Protecting the Client IP Address of a Mail Server connecting client

Introduction

Many mail servers send the connecting clients IP address in email headers (Received header). This can post a problem if you mail server is located remotely (and not on a private network), and you communicate not through the protected IP. Basically the mail server will then include your non-protected IP in the mail headers.

This may look something like:

Received: from localhost (something [1.1.1.1])
    by mail.domain.com (Postfix) with ESMTP id 25EDB8AA2F
    for <abc@gmail.com>; Sun, 14 Jun 2015 14:20:13 -0400 (EDT)

If your mail server is on localhost or on a private network, this tutorial is not relevant. This tutorial is provided for Postfix & Zimbra (Postfix). Contributions for other mail server platforms welcome.

Configuring with Postfix

For this tutorial we are assuming the postfix configuration is located at /etc/postfix. This is the default on Debian and Debian based distributions (Ubuntu).

Step 1: Create header checks file

Create the file /etc/postfix/header_checks on your server. If this file exists it may contain a large header block, if so insert this on a new line at the bottom of the file.

/^Received:.*with ESMTPSA/              IGNORE
/^X-Originating-IP:/    IGNORE
/^X-Mailer:/            IGNORE
/^Mime-Version:/        IGNORE

The “ESMTPSA” works if you send mail via SSL. If this is not the case for you, remove that part of the regular expression. Instead use:

/^Received:/    IGNORE

Step 2: Edit main.cf

Now, add the following two lines to your /etc/postfix/main.cf:

mime_header_checks = regexp:/etc/postfix/header_checks
header_checks = regexp:/etc/postfix/header_checks

When doing this you may wish to remove any other references to these two options, often header_checks already exists and will throw a warning if not removed.

Step 3: Build Postfix Maps

Execute:

postmap /etc/postfix/header_checks

Step 4: Reload Postfix

Reload the postfix configuration:

postfix reload

Configuring with Zimbra

For this tutorial we are assuming that Zimbra is installed at /opt/Zimbra (Default). This tutorial is largely the same as the Postfix one, although with a different base path.

Step 1: Create header checks file

Create the file /opt/zimbra/postfix/conf/header_checks on your server. If this file exists it may contain a large header block, if so insert this on a new line at the bottom of the file.

/^Received:.*with ESMTPSA/              IGNORE
/^X-Originating-IP:/    IGNORE
/^X-Mailer:/            IGNORE
/^Mime-Version:/        IGNORE

The “ESMTPSA” works if you send mail via SSL. If this is not the case for you, remove that part of the regular expression. Instead use:

/^Received:/    IGNORE

Step 2: Edit main.cf

Now, add the following two lines to your /opt/zimbra/postfix/conf/main.cf:

mime_header_checks = regexp:/opt/zimbra/postfix/conf/header_checks
header_checks = regexp:/opt/zimbra/postfix/conf/header_checks

When doing this you may wish to remove any other references to these two options, often header_checks already exists and will throw a warning if not removed.

Step 3: Build Postfix Maps

Execute:

/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/header_checks

Step 4: Reload Postfix

Reload the postfix configuration:

/opt/zimbra/postfix/sbin/postfix reload