How to hide IP address when sending emails?

How to configure postfix to hide the client IP address when sending email? By default, postfix will add a “Received:” header to emails it receives. The “Received:” header leaks the privacy such as your home IP address and your computer name(Yes, email client such as outlook express will send your computer name rather than a FQDN in the EHLO command). There are several methods to keep you anonymized.

First, you can config postfix to remove the “Received:” header from messages: Set the header_checks           = regexp:/etc/postfix/header_checks in /etc/postfix/, and edit /etc/postfix/header_checks to include the following line:

/^Received:/ IGNORE
This way, postfix will match every header beginning with “Received:” and get rid of these headers(this is what the “IGNORE” action does). However, if you use opendkim with postfix, the missing “Received:” header will make opendkim not work. You will find the DKIM-Signature header is missing and a new header appears to indicate this error:

Authentication-Results:; dkim=permerror (bad message/signature format)

Second, you can use the REPLACE action in /etc/postfix/header_checks to replace the client IP address with another value so as not to expose the original IP address. We use the regex in this post to match the “Received:” header. In order to make the regex work, you should add a line in /etc/postfix/

smtpd_sasl_authenticated_header = yes

This will instruct postfix to generate the string like “Authenticated sender:” in the “Received:” header, and the following regular expression will catch the “Received:” header, then the replace action will rewrite the header to hide the IP.

Note there are two lines: one is the regexp, the other is the replace action.

The benefit of this method is that it will not break opendkim but also keep the “Received:” header in incoming emails untouched because it does not contain the “Authenticated sender” pattern. Only outgoing emails alter their  “Received:” header.

In practice, we find that the altered Received header may not be parsed correctly because the “by xxx(xxx)” is omitted from it. (The syntax of the Received email header can be found in this post. )This will be caught by some spam detection software as

and votes for a spam.  Thus, we modify header_checks as follows:

This way, only the sender information: “from ehlodomain(rdnsname[ipaddress])” is changed to “from [] (localhost [])”. The other parts of the Received header remain untouched.

Posted in tips of hosting