Remove IPs from Outgoing Mail (Postfix SMTP)

I use Postfix as my SMTP server. By default, it includes every user’s IP address and hostname in outgoing mail, even internal ones. As there is no need for the outside world to see what IPs I use internally (or what external IPs my users connect from), I decided to remove the IP headers from outgoing email. This post explains how.


Postfix (or any other SMTP server) receives mail from other mail servers (“incoming”) and mail from its own users (“outgoing”). As we don’t want to strip any headers from incoming mail, we first have to force all users to authenticate (which is a good thing anyway) and make Postfix add another header to authenticated (“outgoing”) mail. Then we can match this header and strip both the Received line containing internal hostnames and IPs, and the authenticated header.

/etc/postfix/main.cf:

# add header for authenticated mail to strip IP
smtpd_sasl_authenticated_header = yes
header_checks = regexp:/etc/postfix/header_checks

/etc/postfix/header_checks:

/^Received: .*\(Authenticated sender:.*/ IGNORE
/^Received: by yourdomain\.com .*from userid [0-9]+\)/ IGNORE

(Replace yourdomain.com with your server’s name.)
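To see which Received lines the two rules above drop, here is an added example (not part of the original post) that applies them to constructed headers. It assumes Python's re module as a stand-in for Postfix's regexp table, and mail.example.com and all addresses are made-up documentation values.

```python
import re

# The two rules from /etc/postfix/header_checks, with yourdomain.com replaced by
# the constructed host name mail.example.com. Postfix regexp tables are
# case-insensitive by default and do not treat newlines specially, hence the flags.
FLAGS = re.IGNORECASE | re.DOTALL
RULES = [
    re.compile(r"^Received: .*\(Authenticated sender:.*", FLAGS),
    re.compile(r"^Received: by mail\.example\.com .*from userid [0-9]+\)", FLAGS),
]

# Constructed headers (documentation addresses, not real traffic). The fourth one
# models incoming mail whose sending provider also marks authenticated senders.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.25])
\tby mail.example.com (Postfix) with ESMTPS id 4F00000001
\tfor <alice@example.com>; Mon, 1 Jan 2024 10:00:00 +0000 (UTC)
Received: from [192.168.1.10] (unknown [203.0.113.7])
\t(Authenticated sender: alice)
\tby mail.example.com (Postfix) with ESMTPSA id 4F00000002
\tfor <bob@example.org>; Mon, 1 Jan 2024 10:05:00 +0000 (UTC)
Received: by mail.example.com (Postfix, from userid 1000)
\tid 4F00000003; Mon, 1 Jan 2024 10:06:00 +0000 (UTC)
Received: from laptop (unknown [10.1.2.3])
\t(Authenticated sender: carol)
\tby smtp.example.org (Postfix) with ESMTPSA id 4F00000004;
\tMon, 1 Jan 2024 10:07:00 +0000 (UTC)
Subject: test
"""

def logical_headers(text):
    """Join folded continuation lines so each header is one logical unit."""
    headers = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers

def apply_header_checks(text):
    """Return (kept, ignored) lists of logical headers."""
    kept, ignored = [], []
    for header in logical_headers(text):
        (ignored if any(r.search(header) for r in RULES) else kept).append(header)
    return kept, ignored

if __name__ == "__main__":
    kept, ignored = apply_header_checks(SAMPLE)
    for h in ignored:
        print("IGNORE:", h.splitlines()[0])
    for h in kept:
        print("keep:  ", h.splitlines()[0])
```

The fourth header is dropped as well: header_checks runs on all mail passing through the server, and the first rule is not tied to your own host name. On a live server, a single header can be tested against the real table with postmap -q "header text" regexp:/etc/postfix/header_checks.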

9 Responses

  1. Erics Blog says:

    After my Debian server had been running reliably for a while, I decided to add a mail server as well. After a short time, however, I realized that this would not be so easy and that I would need some time to get this error-free

  2. Snaky says:

    Interesting approach – but of course the consequences of your idea have to be checked: how does spam-recognition think about that? How long will it take until your servers are blacklisted with this config and you will be de facto cut off from the world? Any real life experience?
    Please report!

  3. Moritz says:

    Last time I checked, Google Mail also doesn’t include the user’s IP when using the web interface. There is absolutely no requirement to forward this information to third parties. I have been using the configuration above for a long time now. Why would my server get blacklisted when there is never any spam coming from it?
    Also, many users use a relay host, because their own infrastructure is on a dynamic IP, or they don’t want to cope with the details of running a public mailserver that basically has to be up 24/7. Removing the ‘first incoming IP’ is really nothing to be worried about.
    An obvious reminder: This will only make you anonymous among the set of users of this mail server. In my case, as the only user of the server, it stops location tracking. It does not make me anonymous.
    Most email providers don’t want to remove IPs because they don’t want to deal with abuse complaints. It would be easy to match message IDs or some inserted random header in case, but it’s just too much work for most ISPs.

  4. Bob says:

    > How long will it take until your servers are blacklisted with this config and you will be de facto cut off from the world?
    You won’t be blacklisted. Many companies use this to hide internal IPs. There is no reason (other than nefarious purposes) for the world+dog to know the internal IP space of an intra-net.
    If you are blacklisted then something is incorrectly configured.

  5. Jan says:

    Actually, this PREVENTS overzealous spam filters from blocking your mail.
    The reason is that some spam filters mark as spam any mail that has a dynamically-assigned IP address in ANY Received: header. This is obviously wrong if the user of said dynamic IP is authenticated (but arguably sensible if the dynamic IP user is not, as in spambots on infected user PCs).
    So, removing the user name and IP for authenticated users is good.
    I currently use something a bit more elaborate that leaves the Received: line in but edits out the IP and user name. I found the recipe on the Postfix-Users mailing list.

  6. Rakesh says:

    This no longer works; Gmail is still tracking the mail IP, just see the original of any mail.

  7. Bryan says:

    How can I check whether this is working or not? Because when I check the log files in Postfix, it shows my relay mail server hostname and IP address.
