From 290525f0fc584a4522a3f57d545eb9a283d345b4 Mon Sep 17 00:00:00 2001 From: link2xt Date: Tue, 25 Mar 2025 02:19:56 +0000 Subject: [PATCH] Remove DKIM-Signature from incoming mail after checking --- CHANGELOG.md | 3 +++ cmdeploy/src/cmdeploy/__init__.py | 16 +++++++++++++--- .../src/cmdeploy/postfix/incoming_header_cleanup | 1 + cmdeploy/src/cmdeploy/postfix/master.cf.j2 | 1 + 4 files changed, 18 insertions(+), 3 deletions(-) create mode 100644 cmdeploy/src/cmdeploy/postfix/incoming_header_cleanup diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c8f5ae0..c9c67c8f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ ## untagged +- Remove `DKIM-Signature` from incoming mails after verifying + ([#530](https://github.com/chatmail/server/pull/530)) + - Send SNI when connecting to outside servers ([#524](https://github.com/chatmail/server/pull/524)) diff --git a/cmdeploy/src/cmdeploy/__init__.py b/cmdeploy/src/cmdeploy/__init__.py index a80db7c2..0265ff56 100644 --- a/cmdeploy/src/cmdeploy/__init__.py +++ b/cmdeploy/src/cmdeploy/__init__.py @@ -228,7 +228,6 @@ def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool: ) need_restart |= service_file.changed - return need_restart @@ -275,7 +274,18 @@ def _configure_postfix(config: Config, debug: bool = False) -> bool: ) need_restart |= master_config.changed - header_cleanup = files.put( + incoming_header_cleanup = files.put( + src=importlib.resources.files(__package__).joinpath( + "postfix/incoming_header_cleanup" + ), + dest="/etc/postfix/incoming_header_cleanup", + user="root", + group="root", + mode="644", + ) + need_restart |= incoming_header_cleanup.changed + + submission_header_cleanup = files.put( src=importlib.resources.files(__package__).joinpath( "postfix/submission_header_cleanup" ), 
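Review bot: The new `files.put` for `incoming_header_cleanup` in `_configure_postfix` has no comment saying what the table is for, whereas the login-map block in the following hunk has one (`# Login map that 1:1 maps email address to login.`). I would add above it something like `# Header checks for the default cleanup service: strip DKIM-Signature from incoming mail once it has been checked.` so a reader does not have to open master.cf.j2 to learn which service consumes the file. The renamed `submission_header_cleanup` block would benefit from a matching one-line comment; its remaining arguments lie outside this hunk.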
@@ -284,7 +294,7 @@ def _configure_postfix(config: Config, debug: bool = False) -> bool: group="root", mode="644", ) - need_restart |= header_cleanup.changed + need_restart |= submission_header_cleanup.changed # Login map that 1:1 maps email address to login. login_map = files.put( diff --git a/cmdeploy/src/cmdeploy/postfix/incoming_header_cleanup b/cmdeploy/src/cmdeploy/postfix/incoming_header_cleanup new file mode 100644 index 00000000..d7389122 --- /dev/null +++ b/cmdeploy/src/cmdeploy/postfix/incoming_header_cleanup @@ -0,0 +1 @@ +/^DKIM-Signature:/ IGNORE diff --git a/cmdeploy/src/cmdeploy/postfix/master.cf.j2 b/cmdeploy/src/cmdeploy/postfix/master.cf.j2 index 494cd0ce..74bd32f3 100644 --- a/cmdeploy/src/cmdeploy/postfix/master.cf.j2 +++ b/cmdeploy/src/cmdeploy/postfix/master.cf.j2 @@ -52,6 +52,7 @@ smtps inet n - y - 5000 smtpd #628 inet n - y - - qmqpd pickup unix n - y 60 1 pickup cleanup unix n - y - 0 cleanup + -o header_checks=regexp:/etc/postfix/incoming_header_cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr tlsmgr unix - - y 1000? 1 tlsmgr
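Review bot: The new table is the single rule `/^DKIM-Signature:/ IGNORE` with no comment, so the security assumption behind it is not recorded next to the rule: dropping the header is only safe once the signature has already been verified. A leading comment such as `# Drop DKIM-Signature on incoming mail; verification must have happened before this table is applied.` would state that. The comment could also note that Postfix regexp tables match case-insensitively by default, so differently-cased header names are covered without extra rules.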
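Review bot: The `-o header_checks=regexp:/etc/postfix/incoming_header_cleanup` override is attached to the shared `cleanup` service rather than to a dedicated incoming-only instance, so it applies to every path that uses the default cleanup (the `pickup` service listed just above, for instance), and as a `-o` override it replaces any `header_checks` set in main.cf for this service. The hunk does not show where DKIM verification runs relative to this cleanup instance; if the verifier is a milter on the same path, please confirm against Postfix's MILTER_README whether it sees headers before or after `header_checks`, because a signature stripped too early would never be verified. A deployment test that sends a signed message and asserts both a successful verification result and the absence of `DKIM-Signature` in the delivered copy would pin the intended order. A comment line above the option, e.g. `# Strip DKIM-Signature after verification; rules live in incoming_header_cleanup.`, would record the dependency in the template.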