From ed694ff4b412c36801e17c93c0ee587da1ebc981 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Thu, 3 Oct 2013 17:57:48 -0400
Subject: implement stripping user's home IPs from Received headers (#3866)

Change-Id: I6d78286f84144bba5fd3166cc0264570e4fd3ee0
---
 .../modules/site_postfix/files/checks/received_anon  |  2 ++
 puppet/modules/site_postfix/manifests/checks.pp      | 20 +++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 puppet/modules/site_postfix/files/checks/received_anon

diff --git a/puppet/modules/site_postfix/files/checks/received_anon b/puppet/modules/site_postfix/files/checks/received_anon
new file mode 100644
index 00000000..2822973e
--- /dev/null
+++ b/puppet/modules/site_postfix/files/checks/received_anon
@@ -0,0 +1,2 @@
+/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))([[:space:]]+).*(\(using [.[:alnum:]]+ with cipher [-A-Z0-9]+ \([0-9]+\/[0-9]+ bits\)\))[[:space:]]+\(Client CN "([[:alnum:]]+)", Issuer "[[:print:]]+" \(verified OK\)\)[[:space:]]+by ([.[:alnum:]]+) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/
+ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}${3}${2}(Authenticated sender: $4)${2}with $7 id $8
diff --git a/puppet/modules/site_postfix/manifests/checks.pp b/puppet/modules/site_postfix/manifests/checks.pp
index 06f9a7a4..31399d32 100644
--- a/puppet/modules/site_postfix/manifests/checks.pp
+++ b/puppet/modules/site_postfix/manifests/checks.pp
@@ -6,7 +6,7 @@ class site_postfix::checks {
       mode    => '0755',
       owner   => root,
       group   => postfix,
-      require => Class['postfix'];
+      require => Package['postfix'];
 
     '/etc/postfix/checks/helo_checks':
       content => template('site_postfix/checks/helo_access.erb'),
@@ -20,4 +20,22 @@ class site_postfix::checks {
       refreshonly => true,
       subscribe   => File['/etc/postfix/checks/helo_checks'];
   }
+
+  # Anonymize the user's home IP from the email headers (Feature #3866)
+  package { 'postfix-pcre': ensure => installed }
+
+  file { '/etc/postfix/checks/received_anon':
+    source  => 'puppet:///modules/site_postfix/checks/received_anon',
+    mode    => '0644',
+    owner   => root,
+    group   => root,
+    notify  => Service['postfix']
+  }
+
+  postfix::config {
+    'header_checks':
+      value   => 'pcre:/etc/postfix/checks/received_anon',
+      require => File['/etc/postfix/checks/received_anon'];
+  }
+
 }
-- 
cgit v1.2.3