From 8611ab80eddafb72bdd217509c2b80891dd2b5fc Mon Sep 17 00:00:00 2001
From: Stephen Smoogen <smooge@redhat.com>
Date: Wed, 29 May 2019 15:57:22 +0000
Subject: [PATCH] put in proper checks like we have for other domains

---
 handlers/restart_services.yml                 |   3 -
 roles/base/files/postfix/header_checks        | 496 ------------------
 .../base/files/postfix/header_checks.gateway  | 496 ------------------
 .../base/files/postfix/header_checks.mm-smtp  | 496 ------------------
 .../files/postfix/main.cf/main.cf.gateway     |   6 +-
 roles/base/tasks/postfix.yml                  |  20 +-
 6 files changed, 8 insertions(+), 1509 deletions(-)
 delete mode 100644 roles/base/files/postfix/header_checks
 delete mode 100644 roles/base/files/postfix/header_checks.gateway
 delete mode 100644 roles/base/files/postfix/header_checks.mm-smtp

diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index 9e9b563c9a..d59dc9f783 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -95,9 +95,6 @@
 - name: rebuild postfix tls_policy
   command: /usr/sbin/postmap /etc/postfix/tls_policy
 
-- name: rebuild postfix header_checks
-  command: /usr/sbin/postmap /etc/postfix/header_checks
-
 - name: restart postfix
   service: name=postfix state=restarted
 
diff --git a/roles/base/files/postfix/header_checks b/roles/base/files/postfix/header_checks
deleted file mode 100644
index 490e214c72..0000000000
--- a/roles/base/files/postfix/header_checks
+++ /dev/null
@@ -1,496 +0,0 @@
-# HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
-# 
-# NAME
-#        header_checks - Postfix built-in content inspection
-# 
-# SYNOPSIS
-#        header_checks = pcre:/etc/postfix/header_checks
-#        mime_header_checks = pcre:/etc/postfix/mime_header_checks
-#        nested_header_checks = pcre:/etc/postfix/nested_header_checks
-#        body_checks = pcre:/etc/postfix/body_checks
-# 
-#        milter_header_checks = pcre:/etc/postfix/milter_header_checks
-# 
-#        smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
-#        smtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks
-#        smtp_nested_header_checks = pcre:/etc/postfix/smtp_nested_header_checks
-#        smtp_body_checks = pcre:/etc/postfix/smtp_body_checks
-# 
-#        postmap -q "string" pcre:/etc/postfix/filename
-#        postmap -q - pcre:/etc/postfix/filename <inputfile
-# 
-# DESCRIPTION
-#        This  document  describes access control on the content of
-#        message headers and message body lines; it is  implemented
-#        by  the  Postfix  cleanup(8) server before mail is queued.
-#        See access(5) for access control  on  remote  SMTP  client
-#        information.
-# 
-#        Each  message  header  or  message  body  line is compared
-#        against a list of patterns.  When a  match  is  found  the
-#        corresponding action is executed, and the matching process
-#        is repeated for the next message header  or  message  body
-#        line.
-# 
-#        Note: message headers are examined one logical header at a
-#        time, even when a message  header  spans  multiple  lines.
-#        Body lines are always examined one line at a time.
-# 
-#        For  examples, see the EXAMPLES section at the end of this
-#        manual page.
-# 
-#        Postfix header or body_checks are designed to stop a flood
-#        of  mail from worms or viruses; they do not decode attach-
-#        ments, and they do not unzip archives. See  the  documents
-#        referenced  below  in the README FILES section if you need
-#        more sophisticated content analysis.
-# 
-# FILTERS WHILE RECEIVING MAIL
-#        Postfix implements the  following  four  built-in  content
-#        inspection classes while receiving mail:
-# 
-#        header_checks (default: empty)
-#               These   are  applied  to  initial  message  headers
-#               (except for the headers  that  are  processed  with
-#               mime_header_checks).
-# 
-#        mime_header_checks (default: $header_checks)
-#               These  are  applied to MIME related message headers
-#               only.
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#        nested_header_checks (default: $header_checks)
-#               These  are  applied  to message headers of attached
-#               email messages (except for  the  headers  that  are
-#               processed with mime_header_checks).
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#        body_checks
-#               These are applied to all other  content,  including
-#               multi-part message boundaries.
-# 
-#               With Postfix versions before 2.0, all content after
-#               the initial message headers is treated as body con-
-#               tent.
-# 
-# FILTERS AFTER RECEIVING MAIL
-#        Postfix  supports a subset of the built-in content inspec-
-#        tion classes after the message is received:
-# 
-#        milter_header_checks (default: empty)
-#               These are applied to headers that  are  added  with
-#               Milter applications.
-# 
-#               This feature is available in Postfix 2.7 and later.
-# 
-# FILTERS WHILE DELIVERING MAIL
-#        Postfix supports all four content inspection classes while
-#        delivering mail via SMTP.
-# 
-#        smtp_header_checks (default: empty)
-# 
-#        smtp_mime_header_checks (default: empty)
-# 
-#        smtp_nested_header_checks (default: empty)
-# 
-#        smtp_body_checks (default: empty)
-#               These  features  are  available  in Postfix 2.5 and
-#               later.
-# 
-# COMPATIBILITY
-#        With Postfix version 2.2 and earlier specify "postmap -fq"
-#        to query a table that contains case sensitive patterns. By
-#        default, regexp: and pcre: patterns are case  insensitive.
-# 
-# TABLE FORMAT
-#        This  document  assumes  that header and body_checks rules
-#        are specified in the form of  Postfix  regular  expression
-#        lookup  tables.  Usually  the best performance is obtained
-#        with pcre (Perl Compatible Regular Expression) tables. The
-#        regexp  (POSIX  regular  expressions)  tables  are usually
-#        slower, but more widely available.  Use the command "post-
-#        conf  -m" to find out what lookup table types your Postfix
-#        system supports.
-# 
-#        The general format of Postfix regular expression tables is
-#        given  below.   For  a  discussion  of specific pattern or
-#        flags  syntax,  see  pcre_table(5)   or   regexp_table(5),
-#        respectively.
-# 
-#        /pattern/flags action
-#               When  /pattern/  matches  the input string, execute
-#               the corresponding action. See below for a  list  of
-#               possible actions.
-# 
-#        !/pattern/flags action
-#               When  /pattern/  does  not  match the input string,
-#               execute the corresponding action.
-# 
-#        if /pattern/flags
-# 
-#        endif  Match the input string against the patterns between
-#               if  and endif, if and only if the same input string
-#               also matches /pattern/. The if..endif can nest.
-# 
-#               Note: do not prepend whitespace to patterns  inside
-#               if..endif.
-# 
-#        if !/pattern/flags
-# 
-#        endif  Match the input string against the patterns between
-#               if and endif, if and only if the same input  string
-#               does not match /pattern/. The if..endif can nest.
-# 
-#        blank lines and comments
-#               Empty  lines and whitespace-only lines are ignored,
-#               as are lines whose first  non-whitespace  character
-#               is a `#'.
-# 
-#        multi-line text
-#               A  pattern/action  line  starts with non-whitespace
-#               text. A line that starts with whitespace  continues
-#               a logical line.
