email3".text = ''
+ Message-ID:
 From: Postmaster
 To: Chuck
 Cc:
@@ -167,6 +176,7 @@ import {
 XOXO Postmaster
 '';
 "root/email4".text = ''
+ Message-ID:
 From: Single Alias
 To: User1
 Cc:
@@ -181,6 +191,7 @@ import {
 XOXO User1 aka Single Alias
 '';
 "root/email5".text = ''
+ Message-ID: <789asdf@host.local.network>
 From: User2
 To: Multi Alias
 Cc:
@@ -234,6 +245,7 @@ import {
 $client->succeed("cat ~/mail/* >&2");
 ## make sure our IP is _not_ in the email header
 $client->fail("grep-ip ~/mail/*");
+ $client->succeed("check-mail-id ~/mail/*");
 };
 subtest "have correct fqdn as sender", sub {
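Review bot: `check-mail-id` runs grep over `~/mail/*`, and grep exits 0 as soon as any one file matches, so the `$client->succeed("check-mail-id ~/mail/*")` assertion added in the `@@ -234,6 +245,7 @@` hunk passes even if only one of the delivered mails had its Message-ID rewritten. A negative check in the style of the `grep-ip` line next to it, e.g. `$client->fail("grep 'host.local.network' ~/mail/*");`, would show that none of the fixture hostnames from email1, email2 and email5 reached the mailbox; alternatively `grep -L` lists the files lacking the rewritten id and should print nothing. As rendered here, the `Message-ID:` lines added to email3 and email4 carry no value, which, if intentional, deserves a short comment since such headers can match neither the rewrite rule nor this check. The `let` binding that defines these scripts starts outside this hunk.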