Remove DKIM-Signature from incoming mail after checking

link2xt · link2xt · commit 290525f0fc58 · 2025-03-25T02:21:14.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 ## untagged
 
+- Remove `DKIM-Signature` from incoming mails after verifying
+  ([#530](https://github.com/chatmail/server/pull/530))
+
 - Send SNI when connecting to outside servers
   ([#524](https://github.com/chatmail/server/pull/524))
 
diff --git a/cmdeploy/src/cmdeploy/__init__.py b/cmdeploy/src/cmdeploy/__init__.py
@@ -228,7 +228,6 @@ def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
     )
     need_restart |= service_file.changed
 
-
     return need_restart
 
 
@@ -275,7 +274,18 @@ def _configure_postfix(config: Config, debug: bool = False) -> bool:
     )
     need_restart |= master_config.changed
 
-    header_cleanup = files.put(
+    incoming_header_cleanup = files.put(
+        src=importlib.resources.files(__package__).joinpath(
+            "postfix/incoming_header_cleanup"
+        ),
+        dest="/etc/postfix/incoming_header_cleanup",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= incoming_header_cleanup.changed
+
+    submission_header_cleanup = files.put(
         src=importlib.resources.files(__package__).joinpath(
             "postfix/submission_header_cleanup"
         ),
@@ -284,7 +294,7 @@ def _configure_postfix(config: Config, debug: bool = False) -> bool:
         group="root",
         mode="644",
     )
-    need_restart |= header_cleanup.changed
+    need_restart |= submission_header_cleanup.changed
 
     # Login map that 1:1 maps email address to login.
     login_map = files.put(
diff --git a/cmdeploy/src/cmdeploy/postfix/incoming_header_cleanup b/cmdeploy/src/cmdeploy/postfix/incoming_header_cleanup
@@ -0,0 +1 @@
+/^DKIM-Signature:/            IGNORE
diff --git a/cmdeploy/src/cmdeploy/postfix/master.cf.j2 b/cmdeploy/src/cmdeploy/postfix/master.cf.j2
@@ -52,6 +52,7 @@ smtps     inet  n       -       y       -       5000    smtpd
 #628       inet  n       -       y       -       -       qmqpd
 pickup    unix  n       -       y       60      1       pickup
 cleanup   unix  n       -       y       -       0       cleanup
+  -o header_checks=regexp:/etc/postfix/incoming_header_cleanup
 qmgr      unix  n       -       n       300     1       qmgr
 #qmgr     unix  n       -       n       300     1       oqmgr
 tlsmgr    unix  -       -       y       1000?   1       tlsmgr