-# 
-# TABLE SEARCH ORDER
-#        For  each  line of message input, the patterns are applied
-#        in the order as specified in the table. When a pattern  is
-#        found  that  matches  the  input  line,  the corresponding
-#        action is  executed  and  then  the  next  input  line  is
-#        inspected.
-# 
-# TEXT SUBSTITUTION
-#        Substitution  of  substrings  from  the matched expression
-#        into the action string is possible using the  conventional
-#        Perl  syntax  ($1,  $2,  etc.).   The macros in the result
-#        string may need to be written as  ${n}  or  $(n)  if  they
-#        aren't followed by whitespace.
-# 
-#        Note:  since negated patterns (those preceded by !) return
-#        a result when the expression does not match, substitutions
-#        are not available for negated patterns.
-# 
-# ACTIONS
-#        Action names are case insensitive. They are shown in upper
-#        case for consistency with other Postfix documentation.
-# 
-#        DISCARD optional text...
-#               Claim successful delivery and silently discard  the
-#               message.   Log the optional text if specified, oth-
-#               erwise log a generic message.
-# 
-#               Note:  this  action  disables  further  header   or
-#               body_checks  inspection  of the current message and
-#               affects all recipients.  To discard only one recip-
-#               ient without discarding the entire message, use the
-#               transport(5) table to direct mail to the discard(8)
-#               service.
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        DUNNO  Pretend  that the input line did not match any pat-
-#               tern, and inspect the next input line. This  action
-#               can be used to shorten the table search.
-# 
-#               For  backwards  compatibility reasons, Postfix also
-#               accepts OK but it is (and always has been)  treated
-#               as DUNNO.
-# 
-#               This feature is available in Postfix 2.1 and later.
-# 
-#        FILTER transport:destination
-#               After the message is queued, send the  entire  mes-
-#               sage through the specified external content filter.
-#               The transport name specifies the first field  of  a
-#               mail  delivery  agent  definition in master.cf; the
-#               syntax of the next-hop destination is described  in
-#               the  manual  page  of  the  corresponding  delivery
-#               agent.  More  information  about  external  content
-#               filters is in the Postfix FILTER_README file.
-# 
-#               Note  1: do not use $number regular expression sub-
-#               stitutions for transport or destination unless  you
-#               know that the information has a trusted origin.
-# 
-#               Note  2:  this  action  overrides  the main.cf con-
-#               tent_filter setting, and affects all recipients  of
-#               the  message.  In  the  case  that  multiple FILTER
-#               actions fire, only the last one is executed.
-# 
-#               Note 3: the purpose of the  FILTER  command  is  to
-#               override  message routing.  To override the recipi-
-#               ent's transport but not the  next-hop  destination,
-#               specify  an  empty  filter destination (Postfix 2.7
-#               and later), or specify a transport:destination that
-#               delivers   through  a  different  Postfix  instance
-#               (Postfix 2.6 and earlier). Other options are  using
-#               the  recipient-dependent transport_maps or the sen-
-#               der-dependent   sender_dependent_default_transport-
-#               _maps features.
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        HOLD optional text...
-#               Arrange  for  the  message to be placed on the hold
-#               queue, and inspect the next input line.   The  mes-
-#               sage  remains  on hold until someone either deletes
-#               it or releases it for delivery.  Log  the  optional
-#               text if specified, otherwise log a generic message.
-# 
-#               Mail that is placed on hold can  be  examined  with
-#               the  postcat(1)  command,  and  can be destroyed or
-#               released with the postsuper(1) command.
-# 
-#               Note: use "postsuper -r" to release mail  that  was
-#               kept  on  hold for a significant fraction of $maxi-
-#               mal_queue_lifetime  or  $bounce_queue_lifetime,  or
-#               longer.  Use "postsuper -H" only for mail that will
-#               not expire within a few delivery attempts.
-# 
-#               Note: this action affects  all  recipients  of  the
-#               message.
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        IGNORE Delete the current line from the input, and inspect
-#               the next input line.
-# 
-#        INFO optional text...
-#               Log an "info:" record with the optional text... (or
-#               log  a  generic  text),  and inspect the next input
-#               line. This action is useful for routine logging  or
-#               for debugging.
-# 
-#               This feature is available in Postfix 2.8 and later.
-# 
-#        PREPEND text...
-#               Prepend one  line  with  the  specified  text,  and
-#               inspect the next input line.
-# 
-#               Notes:
-# 
-#               o      The  prepended  text is output on a separate
-#                      line,  immediately  before  the  input  that
-#                      triggered the PREPEND action.
-# 
-#               o      The prepended text is not considered part of
-#                      the input  stream:  it  is  not  subject  to
-#                      header/body checks or address rewriting, and
-#                      it does not affect the way that Postfix adds
-#                      missing message headers.
-# 
-#               o      When prepending text before a message header
-#                      line, the prepended text must begin  with  a
-#                      valid message header label.
-# 
-#               o      This action cannot be used to prepend multi-
-#                      line text.
-# 
-#               This feature is available in Postfix 2.1 and later.
-# 
-#               This   feature   is   not   supported   with   mil-
-#               ter_header_checks.
-# 
-#        REDIRECT user@domain
-#               Write a message redirection request  to  the  queue
-#               file,  and  inspect  the next input line. After the
-#               message is queued, it will be sent to the specified
-#               address instead of the intended recipient(s).
-# 
-#               Note:  this action overrides the FILTER action, and
-#               affects all recipients of the message. If  multiple
-#               REDIRECT  actions  fire,  only the last one is exe-
-#               cuted.
-# 
-#               This feature is available in Postfix 2.1 and later.
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        REPLACE text...
-#               Replace the current line with the  specified  text,
-#               and inspect the next input line.
-# 
-#               This feature is available in Postfix 2.2 and later.
-#               The description below applies to Postfix 2.2.2  and
-#               later.
-# 
-#               Notes:
-# 
-#               o      When  replacing  a  message header line, the
-#                      replacement text must  begin  with  a  valid
-#                      header label.
-# 
-#               o      The  replaced text remains part of the input
-#                      stream. Unlike the result from  the  PREPEND
-#                      action,  a  replaced  message  header may be
-#                      subject to address rewriting and may  affect
-#                      the  way  that  Postfix adds missing message
-#                      headers.
-# 
-#        REJECT optional text...
-#               Reject the  entire  message.  Reply  with  optional
-#               text... when the optional text is specified, other-
-#               wise reply with a generic error message.
-# 
-#               Note:  this  action  disables  further  header   or
-#               body_checks  inspection  of the current message and
-#               affects all recipients.
-# 
-#               Postfix version 2.3 and later support enhanced sta-
-#               tus codes.  When no code is specified at the begin-
-#               ning of optional text..., Postfix inserts a default
-#               enhanced status code of "5.7.1".
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        WARN optional text...
-#               Log a "warning:" record with the  optional  text...
-#               (or log a generic text), and inspect the next input
-#               line. This action is useful for debugging  and  for
-#               testing  a  pattern  before  applying  more drastic
-#               actions.
-# 
-# BUGS
-#        Empty lines never match, because some map types mis-behave
-#        when  given  a zero-length search string.  This limitation
-#        may be removed for regular expression tables in  a  future
-#        release.
