Why are X-Forward* headers removed during cleanup in postfix?

cjwalsh

I’m trying to configure a sieve filter to forward emails to Gmail, and as per latest guidance from Google here I am trying to add the X-Forwarded-For and X-Forwarded-To headers to the redirected messages. The filter validates and looks OK, but these headers don’t appear in the forwarded messages.

Sieve filter details below. Note I’m trying to avoid forwarding messages with DMARC reject policy which Gmail doesn’t seem to like even with ARC validation and signing.

require "editheader"; if allof ( not header :contains "X-Spam-Flag" "YES", not header :contains "ARC-Authentication-Results" "(policy=reject)" ) { addheader :last "X-Forwarded-For" "me@example.com"; addheader :last "X-Forwarded-To" "mygmailaddress@gmail.com"; redirect "mygmailaddress@gmail.com"; }

Doing some digging around, it looks like any X-Forward* headers are being removed by postfix smtp cleanup via this line in anonymize_headers.pcre:
/^\s*X-Forward/ IGNORE

I assume there must be a good reason for this behaviour, can anyone explain why it is configured this way? Is there an easy way to “whitelist” the X-Forwarded-For and X-Forwarded-To headers in anonymize_headers.pcre?

esackbauer

I guess the reason is hiding internal IP addresses and client IP addresses.
You could comment out the line or the one which loads this file.
Or make /^\s*X-Forward/ IGNORE more specific. CHeck the postfix documentation.

cjwalsh

I can see that hiding IP addresses makes sense. However the use of X-Forwarded-For and X-Forwarded-To is for email addresses rather than IP addresses, and so I think these need to be retained in the headers since they are intended for use by the receiving MTA.

Reading the action options in more detail here I think using either DUNNO or INFO actions with specific patterns to match X-Forwarded-For and X-Forwarded-To on lines before the more general match for other X-Forward* headers may work. I’ll test this out.