[Rspamd-Users] remove smtp.auth from header without breaking dkim

L. Jankok ljankok at gmail.com
Mon May 13 08:45:37 UTC 2019 

Op ma 13 mei 2019 om 09:31 schreef Alex JOST <jost+lists at dimejo.at>:

> Am 12.05.2019 um 22:57 schrieb L. Jankok:
> > Op zo 12 mei 2019 om 19:52 schreef Ralph Seichter <abbot at monksofcool.net
> >:
> >
> >> * L. Jankok:
> >>
> >>> In the "ARC-Authentication-Results:" header I want
> >>> "smtp.auth=username at domain" removed for security reasons, but without
> >>> breaking dkim signing for authenticated users.
> >>
> >> You can have Postfix strip headers during the submission cleanup phase,
> >> before DKIM signing happens (see "cleanup_service_name").
> >>
> >> -Ralph
> >> --
> >>
> >>
> > That is the first thing I did, but removing the header before rspamd make
> > dkim not knowing for which domain to sign the mail.
> >
>
> You can configure which domain is used by rspamd to sign messages.
>
> # Domain to use for DKIM signing: can be "header" (MIME From),
> # "envelope" (SMTP From) or "auth" (SMTP username)
> use_domain = "envelope";
>
> https://rspamd.com/doc/modules/dkim_signing.html#configuration
>
> --
> Alex JOST
> --
>

Due to my setup I have this:

use_domain_sign_networks = "header";

use_domain_sign_local = "header";

The part of the header I want to remove is added by the arc module after
postfix submission.
Having said that, I filter the following during submission:

/^Received:/                    IGNORE

/^X-Originating-IP:/            IGNORE

/^X-Mailer:/                    IGNORE

/^User-Agent:/                  IGNORE

/^Mime-Version:/                IGNORE

/^Received:.*\(Postfix/         IGNORE


What I want removed is "smtp.auth=auth-username at somedomain" from the
following header (since it reveals the username used for authentication
during submission):


ARC-Authentication-Results: i=1; ORIGINATING; auth=pass
smtp.auth=auth-username at somedomain smtp.mailfrom=username at domain


It looks to me that I have to do this in milter_headers.conf:


use = ["x-spamd-bar", "x-virus"];

remove_upstream_spam_flag = true;

skip_authenticated = true;

routines {

   authentication-results {

     add_smtp_user = false;

   }

}


Right now, dkim and arc works just fine. smtp.auth=auth-username at somedomain"
is still present in the headers though.


I am still looking for a way to remove this part of the header.


Regards,


Lucius

More information about the Users mailing list