-# 
-#        Many  people  overlook  the main limitations of header and
-#        body_checks rules.
-# 
-#        o      These rules operate on one logical  message  header
-#               or one body line at a time. A decision made for one
-#               line is not carried over to the next line.
-# 
-#        o      If text in the message body is encoded  (RFC  2045)
-#               then the rules need to be specified for the encoded
-#               form.
-# 
-#        o      Likewise, when message  headers  are  encoded  (RFC
-#               2047)  then  the rules need to be specified for the
-#               encoded form.
-# 
-#        Message headers added by the cleanup(8) daemon itself  are
-#        excluded from inspection. Examples of such message headers
-#        are From:, To:, Message-ID:, Date:.
-# 
-#        Message headers deleted by the cleanup(8) daemon  will  be
-#        examined before they are deleted. Examples are: Bcc:, Con-
-#        tent-Length:, Return-Path:.
-# 
-# CONFIGURATION PARAMETERS
-#        body_checks
-#               Lookup tables with content filter rules for message
-#               body lines.  These filters see one physical line at
-#               a time, in chunks  of  at  most  $line_length_limit
-#               bytes.
-# 
-#        body_checks_size_limit
-#               The  amount  of  content  per  message body segment
-#               (attachment) that is subjected to $body_checks fil-
-#               tering.
-# 
-#        header_checks
-# 
-#        mime_header_checks (default: $header_checks)
-# 
-#        nested_header_checks (default: $header_checks)
-#               Lookup tables with content filter rules for message
-#               header lines: respectively, these  are  applied  to
-#               the  initial  message  headers  (not including MIME
-#               headers), to the MIME headers anywhere in the  mes-
-#               sage,  and  to the initial headers of attached mes-
-#               sages.
-# 
-#               Note: these filters see one logical message  header
-#               at  a time, even when a message header spans multi-
-#               ple lines. Message headers  that  are  longer  than
-#               $header_size_limit characters are truncated.
-# 
-#        disable_mime_input_processing
-#               While  receiving mail, give no special treatment to
-#               MIME related message headers; all  text  after  the
-#               initial message headers is considered to be part of
-#               the message body. This means that header_checks  is
-#               applied  to  all  the  initial message headers, and
-#               that body_checks is applied to the remainder of the
-#               message.
-# 
-#               Note:  when  used  in this manner, body_checks will
-#               process a multi-line message header one line  at  a
-#               time.
-# 
-# EXAMPLES
-#        Header  pattern  to  block  attachments with bad file name
-#        extensions.  For convenience, the PCRE /x flag  is  speci-
-#        fied,  so  that  there  is no need to collapse the pattern
-#        into  a  single  line  of  text.   The  purpose   of   the
-#        [[:xdigit:]] sub-expressions is to recognize Windows CLSID
-#        strings.
-# 
-#        /etc/postfix/main.cf:
-#            header_checks = pcre:/etc/postfix/header_checks.pcre
-# 
-#        /etc/postfix/header_checks.pcre:
-#            /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
-#              ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
-#              hlp|ht[at]|
-#              inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
-#              \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
-#              ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
-#              vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
-#                REJECT Attachment name "$2" may not end with ".$4"
-# 
-#        Body pattern to stop a specific HTML browser vulnerability
-#        exploit.
-# 
-#        /etc/postfix/main.cf:
-#            body_checks = regexp:/etc/postfix/body_checks
-# 
-#        /etc/postfix/body_checks:
-#            /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
-#                REJECT IFRAME vulnerability exploit
-# 
-# SEE ALSO
-#        cleanup(8), canonicalize and enqueue Postfix message
-#        pcre_table(5), format of PCRE lookup tables
-#        regexp_table(5), format of POSIX regular expression tables
-#        postconf(1), Postfix configuration utility
-#        postmap(1), Postfix lookup table management
-#        postsuper(1), Postfix janitor
-#        postcat(1), show Postfix queue file contents
-#        RFC 2045, base64 and quoted-printable encoding rules
-#        RFC 2047, message header encoding for non-ASCII text
-# 
-# README FILES
-#        Use  "postconf  readme_directory" or "postconf html_direc-
-#        tory" to locate this information.
-#        DATABASE_README, Postfix lookup table overview
-#        CONTENT_INSPECTION_README, Postfix content inspection overview
-#        BUILTIN_FILTER_README, Postfix built-in content inspection
-#        BACKSCATTER_README, blocking returned forged mail
-# 
-# LICENSE
-#        The Secure Mailer license must be  distributed  with  this
-#        software.
-# 
-# AUTHOR(S)
-#        Wietse Venema
-#        IBM T.J. Watson Research
-#        P.O. Box 704
-#        Yorktown Heights, NY 10598, USA
-# 
-#                                                               HEADER_CHECKS(5)
diff --git a/roles/base/files/postfix/header_checks.gateway b/roles/base/files/postfix/header_checks.gateway
deleted file mode 100644
index 490e214c72..0000000000
--- a/roles/base/files/postfix/header_checks.gateway
+++ /dev/null
@@ -1,496 +0,0 @@
-# HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
-# 
-# NAME
-#        header_checks - Postfix built-in content inspection
-# 
-# SYNOPSIS
-#        header_checks = pcre:/etc/postfix/header_checks
-#        mime_header_checks = pcre:/etc/postfix/mime_header_checks
-#        nested_header_checks = pcre:/etc/postfix/nested_header_checks
-#        body_checks = pcre:/etc/postfix/body_checks
-# 
-#        milter_header_checks = pcre:/etc/postfix/milter_header_checks
-# 
-#        smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
-#        smtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks
-#        smtp_nested_header_checks = pcre:/etc/postfix/smtp_nested_header_checks
-#        smtp_body_checks = pcre:/etc/postfix/smtp_body_checks
-# 
-#        postmap -q "string" pcre:/etc/postfix/filename
-#        postmap -q - pcre:/etc/postfix/filename <inputfile
-# 
-# DESCRIPTION
-#        This  document  describes access control on the content of
-#        message headers and message body lines; it is  implemented
-#        by  the  Postfix  cleanup(8) server before mail is queued.
-#        See access(5) for access control  on  remote  SMTP  client
-#        information.
-# 
-#        Each  message  header  or  message  body  line is compared
-#        against a list of patterns.  When a  match  is  found  the
-#        corresponding action is executed, and the matching process
-#        is repeated for the next message header  or  message  body
-#        line.
-# 
-#        Note: message headers are examined one logical header at a
-#        time, even when a message  header  spans  multiple  lines.
-#        Body lines are always examined one line at a time.
-# 
-#        For  examples, see the EXAMPLES section at the end of this
-#        manual page.
-# 
-#        Postfix header or body_checks are designed to stop a flood
-#        of  mail from worms or viruses; they do not decode attach-
-#        ments, and they do not unzip archives. See  the  documents
-#        referenced  below  in the README FILES section if you need
-#        more sophisticated content analysis.
-# 
-# FILTERS WHILE RECEIVING MAIL
-#        Postfix implements the  following  four  built-in  content
-#        inspection classes while receiving mail:
-# 
-#        header_checks (default: empty)
-#               These   are  applied  to  initial  message  headers
-#               (except for the headers  that  are  processed  with
-#               mime_header_checks).
