diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix index 0def881..ebcfb0c 100644 --- a/mail-server/postfix.nix +++ b/mail-server/postfix.nix @@ -47,7 +47,18 @@ let # every alias is owned (uniquely) by its user. We have to add the users own # address though vaccounts_file = builtins.toFile "vaccounts" (lib.concatStringsSep "\n" (vaccounts_identity ++ valiases_postfix)); + + submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" '' + ### Removes sensitive headers from mails handed in via the submission port. + ### See https://thomas-leister.de/mailserver-debian-stretch/ + ### Uses "pcre" style regex. + /^Received:/ IGNORE + /^X-Originating-IP:/ IGNORE + /^X-Mailer:/ IGNORE + /^User-Agent:/ IGNORE + /^X-Enigmail:/ IGNORE + ''; in { config = with cfg; lib.mkIf enable { @@ -116,7 +127,13 @@ in smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts"; smtpd_sender_restrictions = "reject_sender_login_mismatch"; smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject"; + cleanup_service_name = "submission-header-cleanup"; }; + + extraMasterConf = '' + submission-header-cleanup unix n - n - 0 cleanup + -o header_checks=pcre:${submissionHeaderCleanupRules} + ''; }; }; }
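Review bot: The `/^Received:/ IGNORE` rule in `submissionHeaderCleanupRules` drops every Received header, including the one this server's own smtpd prepends for the submission hop, so a delivered message carries no trace of the session that injected it. That matches the stated privacy goal, but it moves all abuse and incident tracing onto the mail log, and the comment block does not say so. I would add a line such as `### NOTE: strips all Received trace headers; abuse reports must be correlated via the queue ID in the mail log, so keep log retention adequate.` The enclosing `let` block starts outside this hunk.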
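Review bot: The `-o header_checks=pcre:…` override in `extraMasterConf` also applies to MIME part headers and to the headers of attached messages, because Postfix's `mime_header_checks` and `nested_header_checks` default to `$header_checks`. With `/^Received:/ IGNORE` in the rule file, a message forwarded as an attachment through submission (for example a phishing sample sent to an abuse desk) would lose its Received trail, and signed content covering that attachment may no longer verify. I would add `-o mime_header_checks=` and `-o nested_header_checks=` to the `submission-header-cleanup` entry so that only the primary message headers are filtered. Separately, the attribute set that receives `cleanup_service_name` opens outside this hunk; confirm it is the submission-only option set, since a global setting would also strip Received headers from inbound port-25 mail.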