Remove headers on outgoing mail

[Marc Risse]

Hello Vsevolod,

I asked you about any possibilities about removing headers on outgoing mail at #SLAC last week.

I want to remove headers like these:

[...]

Received: from [192.168.1.100] (p5B17xxx.dip0.t-ipconnect.de [91.23.187.xx])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	(Authenticated sender: marc@xxxx)
	by relay.xxxx (Postfix) with ESMTPSA id 7AA321A2F3F
	for <risse@xxxx>; Wed, 14 Mar 2018 20:37:46 +0100 (CET)

X-Rspamd-Queue-Id: 7AA321A2F3F
X-Spamd-Bar: -------------
X-Spamd-Result: default: False [-13.20 / 10.00]
	 BAYES_HAM(-3.00)[100.00%]
	 TO_MATCH_ENVRCPT_ALL(0.00)[]
	 RCVD_COUNT_ZERO(0.00)[0]
	 FROM_EQ_ENVFROM(0.00)[]
	 MAIL_AUTH(-10.00)[]
	 MIME_GOOD(-0.20)[multipart/signed,text/plain]
	 RCPT_COUNT_ONE(0.00)[1]
	 MID_RHS_MATCH_FROM(0.00)[]
	 TO_DN_ALL(0.00)[]
	 RCVD_TLS_ALL(0.00)[]
	 ASN(0.00)[asn:3320, ipnet:91.0.0.0/10, country:DE]
	 FROM_HAS_DN(0.00)[]
	 HAS_ATTACHMENT(0.00)[]
	 URIBL_BLOCKED(0.00)[xxx.services.multi.uribl.com]
	 ARC_NA(0.00)[]
X-Rspamd-Server: relay
[...]



My /etc/rspamd/local.d/milter_headers.conf:

use = ["x-spamd-bar", "spam-header", "x-spamd-result", "x-rspamd-queue-id"];
skip_local = false;
skip_authenticated = false;
extended_spam_headers = true;
routines {
  spam-header {
    header = "X-Spam-Flag";
    value = "YES";
    remove = 1;
  }
  authentication-results {
    header = "Authentication-Results";
    remove = 1;
    add_smtp_user = false;
    spf_symbols {
      pass = "R_SPF_ALLOW";
      fail = "R_SPF_FAIL";
      softfail = "R_SPF_SOFTFAIL";
      neutral = "R_SPF_NEUTRAL";
      temperror = "R_SPF_DNSFAIL";
      none = "R_SPF_NA";
      permerror = "R_SPF_PERMFAIL";
    }
    dkim_symbols {
      pass = "R_DKIM_ALLOW";
      fail = "R_DKIM_REJECT";
      temperror = "R_DKIM_TEMPFAIL";
      none = "R_DKIM_NA";
      permerror = "R_DKIM_PERMFAIL";
    }
    dmarc_symbols {
      pass = "DMARC_POLICY_ALLOW";
      permerror = "DMARC_BAD_POLICY";
      temperror = "DMARC_DNSFAIL";
      none = "DMARC_NA";
      reject = "DMARC_POLICY_REJECT";
      softfail = "DMARC_POLICY_SOFTFAIL";
      quarantine = "DMARC_POLICY_QUARANTINE";
    }
  }
}

But rspamd doesn't remove the authentication-result header neither for incoming or outgoing mail.
The biggest challenge will be to have different header-rules for incoming and outgoing mail. Maybe I didn't get how it works or it isn't possible.

Any hints?

Best,
Marc
(English isn’t my first language, so please excuse any mistakes.)

[Alexander Moisseev]

On 5/14/2018 7:30 PM, Marc Risse wrote:
> HelloVsevolod,

>
> I asked you about any possibilities about removing headers on outgoing mail at #SLAC last week.
> I want to remove headers like these:
>

> [...]

This is not an "Authentication-Results:" header:

> Received: from [192.168.1.100] (p5B17xxx.dip0.t-ipconnect.de [91.23.187.xx])
> (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> (No client certificate requested)
> (Authenticated sender: marc@xxxx)
> by relay.xxxx (Postfix) with ESMTPSA id 7AA321A2F3F
> for <risse@xxxx>; Wed, 14 Mar 2018 20:37:46 +0100 (CET)
>

>
>

> My /etc/rspamd/local.d/milter_headers.conf:
>

The following line can be shortened to 'use = ["x-spamd-bar"];' as the other headers are enabled by 'extended_spam_headers = true;':

> use = ["x-spamd-bar", "spam-header", "x-spamd-result", "x-rspamd-queue-id"];

If you do not want to _add_ headers to outgoing mail just remove the following lines:

> skip_local = false;
> skip_authenticated = false;

> extended_spam_headers = true;
> routines {

What are you trying to achieve here? Maybe it is not what you need.

> spam-header {
> header = "X-Spam-Flag";
> value = "YES";
> remove = 1;
> }

> authentication-results {
> header = "Authentication-Results";
> remove = 1;
> add_smtp_user = false;
> spf_symbols {

>

> But rspamd doesn't remove the authentication-result header neither for incoming or outgoing mail.

There is no "Authentication-Results:" header in your sample. Do you actually want to remove the first "Received:" header?

[Marc Risse]

Hi Alexander,

thank you for your reply. With your input I was able to reduce information at outgoing mail white keeping all headers on incoming mail.

Now my last challange is to remove or replace "Received: from [192.168.1.100] (p5B17xxx.dip0.t-ipconnect.de [91.23.187.xx])" and "Authenticated sender: marc@xxxx".

I mixed up Authenticated sender with Authentication-Results, sorry.

[Alexander Moisseev]

On 5/15/2018 9:23 AM, Marc Risse wrote:
> Hi Alexander,
>
> thank you for your reply. With your input I was able to reduce information at outgoing mail white keeping all headers on incoming mail.

> Now my last challange is to remove or replace "Received: from [192.168.1.100] (p5B17xxx.dip0.t-ipconnect.de <http://p5B17xxx.dip0.t-ipconnect.de> [91.23.187.xx])" and "Authenticated sender: marc@xxxx".

> I mixed up Authenticated sender with Authentication-Results, sorry.
>
>

> > Received: from [192.168.1.100] (p5B17xxx.dip0.t-ipconnect.de <http://p5B17xxx.dip0.t-ipconnect.de> [91.23.187.xx])

> >         (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> >         (No client certificate requested)
> >         (Authenticated sender: marc@xxxx)
> >         by relay.xxxx (Postfix) with ESMTPSA id 7AA321A2F3F
> >         for <risse@xxxx>; Wed, 14 Mar 2018 20:37:46 +0100 (CET)
> >
>

Marc, IIRC we do not have such option in Rspamd and IMO it is not needed.
Why don't you want to do it in Postfix?
To remove the SASL login name (Authenticated sender), you can set in main.cf :

smtpd_sasl_authenticated_header = no

It is the default BTW.

If you need to remove the whole "Received" header you can use header_checks on submission port.