-# 
-#        mime_header_checks (default: $header_checks)
-#               These  are  applied to MIME related message headers
-#               only.
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#        nested_header_checks (default: $header_checks)
-#               These  are  applied  to message headers of attached
-#               email messages (except for  the  headers  that  are
-#               processed with mime_header_checks).
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#        body_checks
-#               These are applied to all other  content,  including
-#               multi-part message boundaries.
-# 
-#               With Postfix versions before 2.0, all content after
-#               the initial message headers is treated as body con-
-#               tent.
-# 
-# FILTERS AFTER RECEIVING MAIL
-#        Postfix  supports a subset of the built-in content inspec-
-#        tion classes after the message is received:
-# 
-#        milter_header_checks (default: empty)
-#               These are applied to headers that  are  added  with
-#               Milter applications.
-# 
-#               This feature is available in Postfix 2.7 and later.
-# 
-# FILTERS WHILE DELIVERING MAIL
-#        Postfix supports all four content inspection classes while
-#        delivering mail via SMTP.
-# 
-#        smtp_header_checks (default: empty)
-# 
-#        smtp_mime_header_checks (default: empty)
-# 
-#        smtp_nested_header_checks (default: empty)
-# 
-#        smtp_body_checks (default: empty)
-#               These  features  are  available  in Postfix 2.5 and
-#               later.
-# 
-# COMPATIBILITY
-#        With Postfix version 2.2 and earlier specify "postmap -fq"
-#        to query a table that contains case sensitive patterns. By
-#        default, regexp: and pcre: patterns are case  insensitive.
-# 
-# TABLE FORMAT
-#        This  document  assumes  that header and body_checks rules
-#        are specified in the form of  Postfix  regular  expression
-#        lookup  tables.  Usually  the best performance is obtained
-#        with pcre (Perl Compatible Regular Expression) tables. The
-#        regexp  (POSIX  regular  expressions)  tables  are usually
-#        slower, but more widely available.  Use the command "post-
-#        conf  -m" to find out what lookup table types your Postfix
-#        system supports.
-# 
-#        The general format of Postfix regular expression tables is
-#        given  below.   For  a  discussion  of specific pattern or
-#        flags  syntax,  see  pcre_table(5)   or   regexp_table(5),
-#        respectively.
-# 
-#        /pattern/flags action
-#               When  /pattern/  matches  the input string, execute
-#               the corresponding action. See below for a  list  of
-#               possible actions.
-# 
-#        !/pattern/flags action
-#               When  /pattern/  does  not  match the input string,
-#               execute the corresponding action.
-# 
-#        if /pattern/flags
-# 
-#        endif  Match the input string against the patterns between
-#               if  and endif, if and only if the same input string
-#               also matches /pattern/. The if..endif can nest.
-# 
-#               Note: do not prepend whitespace to patterns  inside
-#               if..endif.
-# 
-#        if !/pattern/flags
-# 
-#        endif  Match the input string against the patterns between
-#               if and endif, if and only if the same input  string
-#               does not match /pattern/. The if..endif can nest.
-# 
-#        blank lines and comments
-#               Empty  lines and whitespace-only lines are ignored,
-#               as are lines whose first  non-whitespace  character
-#               is a `#'.
-# 
-#        multi-line text
-#               A  pattern/action  line  starts with non-whitespace
-#               text. A line that starts with whitespace  continues
-#               a logical line.
-# 
-# TABLE SEARCH ORDER
-#        For  each  line of message input, the patterns are applied
-#        in the order as specified in the table. When a pattern  is
-#        found  that  matches  the  input  line,  the corresponding
-#        action is  executed  and  then  the  next  input  line  is
-#        inspected.
-# 
-# TEXT SUBSTITUTION
-#        Substitution  of  substrings  from  the matched expression
-#        into the action string is possible using the  conventional
-#        Perl  syntax  ($1,  $2,  etc.).   The macros in the result
-#        string may need to be written as  ${n}  or  $(n)  if  they
-#        aren't followed by whitespace.
-# 
-#        Note:  since negated patterns (those preceded by !) return
-#        a result when the expression does not match, substitutions
-#        are not available for negated patterns.
-# 
-# ACTIONS
-#        Action names are case insensitive. They are shown in upper
-#        case for consistency with other Postfix documentation.
-# 
-#        DISCARD optional text...
-#               Claim successful delivery and silently discard  the
-#               message.   Log the optional text if specified, oth-
-#               erwise log a generic message.
-# 
-#               Note:  this  action  disables  further  header   or
-#               body_checks  inspection  of the current message and
-#               affects all recipients.  To discard only one recip-
-#               ient without discarding the entire message, use the
-#               transport(5) table to direct mail to the discard(8)
-#               service.
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        DUNNO  Pretend  that the input line did not match any pat-
-#               tern, and inspect the next input line. This  action
-#               can be used to shorten the table search.
-# 
-#               For  backwards  compatibility reasons, Postfix also
-#               accepts OK but it is (and always has been)  treated
-#               as DUNNO.
-# 
-#               This feature is available in Postfix 2.1 and later.
-# 
-#        FILTER transport:destination
-#               After the message is queued, send the  entire  mes-
-#               sage through the specified external content filter.
-#               The transport name specifies the first field  of  a
-#               mail  delivery  agent  definition in master.cf; the
-#               syntax of the next-hop destination is described  in
-#               the  manual  page  of  the  corresponding  delivery
-#               agent.  More  information  about  external  content
-#               filters is in the Postfix FILTER_README file.
-# 
-#               Note  1: do not use $number regular expression sub-
-#               stitutions for transport or destination unless  you
-#               know that the information has a trusted origin.
-# 
-#               Note  2:  this  action  overrides  the main.cf con-
-#               tent_filter setting, and affects all recipients  of
-#               the  message.  In  the  case  that  multiple FILTER
-#               actions fire, only the last one is executed.
-# 
-#               Note 3: the purpose of the  FILTER  command  is  to
-#               override  message routing.  To override the recipi-
-#               ent's transport but not the  next-hop  destination,
-#               specify  an  empty  filter destination (Postfix 2.7
-#               and later), or specify a transport:destination that
-#               delivers   through  a  different  Postfix  instance
-#               (Postfix 2.6 and earlier). Other options are  using
-#               the  recipient-dependent transport_maps or the sen-
-#               der-dependent   sender_dependent_default_transport-
-#               _maps features.
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        HOLD optional text...
-#               Arrange  for  the  message to be placed on the hold
-#               queue, and inspect the next input line.   The  mes-
-#               sage  remains  on hold until someone either deletes
-#               it or releases it for delivery.  Log  the  optional
-#               text if specified, otherwise log a generic message.
-# 
-#               Mail that is placed on hold can  be  examined  with
-#               the  postcat(1)  command,  and  can be destroyed or
-#               released with the postsuper(1) command.
-# 
-#               Note: use "postsuper -r" to release mail  that  was
-#               kept  on  hold for a significant fraction of $maxi-
-#               mal_queue_lifetime  or  $bounce_queue_lifetime,  or
-#               longer.  Use "postsuper -H" only for mail that will
-#               not expire within a few delivery attempts.
