From 8eb056260ff022da9857690790d10385f3431465 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 20 Aug 2012 21:22:08 +0200 Subject: Configuring sender anonymization on the MSA. --- fripost-docs.org | 52 +++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 45 insertions(+), 7 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index 794705a..ea8a762 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -159,6 +159,9 @@ sudo aptitude install logcheck syslog-summary # | There is no way to get rid of the warning `Fixed query_filter [...] is probably useless'. # It is harmless in our case, since the search base is precise enough. ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(smtpd|cleanup|trivial-rewrite|postmap)\[[0-9]+\]: warning: dict_ldap_open: /etc/postfix/ldap/ldap_virtual_alias_catchall_maps.cf: Fixed query_filter \(\&\(ObjectClass=virtualAliases\)\(mailLocalAddress=\)\(isActive=TRUE\)\) is probably useless$ +# | Untrusted connections should be taken care of on the client's side. +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: Untrusted TLS connection established from +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [._[:alnum:]-]+\[[0-9.:]+\]: (Unt|T)rusted: subject_CN=.*, issuer=.*, fingerprint= ** Configuring aptitude and friends @@ -1473,8 +1476,16 @@ can be obtained by the command echo -ne '\000user@fripost.org\000user' | openssl base64 +or slightly better (does not write password in your ~/.bash_history) + + read U PW; echo -ne "\000$U\000$PW" | openssl base64 + **** Anonymize the senders +***** Overview + +Reference: https://we.riseup.net/debian/mail#getting-your-postfix-anonymized + If RoudCube automatically anonymize the sender (by simply shortening the trace), it's not the case (by default) for SquirrelMail, or when clients connect via ESMTP/ESMTPS/ESMTPA/ESMTPSA. Here are a couple of traces we want 
@@ -1549,9 +1560,7 @@ valid certificate, and in case of an SMTP relay, the early part of the trace (before it entered our Postfix sever) remains unchanged. For example, the early part of the third trace would become: - Received: from localhost (localhost [127.0.0.1]) - (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) - (Client CN "", Issuer "" (not verified)) + Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: username) by fripost.org (Postfix) with ESMTPSA id 40284804F5 for ; Thu, 22 Mar 2012 14:48:01 +0100 (CET) @@ -1563,10 +1572,10 @@ smtp_header_checks. In that case, the corresponding file would contain the following rexep, forging the header by pretending that the client has EHLO'ed from localhost: - /^Received:\s+from (\S+)\s+\(\S+\s+\S+\)(.*\sby fripost\.org \(Postfix\)\s+with E?SMTP(S|A|SA)\W.*)$/ - REPLACE Received: from localhost (localhost [127.0.0.1])${2} + /^Received:\s+from\s+(\S+\s+\([-._[:alnum:]]+\s+\[[.[:digit:]]{7,15}\]\)).*?([[:space:]]+).*\(Authenticated sender:\s+([^)]+)\).*(by\s+smtp\.fripost\.org\s+\([^)]+\)\s+with\s+E?SMTPS?A?\s+id\s+[A-F[:digit:]]+.*)/ + REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$2(Authenticated sender: $3)${2}$4 -You can try out the regexp using "postmap -h -q - regexp:smtp_header_checks < email" +You can try out the regexp using "postmap -h -q - regex:/etc/postfix/smtp_header_checks < email" (where `email' may also be a bunch of traces). DISCLAIMER: The regexp probably needs tests (especially for multiple hops, 
@@ -1578,6 +1587,36 @@ responsability to masquerade it I suppose. In the same way, the CN and Issuer of the client's certificate may help to track him/her down. Maybe we should forge these as well? +***** Install packages + + apt-get install postfix-pcre + +***** Configure postfix + + :: /etc/postfix/smtp_anonymize_sender.pcre + + /^Received:\s+from\s+(\S+\s+\([-._[:alnum:]]+\s+\[[.[:digit:]]{7,15}\]\)).*?([[:space:]]+).*\(Authenticated sender:\s+([^)]+)\).*(by\s+smtp\.fripost\.org\s+\([^)]+\)\s+with\s+E?SMTPS?A?\s+id\s+[A-F[:digit:]]+.*)/ + REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$2(Authenticated sender: $3)${2}$4 + + + :: /etc/postfix/main.cf + + smtp_header_checks = pcre:$config_directory/smtp_anonymize_sender.pcre + + +By default, postfix logs the header checks (or rewrites in our case). +For privacy reasons, we drop these when they entery syslog: + + :: /etc/rsyslog.conf + + # Do not log our Postfix's header rewrites, that are meant to + # anonymize senders. + :msg, ereregex, "^ [[:alnum:]]+: replace: header Received: from" ~ + [...] + auth,authpriv.* /var/log/auth.log + *.*;auth,authpriv.none -/var/log/syslog + [...] + ** Configuring the webserver sudo apt-get install apache2 @@ -1809,7 +1848,6 @@ mv hooks/post-update.sample hooks/post-update echo "Mötesprotokoll" > fripost-meetings.git/description - ** Logging *** Overview We want to limit how much we log for privacy reasons. At the same time we want -- cgit v1.2.3
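Review bot: In the logcheck hunk (@@ -159,6 +159,9 @@), the added comment speaks only of untrusted connections, but the second rule's `(Unt|T)rusted:` alternation also silences the lines for verified client certificates. Either say so in the comment or narrow the pattern to `Untrusted:`. Unlike the rule just above them, neither added pattern ends in `$`, so whatever follows `established from` or `fingerprint=` is ignored as well; anchoring the tail would keep the rules tight.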
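Review bot: In the SASL token hunk (@@ -1473,8 +1476,16 @@), `read U PW` still echoes the password to the terminal and, without `-r`, consumes backslashes in it; `echo -ne` then interprets any backslash sequence left in `$PW`, so a password containing one encodes to the wrong token. Suggest `read -r U; IFS= read -rs PW` followed by `printf '\000%s\000%s' "$U" "$PW" | openssl base64`, which passes the password through byte for byte and keeps its leading or trailing whitespace.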
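Review bot: In the example-trace hunk (@@ -1549,9 +1560,7 @@), the context line right below the new `Received: from [127.0.0.1]` line still reads `by fripost.org (Postfix)`, while the regexp this patch introduces only matches `by\s+smtp\.fripost\.org`. As documented, the example trace would not be rewritten by the rule; change the host name in the example or the pattern so the two agree.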
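Review bot: In the regexp hunk (@@ -1563,10 +1572,10 @@), the test command names the table type `regex:`, which Postfix does not have (the types are `regexp:` and `pcre:`), and it points at /etc/postfix/smtp_header_checks while the patch installs the rule as /etc/postfix/smtp_anonymize_sender.pcre. The new pattern uses the lazy quantifier `.*?`, a PCRE construct, so it should be tested with the type main.cf uses: `postmap -h -q - pcre:/etc/postfix/smtp_anonymize_sender.pcre < email`. The unchanged sentence above the pattern still says the client "has EHLO'ed from localhost", although the replacement now writes `from [127.0.0.1]`.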
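Review bot: In the configuration hunk (@@ -1578,6 +1587,36 @@), the address class `\[[.[:digit:]]{7,15}\]` in smtp_anonymize_sender.pcre accepts dotted IPv4 only, whereas the logcheck rule added in the first hunk allows `:` in client addresses (`\[[0-9.:]+\]`). A Received: line carrying an IPv6 client address would not match and would leave the MSA with the sender's address intact; widen the class or add a second rule, and add a test trace for that case. Two smaller points: the rsyslog filter `:msg, ereregex, "^ [[:alnum:]]+: replace: header Received: from" ~` is not restricted to Postfix's program name, and "entery" in the sentence above it should read "enter".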