How to remove client sender IP from postfix

There are different ways to implement this. I use the approach from an answer on Server Fault.

First, I have to install postfix-pcre on my Debian/Ubuntu system,

sudo apt install postfix-pcre

Then, I defined a cleanup service in master.cf,

ascleanup   unix  n       -       y       -       0       cleanup
  -o header_checks=pcre:/etc/postfix/header_checks_submission

Let’s update submission and smtps in master.cf to use this cleanup service,

submission inet n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o cleanup_service_name=ascleanup

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o cleanup_service_name=ascleanup

pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
ascleanup   unix  n       -       y       -       0       cleanup
  -o header_checks=pcre:/etc/postfix/header_checks_submission

As shown above, the ‘-o cleanup_service_name=ascleanup’ option was added to both the submission and smtps services.

Finally, here is the content of /etc/postfix/header_checks_submission,

/^Received: .*/ IGNORE

Now restart Postfix and the new configuration should take effect. When you send a message from a client via smtps/submission, you will see that the client’s IP is no longer present in the headers.
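To see what the header_checks rule above does to a submitted message, here is an added Python example (not from the Server Fault answer and not Postfix code) that mimics how cleanup(8) applies a pcre: header_checks table. The message, hostnames and client IP are constructed sample values; the message is shown as it looks after the submission server has added its own Received: header.

```python
import re

# Constructed sample: a message as it looks after the submission smtpd has
# added its own Received: header, which carries the client's hostname and IP.
SUBMITTED_MESSAGE = (
    "Received: from laptop.home (cable-203-0-113-42.example.net [203.0.113.42])\r\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 4AB12CD34EF\r\n"
    "\tfor <bob@example.com>; Mon, 01 Jan 2024 10:00:00 +0000 (UTC)\r\n"
    "From: alice@example.org\r\nTo: bob@example.com\r\n"
    "Subject: hello\r\nMessage-ID: <1@example.org>\r\n\r\nbody text\r\n"
)

# The rule from /etc/postfix/header_checks_submission as (pattern, action).
# pcre: tables match case-insensitively by default and see each logical header
# (first line plus folded continuation lines) as one string; first match wins.
# Only the IGNORE action is modelled here.
HEADER_CHECKS = [(re.compile(r"^Received: .*", re.IGNORECASE), "IGNORE")]

def split_headers(raw):
    """Split a raw message into logical header lines and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    logical = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += "\r\n" + line  # folded continuation line
        else:
            logical.append(line)
    return logical, body

def apply_header_checks(raw, rules=HEADER_CHECKS):
    """Return (cleaned message, [(action, header name), ...]) as cleanup(8) would."""
    headers, body = split_headers(raw)
    kept, hits = [], []
    for header in headers:
        for pattern, action in rules:
            if pattern.search(header):
                hits.append((action, header.split(":", 1)[0]))
                break
        else:
            kept.append(header)
    return "\r\n".join(kept) + "\r\n\r\n" + body, hits

def leaks_client_ip(raw, client_ip="203.0.113.42"):
    """Post-check: does any surviving header still carry the client's address?"""
    headers, _ = split_headers(raw)
    return any(client_ip in header for header in headers)
```

Note that the rule strips every Received: header in the submitted message, including any that a forwarding client put there, so keep the Postfix log (syslog_name=postfix/submission) as the place where the origin of a submission can still be traced.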

A meaningful email domain is better than a generic domain

When selecting an email domain, a meaningful name carries more weight than a generic one. Take aol.com, for instance, which stands for America Online – it’s a solid choice for email addresses because it’s easy to remember. In contrast, web.com falls short. While it might look good on paper, its meaning is too broad and lacks specific value.

Let’s compare gmail.com and mail.com. Gmail, representing Google Mail, has become the internet’s top brand. Mail.com, a product of 1&1, has an excellent domain name but lacks distinct brand value.

Two other notable products from 1&1 are GMX and web.de. GMX is widely recognized in Europe (and has a global presence), standing for Global Mail eXchange. Web.de, however, lacks unique brand appeal and is primarily used within Germany, making it less renowned than GMX.

Yandex, a Russian search engine company, has a well-known email service with users worldwide. Generally, those who trust Yandex’s search engine also favor its email offering. In contrast, mail.ru, another Russian email provider, is mostly recognized only within Russia.

Inbox.com, a generic domain name belonging to an American email company, has a long history but hasn’t managed to make significant market inroads. Its lack of a distinctive meaning contributes to its lukewarm reception. On the flip side, inbox.lv, a Latvian email company, has gained considerable fame in Europe. Its other products include mail.ee and inbox.eu. In this case, the “lv” suffix, representing Latvia, arguably carries more weight than a generic “.com”.

How to reject a sender domain in postfix

Although Postfix is the most widely used MTA software on the internet, it is hard to find every detail needed to set it up correctly. For example, how do you reject a sender domain in Postfix? It took me quite some time reading the documentation to find the answer.

If the rejected domains list is short, it can go in main.cf:

smtpd_sender_restrictions = inline:{
  { example.com = reject }
  { other.example = reject} }

Otherwise, an external file will do it, as follows.

/etc/postfix/main.cf:

smtpd_sender_restrictions = hash:/etc/postfix/sender-access

/etc/postfix/sender-access:

example.com reject
other.example reject

Run “postmap /etc/postfix/sender-access” after editing the file.
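The access(5) lookup order decides which senders the table above actually rejects. The following added Python example (not Postfix code) reproduces that order for the sender-access entries; the table is constructed and also contains a full-address entry and a dot-prefixed entry so that both matching styles can be compared.

```python
# Constructed copy of /etc/postfix/sender-access after "postmap": pattern -> action.
SENDER_ACCESS = {
    "example.com": "reject",
    "other.example": "reject",
    "noreply@partner.example": "reject",  # full-address entry, for contrast
    ".legacy.example": "reject",          # dot-prefix form: subdomains only, and only
}                                         # when smtpd_access_maps is NOT in
                                          # parent_domain_matches_subdomains

def sender_access_lookup(sender, table=SENDER_ACCESS, parent_matches_subdomains=True):
    """Return the access(5) action for an envelope sender, or None if nothing matches.

    Lookup order follows access(5): the full address, then the domain and each
    parent domain down to the top-level label, then the bare "user@" local part.
    parent_matches_subdomains mirrors whether smtpd_access_maps is listed in
    parent_domain_matches_subdomains (it is, in the Postfix default).
    """
    sender = sender.lower()
    if "@" not in sender:
        return None
    local, domain = sender.rsplit("@", 1)
    candidates = [sender, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        candidates.append(parent if parent_matches_subdomains else "." + parent)
    candidates.append(local + "@")
    for key in candidates:
        if key in table:
            return table[key]
    return None
```

With the Postfix default, "example.com reject" also rejects senders at every subdomain of example.com; if you only want the exact domain, remove smtpd_access_maps from parent_domain_matches_subdomains and use the ".domain" form for subdomains explicitly.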

If you have rspamd or SpamAssassin installed alongside Postfix, it is easier to manage rejected domains there.

email addresses with nice domains

Here is the list I gathered. These email providers are still active on the internet. They have a simple domain, like mail.xx or inbox.xx, which is easy to remember. Hope you like it.

How to setup SMTP-DANE and MTA-STS

The answer was provided by Alexander on the postfix mailing list.

SMTP-DANE

Outgoing:
# validate DANE
smtp_dns_support_level = dnssec
# or dane-only (https://www.postfix.org/TLS_README.html); kept on its own line
# because main.cf does not support trailing comments after a value
smtp_tls_security_level = dane

Incoming:
 – set up DNSSEC for your domain (out of scope here on the postfix list)
 – publish TLSA records
e.g. https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-dane-in-postfix (not everything there is endorsed by several people on this list, especially not the TLS settings in part IV (interoperability vs. “do you really know what you are doing”), what you have to do depends on what you need to protect against (or which checkboxes you have to tick in a report), I provide this link as it gives a good overview about what is involved, not about the particular settings (e.g. you may want to skip large parts of part IV), you may want to use letsencrypt or similar instead of a self-signed cert, you may want to use the PKI cert in the TLSA record (or not), …).

MTA-STS

Incoming (out of scope for the postfix list):
 – setup of a web server which serves the MTA-STS file
 – DNS records
e.g. https://www.digitalocean.com/community/tutorials/how-to-configure-mta-sts-and-tls-reporting-for-your-domain-using-apache-on-ubuntu-18-04 (info: there exist online services and local tools to investigate TLSA reports)

Outgoing:
Postfix doesn’t come with support for this out of the box. There is https://github.com/Snawoot/postfix-mta-sts-resolver but it has drawbacks (pointed out in the documentation).
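As an added example (not from Alexander’s message and not code from the postfix-mta-sts-resolver project), here is the core of what an outgoing MTA-STS check has to do once it has fetched the policy over HTTPS: validate the policy file per RFC 8461 and decide whether a given MX host is covered. The policy text is constructed; fetching, caching and the DNS TXT lookup are not shown.

```python
import re

# Constructed policy, as served at https://mta-sts.example.org/.well-known/mta-sts.txt
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.org\r\n"
    "mx: *.backup.example.org\r\n"
    "max_age: 604800\r\n"
)

def parse_mta_sts_policy(text):
    """Parse and validate an RFC 8461 policy file; raise ValueError if it is unusable."""
    policy = {"mx": []}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in policy:
            raise ValueError(f"duplicate field: {key}")
        else:
            policy[key] = value  # unknown keys are kept but ignored, as the RFC allows
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not re.fullmatch(r"[0-9]+", policy.get("max_age", "")):
        raise ValueError("max_age must be a non-negative integer")
    policy["max_age"] = min(int(policy["max_age"]), 31557600)  # clamp to RFC maximum
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("an enforce/testing policy needs at least one mx line")
    return policy

def mx_allowed(mx_host, policy):
    """Is this MX hostname permitted by the policy?  A leading '*' covers one label."""
    host = mx_host.rstrip(".").lower()
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.org"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False
```

In enforce mode, an MX returned by DNS that mx_allowed() rejects, or whose certificate does not verify for that hostname, must not be used for delivery; in testing mode delivery proceeds and the failure is only reported.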