-# 
-#               Note: this action affects  all  recipients  of  the
-#               message.
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        IGNORE Delete the current line from the input, and inspect
-#               the next input line.
-# 
-#        INFO optional text...
-#               Log an "info:" record with the optional text... (or
-#               log  a  generic  text),  and inspect the next input
-#               line. This action is useful for routine logging  or
-#               for debugging.
-# 
-#               This feature is available in Postfix 2.8 and later.
-# 
-#        PREPEND text...
-#               Prepend one  line  with  the  specified  text,  and
-#               inspect the next input line.
-# 
-#               Notes:
-# 
-#               o      The  prepended  text is output on a separate
-#                      line,  immediately  before  the  input  that
-#                      triggered the PREPEND action.
-# 
-#               o      The prepended text is not considered part of
-#                      the input  stream:  it  is  not  subject  to
-#                      header/body checks or address rewriting, and
-#                      it does not affect the way that Postfix adds
-#                      missing message headers.
-# 
-#               o      When prepending text before a message header
-#                      line, the prepended text must begin  with  a
-#                      valid message header label.
-# 
-#               o      This action cannot be used to prepend multi-
-#                      line text.
-# 
-#               This feature is available in Postfix 2.1 and later.
-# 
-#               This   feature   is   not   supported   with   mil-
-#               ter_header_checks.
-# 
-#        REDIRECT user@domain
-#               Write a message redirection request  to  the  queue
-#               file,  and  inspect  the next input line. After the
-#               message is queued, it will be sent to the specified
-#               address instead of the intended recipient(s).
-# 
-#               Note:  this action overrides the FILTER action, and
-#               affects all recipients of the message. If  multiple
-#               REDIRECT  actions  fire,  only the last one is exe-
-#               cuted.
-# 
-#               This feature is available in Postfix 2.1 and later.
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        REPLACE text...
-#               Replace the current line with the  specified  text,
-#               and inspect the next input line.
-# 
-#               This feature is available in Postfix 2.2 and later.
-#               The description below applies to Postfix 2.2.2  and
-#               later.
-# 
-#               Notes:
-# 
-#               o      When  replacing  a  message header line, the
-#                      replacement text must  begin  with  a  valid
-#                      header label.
-# 
-#               o      The  replaced text remains part of the input
-#                      stream. Unlike the result from  the  PREPEND
-#                      action,  a  replaced  message  header may be
-#                      subject to address rewriting and may  affect
-#                      the  way  that  Postfix adds missing message
-#                      headers.
-# 
-#        REJECT optional text...
-#               Reject the  entire  message.  Reply  with  optional
-#               text... when the optional text is specified, other-
-#               wise reply with a generic error message.
-# 
-#               Note:  this  action  disables  further  header   or
-#               body_checks  inspection  of the current message and
-#               affects all recipients.
-# 
-#               Postfix version 2.3 and later support enhanced sta-
-#               tus codes.  When no code is specified at the begin-
-#               ning of optional text..., Postfix inserts a default
-#               enhanced status code of "5.7.1".
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        WARN optional text...
-#               Log a "warning:" record with the  optional  text...
-#               (or log a generic text), and inspect the next input
-#               line. This action is useful for debugging  and  for
-#               testing  a  pattern  before  applying  more drastic
-#               actions.
-# 
-# BUGS
-#        Empty lines never match, because some map types mis-behave
-#        when  given  a zero-length search string.  This limitation
-#        may be removed for regular expression tables in  a  future
-#        release.
-# 
-#        Many  people  overlook  the main limitations of header and
-#        body_checks rules.
-# 
-#        o      These rules operate on one logical  message  header
-#               or one body line at a time. A decision made for one
-#               line is not carried over to the next line.
-# 
-#        o      If text in the message body is encoded  (RFC  2045)
-#               then the rules need to be specified for the encoded
-#               form.
-# 
-#        o      Likewise, when message  headers  are  encoded  (RFC
-#               2047)  then  the rules need to be specified for the
-#               encoded form.
-# 
-#        Message headers added by the cleanup(8) daemon itself  are
-#        excluded from inspection. Examples of such message headers
-#        are From:, To:, Message-ID:, Date:.
-# 
-#        Message headers deleted by the cleanup(8) daemon  will  be
-#        examined before they are deleted. Examples are: Bcc:, Con-
-#        tent-Length:, Return-Path:.
-# 
-# CONFIGURATION PARAMETERS
-#        body_checks
-#               Lookup tables with content filter rules for message
-#               body lines.  These filters see one physical line at
-#               a time, in chunks  of  at  most  $line_length_limit
-#               bytes.
-# 
-#        body_checks_size_limit
-#               The  amount  of  content  per  message body segment
-#               (attachment) that is subjected to $body_checks fil-
-#               tering.
-# 
-#        header_checks
-# 
-#        mime_header_checks (default: $header_checks)
-# 
-#        nested_header_checks (default: $header_checks)
-#               Lookup tables with content filter rules for message
-#               header lines: respectively, these  are  applied  to
-#               the  initial  message  headers  (not including MIME
-#               headers), to the MIME headers anywhere in the  mes-
-#               sage,  and  to the initial headers of attached mes-
-#               sages.
-# 
-#               Note: these filters see one logical message  header
-#               at  a time, even when a message header spans multi-
-#               ple lines. Message headers  that  are  longer  than
-#               $header_size_limit characters are truncated.
-# 
-#        disable_mime_input_processing
-#               While  receiving mail, give no special treatment to
-#               MIME related message headers; all  text  after  the
-#               initial message headers is considered to be part of
-#               the message body. This means that header_checks  is
-#               applied  to  all  the  initial message headers, and
-#               that body_checks is applied to the remainder of the
-#               message.
-# 
-#               Note:  when  used  in this manner, body_checks will
-#               process a multi-line message header one line  at  a
-#               time.
-# 
-# EXAMPLES
-#        Header  pattern  to  block  attachments with bad file name
-#        extensions.  For convenience, the PCRE /x flag  is  speci-
-#        fied,  so  that  there  is no need to collapse the pattern
-#        into  a  single  line  of  text.   The  purpose   of   the
-#        [[:xdigit:]] sub-expressions is to recognize Windows CLSID
-#        strings.
-# 
-#        /etc/postfix/main.cf:
-#            header_checks = pcre:/etc/postfix/header_checks.pcre
-# 
-#        /etc/postfix/header_checks.pcre:
-#            /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
-#              ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
-#              hlp|ht[at]|
-#              inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
-#              \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
-#              ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
-#              vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
-#                REJECT Attachment name "$2" may not end with ".$4"
-# 
-#        Body pattern to stop a specific HTML browser vulnerability
-#        exploit.
-# 
-#        /etc/postfix/main.cf:
-#            body_checks = regexp:/etc/postfix/body_checks
-# 
-#        /etc/postfix/body_checks:
-#            /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
-#                REJECT IFRAME vulnerability exploit
-# 
-# SEE ALSO
-#        cleanup(8), canonicalize and enqueue Postfix message
-#        pcre_table(5), format of PCRE lookup tables
-#        regexp_table(5), format of POSIX regular expression tables
-#        postconf(1), Postfix configuration utility
-#        postmap(1), Postfix lookup table management
-#        postsuper(1), Postfix janitor
-#        postcat(1), show Postfix queue file contents
-#        RFC 2045, base64 and quoted-printable encoding rules
-#        RFC 2047, message header encoding for non-ASCII text
-# 
-# README FILES
-#        Use  "postconf  readme_directory" or "postconf html_direc-
-#        tory" to locate this information.
