When sending email with Postfix, how can I hide the sender’s IP and username in the Received header?

The standard solution is to use the header_checks option. This will work, however, if we filter received lines on all mail both incoming and outgoing (as this will do), we could potentially lose Received headers on mail sent to us, which can be important for troubleshooting. To get around this problem, we will apply the header_checks only to the mail that could not possibly have been sent to us—mail that was sent to the submission port (you are using the submission port, aren’t you?).

This post explains how to apply header_checks exclusively to the submission port. What we need to do is pass the cleanup_service_name option to the submission service so that we can set up a new cleanup service, “subcleanup.” The relevant section of /etc/postfix/master.cf might look like this:

submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o cleanup_service_name=subcleanup

Now we can pass the header_checks option to the new cleanup service. That part of /etc/postfix/master.cf might look like this:

cleanup   unix  n       -       -       -       0       cleanup
subcleanup unix n       -       -       -       0       cleanup
  -o header_checks=regexp:/etc/postfix/submission_header_checks

Finally, we need to create the file /etc/postfix/submission_header_checks, which will contain the regex that filters offending Received header lines. Which regex you put in the file depends on whether you have smtpd_sasl_authenticated_header set.

If smtpd_sasl_authenticated_header is yes, then use:

/^Received:.*\(Authenticated sender:/ IGNORE

Otherwise, use:

/^Received:.*\(Postfix/ IGNORE

(Thanks to Dominic P and Bryan Drewery for showing how to handle the second case.)