-#        DATABASE_README, Postfix lookup table overview
-#        CONTENT_INSPECTION_README, Postfix content inspection overview
-#        BUILTIN_FILTER_README, Postfix built-in content inspection
-#        BACKSCATTER_README, blocking returned forged mail
-# 
-# LICENSE
-#        The Secure Mailer license must be  distributed  with  this
-#        software.
-# 
-# AUTHOR(S)
-#        Wietse Venema
-#        IBM T.J. Watson Research
-#        P.O. Box 704
-#        Yorktown Heights, NY 10598, USA
-# 
-#                                                               HEADER_CHECKS(5)
diff --git a/roles/base/files/postfix/header_checks.mm-smtp b/roles/base/files/postfix/header_checks.mm-smtp
deleted file mode 100644
index 490e214c72..0000000000
--- a/roles/base/files/postfix/header_checks.mm-smtp
+++ /dev/null
@@ -1,496 +0,0 @@
-# HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
-# 
-# NAME
-#        header_checks - Postfix built-in content inspection
-# 
-# SYNOPSIS
-#        header_checks = pcre:/etc/postfix/header_checks
-#        mime_header_checks = pcre:/etc/postfix/mime_header_checks
-#        nested_header_checks = pcre:/etc/postfix/nested_header_checks
-#        body_checks = pcre:/etc/postfix/body_checks
-# 
-#        milter_header_checks = pcre:/etc/postfix/milter_header_checks
-# 
-#        smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
-#        smtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks
-#        smtp_nested_header_checks = pcre:/etc/postfix/smtp_nested_header_checks
-#        smtp_body_checks = pcre:/etc/postfix/smtp_body_checks
-# 
-#        postmap -q "string" pcre:/etc/postfix/filename
-#        postmap -q - pcre:/etc/postfix/filename <inputfile
-# 
-# DESCRIPTION
-#        This  document  describes access control on the content of
-#        message headers and message body lines; it is  implemented
-#        by  the  Postfix  cleanup(8) server before mail is queued.
-#        See access(5) for access control  on  remote  SMTP  client
-#        information.
-# 
-#        Each  message  header  or  message  body  line is compared
-#        against a list of patterns.  When a  match  is  found  the
-#        corresponding action is executed, and the matching process
-#        is repeated for the next message header  or  message  body
-#        line.
-# 
-#        Note: message headers are examined one logical header at a
-#        time, even when a message  header  spans  multiple  lines.
-#        Body lines are always examined one line at a time.
-# 
-#        For  examples, see the EXAMPLES section at the end of this
-#        manual page.
-# 
-#        Postfix header or body_checks are designed to stop a flood
-#        of  mail from worms or viruses; they do not decode attach-
-#        ments, and they do not unzip archives. See  the  documents
-#        referenced  below  in the README FILES section if you need
-#        more sophisticated content analysis.
-# 
-# FILTERS WHILE RECEIVING MAIL
-#        Postfix implements the  following  four  built-in  content
-#        inspection classes while receiving mail:
-# 
-#        header_checks (default: empty)
-#               These   are  applied  to  initial  message  headers
-#               (except for the headers  that  are  processed  with
-#               mime_header_checks).
-# 
-#        mime_header_checks (default: $header_checks)
-#               These  are  applied to MIME related message headers
-#               only.
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#        nested_header_checks (default: $header_checks)
-#               These  are  applied  to message headers of attached
-#               email messages (except for  the  headers  that  are
-#               processed with mime_header_checks).
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#        body_checks
-#               These are applied to all other  content,  including
-#               multi-part message boundaries.
-# 
-#               With Postfix versions before 2.0, all content after
-#               the initial message headers is treated as body con-
-#               tent.
-# 
-# FILTERS AFTER RECEIVING MAIL
-#        Postfix  supports a subset of the built-in content inspec-
-#        tion classes after the message is received:
-# 
-#        milter_header_checks (default: empty)
-#               These are applied to headers that  are  added  with
-#               Milter applications.
-# 
-#               This feature is available in Postfix 2.7 and later.
-# 
-# FILTERS WHILE DELIVERING MAIL
-#        Postfix supports all four content inspection classes while
-#        delivering mail via SMTP.
-# 
-#        smtp_header_checks (default: empty)
-# 
-#        smtp_mime_header_checks (default: empty)
-# 
-#        smtp_nested_header_checks (default: empty)
-# 
-#        smtp_body_checks (default: empty)
-#               These  features  are  available  in Postfix 2.5 and
-#               later.
-# 
-# COMPATIBILITY
-#        With Postfix version 2.2 and earlier specify "postmap -fq"
-#        to query a table that contains case sensitive patterns. By
-#        default, regexp: and pcre: patterns are case  insensitive.
-# 
-# TABLE FORMAT
-#        This  document  assumes  that header and body_checks rules
-#        are specified in the form of  Postfix  regular  expression
-#        lookup  tables.  Usually  the best performance is obtained
-#        with pcre (Perl Compatible Regular Expression) tables. The
-#        regexp  (POSIX  regular  expressions)  tables  are usually
-#        slower, but more widely available.  Use the command "post-
-#        conf  -m" to find out what lookup table types your Postfix
-#        system supports.
-# 
-#        The general format of Postfix regular expression tables is
-#        given  below.   For  a  discussion  of specific pattern or
-#        flags  syntax,  see  pcre_table(5)   or   regexp_table(5),
-#        respectively.
-# 
-#        /pattern/flags action
-#               When  /pattern/  matches  the input string, execute
-#               the corresponding action. See below for a  list  of
-#               possible actions.
-# 
-#        !/pattern/flags action
-#               When  /pattern/  does  not  match the input string,
-#               execute the corresponding action.
-# 
-#        if /pattern/flags
-# 
-#        endif  Match the input string against the patterns between
-#               if  and endif, if and only if the same input string
-#               also matches /pattern/. The if..endif can nest.
-# 
-#               Note: do not prepend whitespace to patterns  inside
-#               if..endif.
-# 
-#        if !/pattern/flags
-# 
-#        endif  Match the input string against the patterns between
-#               if and endif, if and only if the same input  string
-#               does not match /pattern/. The if..endif can nest.
-# 
-#        blank lines and comments
-#               Empty  lines and whitespace-only lines are ignored,
-#               as are lines whose first  non-whitespace  character
-#               is a `#'.
-# 
-#        multi-line text
-#               A  pattern/action  line  starts with non-whitespace
-#               text. A line that starts with whitespace  continues
-#               a logical line.
-# 
-# TABLE SEARCH ORDER
-#        For  each  line of message input, the patterns are applied
-#        in the order as specified in the table. When a pattern  is
-#        found  that  matches  the  input  line,  the corresponding
-#        action is  executed  and  then  the  next  input  line  is
-#        inspected.
-# 
-# TEXT SUBSTITUTION
-#        Substitution  of  substrings  from  the matched expression
-#        into the action string is possible using the  conventional
-#        Perl  syntax  ($1,  $2,  etc.).   The macros in the result
-#        string may need to be written as  ${n}  or  $(n)  if  they
-#        aren't followed by whitespace.
-# 
-#        Note:  since negated patterns (those preceded by !) return
-#        a result when the expression does not match, substitutions
-#        are not available for negated patterns.
-# 
-# ACTIONS
-#        Action names are case insensitive. They are shown in upper
-#        case for consistency with other Postfix documentation.
-# 
-#        DISCARD optional text...
-#               Claim successful delivery and silently discard  the
-#               message.   Log the optional text if specified, oth-
-#               erwise log a generic message.
-# 
-#               Note:  this  action  disables  further  header   or
-#               body_checks  inspection  of the current message and
-#               affects all recipients.  To discard only one recip-
-#               ient without discarding the entire message, use the
-#               transport(5) table to direct mail to the discard(8)
-#               service.
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        DUNNO  Pretend  that the input line did not match any pat-
-#               tern, and inspect the next input line. This  action
-#               can be used to shorten the table search.
-# 
-#               For  backwards  compatibility reasons, Postfix also
-#               accepts OK but it is (and always has been)  treated
-#               as DUNNO.
-# 
-#               This feature is available in Postfix 2.1 and later.
-# 
-#        FILTER transport:destination
-#               After the message is queued, send the  entire  mes-
-#               sage through the specified external content filter.
-#               The transport name specifies the first field  of  a
-#               mail  delivery  agent  definition in master.cf; the
-#               syntax of the next-hop destination is described  in
-#               the  manual  page  of  the  corresponding  delivery
-#               agent.  More  information  about  external  content
-#               filters is in the Postfix FILTER_README file.
-# 
-#               Note  1: do not use $number regular expression sub-
-#               stitutions for transport or destination unless  you
-#               know that the information has a trusted origin.
-# 
-#               Note  2:  this  action  overrides  the main.cf con-
-#               tent_filter setting, and affects all recipients  of
-#               the  message.  In  the  case  that  multiple FILTER
-#               actions fire, only the last one is executed.
-# 
-#               Note 3: the purpose of the  FILTER  command  is  to
-#               override  message routing.  To override the recipi-
-#               ent's transport but not the  next-hop  destination,
-#               specify  an  empty  filter destination (Postfix 2.7
-#               and later), or specify a transport:destination that
-#               delivers   through  a  different  Postfix  instance
-#               (Postfix 2.6 and earlier). Other options are  using
-#               the  recipient-dependent transport_maps or the sen-
-#               der-dependent   sender_dependent_default_transport-
-#               _maps features.
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        HOLD optional text...
-#               Arrange  for  the  message to be placed on the hold
-#               queue, and inspect the next input line.   The  mes-
-#               sage  remains  on hold until someone either deletes
-#               it or releases it for delivery.  Log  the  optional
-#               text if specified, otherwise log a generic message.
-# 
-#               Mail that is placed on hold can  be  examined  with
-#               the  postcat(1)  command,  and  can be destroyed or
-#               released with the postsuper(1) command.
-# 
-#               Note: use "postsuper -r" to release mail  that  was
-#               kept  on  hold for a significant fraction of $maxi-
-#               mal_queue_lifetime  or  $bounce_queue_lifetime,  or
-#               longer.  Use "postsuper -H" only for mail that will
-#               not expire within a few delivery attempts.
-# 
-#               Note: this action affects  all  recipients  of  the
-#               message.
-# 
-#               This feature is available in Postfix 2.0 and later.
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        IGNORE Delete the current line from the input, and inspect
-#               the next input line.
-# 
-#        INFO optional text...
-#               Log an "info:" record with the optional text... (or
-#               log  a  generic  text),  and inspect the next input
-#               line. This action is useful for routine logging  or
-#               for debugging.
-# 
-#               This feature is available in Postfix 2.8 and later.
-# 
-#        PREPEND text...
-#               Prepend one  line  with  the  specified  text,  and
-#               inspect the next input line.
-# 
-#               Notes:
-# 
-#               o      The  prepended  text is output on a separate
-#                      line,  immediately  before  the  input  that
-#                      triggered the PREPEND action.
-# 
-#               o      The prepended text is not considered part of
-#                      the input  stream:  it  is  not  subject  to
-#                      header/body checks or address rewriting, and
-#                      it does not affect the way that Postfix adds
-#                      missing message headers.
-# 
-#               o      When prepending text before a message header
-#                      line, the prepended text must begin  with  a
-#                      valid message header label.
-# 
-#               o      This action cannot be used to prepend multi-
-#                      line text.
-# 
-#               This feature is available in Postfix 2.1 and later.
-# 
-#               This   feature   is   not   supported   with   mil-
-#               ter_header_checks.
-# 
-#        REDIRECT user@domain
-#               Write a message redirection request  to  the  queue
-#               file,  and  inspect  the next input line. After the
-#               message is queued, it will be sent to the specified
-#               address instead of the intended recipient(s).
-# 
-#               Note:  this action overrides the FILTER action, and
-#               affects all recipients of the message. If  multiple
-#               REDIRECT  actions  fire,  only the last one is exe-
-#               cuted.
-# 
-#               This feature is available in Postfix 2.1 and later.
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        REPLACE text...
-#               Replace the current line with the  specified  text,
-#               and inspect the next input line.
-# 
-#               This feature is available in Postfix 2.2 and later.
-#               The description below applies to Postfix 2.2.2  and
-#               later.
-# 
-#               Notes:
-# 
-#               o      When  replacing  a  message header line, the
-#                      replacement text must  begin  with  a  valid
-#                      header label.
-# 
-#               o      The  replaced text remains part of the input
-#                      stream. Unlike the result from  the  PREPEND
-#                      action,  a  replaced  message  header may be
-#                      subject to address rewriting and may  affect
-#                      the  way  that  Postfix adds missing message
-#                      headers.
-# 
-#        REJECT optional text...
-#               Reject the  entire  message.  Reply  with  optional
-#               text... when the optional text is specified, other-
-#               wise reply with a generic error message.
-# 
-#               Note:  this  action  disables  further  header   or
-#               body_checks  inspection  of the current message and
-#               affects all recipients.
-# 
-#               Postfix version 2.3 and later support enhanced sta-
-#               tus codes.  When no code is specified at the begin-
-#               ning of optional text..., Postfix inserts a default
-#               enhanced status code of "5.7.1".
-# 
-#               This feature is not supported with smtp header/body
-#               checks.
-# 
-#        WARN optional text...
-#               Log a "warning:" record with the  optional  text...
-#               (or log a generic text), and inspect the next input
-#               line. This action is useful for debugging  and  for
-#               testing  a  pattern  before  applying  more drastic
-#               actions.
-# 
-# BUGS
-#        Empty lines never match, because some map types mis-behave
-#        when  given  a zero-length search string.  This limitation
-#        may be removed for regular expression tables in  a  future
-#        release.
-# 
-#        Many  people  overlook  the main limitations of header and
-#        body_checks rules.
-# 
-#        o      These rules operate on one logical  message  header
-#               or one body line at a time. A decision made for one
-#               line is not carried over to the next line.
-# 
-#        o      If text in the message body is encoded  (RFC  2045)
-#               then the rules need to be specified for the encoded
-#               form.
-# 
-#        o      Likewise, when message  headers  are  encoded  (RFC
-#               2047)  then  the rules need to be specified for the
-#               encoded form.
-# 
-#        Message headers added by the cleanup(8) daemon itself  are
-#        excluded from inspection. Examples of such message headers
-#        are From:, To:, Message-ID:, Date:.
-# 
-#        Message headers deleted by the cleanup(8) daemon  will  be
-#        examined before they are deleted. Examples are: Bcc:, Con-
-#        tent-Length:, Return-Path:.
-# 
-# CONFIGURATION PARAMETERS
-#        body_checks
-#               Lookup tables with content filter rules for message
-#               body lines.  These filters see one physical line at
-#               a time, in chunks  of  at  most  $line_length_limit
-#               bytes.
-# 
-#        body_checks_size_limit
-#               The  amount  of  content  per  message body segment
-#               (attachment) that is subjected to $body_checks fil-
-#               tering.
-# 
-#        header_checks
-# 
-#        mime_header_checks (default: $header_checks)
-# 
-#        nested_header_checks (default: $header_checks)
-#               Lookup tables with content filter rules for message
-#               header lines: respectively, these  are  applied  to
-#               the  initial  message  headers  (not including MIME
-#               headers), to the MIME headers anywhere in the  mes-
-#               sage,  and  to the initial headers of attached mes-
-#               sages.
-# 
-#               Note: these filters see one logical message  header
-#               at  a time, even when a message header spans multi-
-#               ple lines. Message headers  that  are  longer  than
-#               $header_size_limit characters are truncated.
-# 
-#        disable_mime_input_processing
-#               While  receiving mail, give no special treatment to
-#               MIME related message headers; all  text  after  the
-#               initial message headers is considered to be part of
-#               the message body. This means that header_checks  is
-#               applied  to  all  the  initial message headers, and
-#               that body_checks is applied to the remainder of the
-#               message.
-# 
-#               Note:  when  used  in this manner, body_checks will
-#               process a multi-line message header one line  at  a
-#               time.
-# 
-# EXAMPLES
-#        Header  pattern  to  block  attachments with bad file name
-#        extensions.  For convenience, the PCRE /x flag  is  speci-
-#        fied,  so  that  there  is no need to collapse the pattern
-#        into  a  single  line  of  text.   The  purpose   of   the
-#        [[:xdigit:]] sub-expressions is to recognize Windows CLSID
-#        strings.
-# 
-#        /etc/postfix/main.cf:
-#            header_checks = pcre:/etc/postfix/header_checks.pcre
-# 
-#        /etc/postfix/header_checks.pcre:
-#            /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
-#              ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
-#              hlp|ht[at]|
-#              inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
-#              \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
-#              ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
-#              vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
-#                REJECT Attachment name "$2" may not end with ".$4"
-# 
-#        Body pattern to stop a specific HTML browser vulnerability
-#        exploit.
-# 
-#        /etc/postfix/main.cf:
-#            body_checks = regexp:/etc/postfix/body_checks
-# 
-#        /etc/postfix/body_checks:
-#            /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
-#                REJECT IFRAME vulnerability exploit
-# 
-# SEE ALSO
-#        cleanup(8), canonicalize and enqueue Postfix message
-#        pcre_table(5), format of PCRE lookup tables
-#        regexp_table(5), format of POSIX regular expression tables
-#        postconf(1), Postfix configuration utility
-#        postmap(1), Postfix lookup table management
-#        postsuper(1), Postfix janitor
-#        postcat(1), show Postfix queue file contents
-#        RFC 2045, base64 and quoted-printable encoding rules
-#        RFC 2047, message header encoding for non-ASCII text
-# 
-# README FILES
-#        Use  "postconf  readme_directory" or "postconf html_direc-
-#        tory" to locate this information.
-#        DATABASE_README, Postfix lookup table overview
-#        CONTENT_INSPECTION_README, Postfix content inspection overview
-#        BUILTIN_FILTER_README, Postfix built-in content inspection
-#        BACKSCATTER_README, blocking returned forged mail
-# 
-# LICENSE
-#        The Secure Mailer license must be  distributed  with  this
-#        software.
-# 
-# AUTHOR(S)
-#        Wietse Venema
-#        IBM T.J. Watson Research
-#        P.O. Box 704
-#        Yorktown Heights, NY 10598, USA
-# 
-#                                                               HEADER_CHECKS(5)
diff --git a/roles/base/files/postfix/main.cf/main.cf.gateway b/roles/base/files/postfix/main.cf/main.cf.gateway
index ed97d93344..294a6e6bd2 100644
--- a/roles/base/files/postfix/main.cf/main.cf.gateway
+++ b/roles/base/files/postfix/main.cf/main.cf.gateway
@@ -561,7 +561,7 @@ recipient_delimiter = +
 #
 # For details, see "man header_checks".
 #
-header_checks = regexp:/etc/postfix/header_checks
+#header_checks = regexp:/etc/postfix/header_checks
 
 # FAST ETRN SERVICE
 #
@@ -745,3 +745,7 @@ smtp_tls_CAfile  = /etc/pki/tls/certs/ca-bundle.crt
 smtpd_milters           = inet:localhost:8891
 milter_default_action   = accept
 inet_protocols = ipv4
+
+# Deny email from some domains
+smtpd_sender_restrictions = regexp:/etc/postfix/sender_access
+
diff --git a/roles/base/tasks/postfix.yml b/roles/base/tasks/postfix.yml
index 6e8162de66..e6c93a98d6 100644
--- a/roles/base/tasks/postfix.yml
+++ b/roles/base/tasks/postfix.yml
@@ -32,7 +32,9 @@
 
 - name: Deploy sender_access file
   copy: src="{{private}}/files/smtpd/sender_access.{{postfix_group}}" dest="/etc/postfix/sender_access"
-  when: postfix_group == "smtp-mm" or postfix_group == "mailman"
+  when: postfix_group == "smtp-mm" or postfix_group == "mailman" or postfix_group == "gateway"
+  notify:
+  - restart postfix
   tags:
   - postfix
   - config
@@ -55,22 +57,6 @@
   - base
   - config
 
-- name: install /etc/postfix/header_checks file
-  copy: src={{ item }} dest=/etc/postfix/header_checks
-  with_first_found:
-    - "postfix/header_checks.{{ inventory_hostname }}"
-    - "postfix/header_checks.{{ host_group }}"
-    - "postfix/header_checks.{{ postfix_group }}"
-    - "postfix/header_checks.{{ datacenter }}"
-    - "postfix/header_checks"
-  notify:
-  - rebuild postfix header_checks
-  - restart postfix
-  tags:
-  - postfix
-  - config
-  - base
-
 - name: create /etc/postfix/tls_policy
   copy: src="postfix/tls_policy" dest=/etc/postfix/tls_policy
   when: inventory_hostname.startswith(('bastion','smtp-mm'))