diff --git a/data/conf/postfix/master.cf b/data/conf/postfix/master.cf
index d4f4b24b..ffd1ac47 100644
--- a/data/conf/postfix/master.cf
+++ b/data/conf/postfix/master.cf
@@ -15,6 +15,7 @@ smtps    inet  n       -       n       -       -       smtpd
   -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
   -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
   -o tls_preempt_cipherlist=yes
+  -o cleanup_service_name=smtp_sender_cleanup
   -o syslog_name=postfix/smtps
   -o smtpd_end_of_data_restrictions=$smtpd_last_auth
 10465    inet  n       -       n       -       -       smtpd
@@ -23,6 +24,7 @@ smtps    inet  n       -       n       -       -       smtpd
   -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
   -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
   -o tls_preempt_cipherlist=yes
+  -o cleanup_service_name=smtp_sender_cleanup
   -o syslog_name=postfix/smtps-haproxy
   -o smtpd_end_of_data_restrictions=$smtpd_last_auth
 
@@ -34,6 +36,7 @@ submission inet n       -       n       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
   -o tls_preempt_cipherlist=yes
+  -o cleanup_service_name=smtp_sender_cleanup
   -o syslog_name=postfix/submission
   -o smtpd_end_of_data_restrictions=$smtpd_last_auth
 10587      inet n       -       n       -       -       smtpd
@@ -43,6 +46,7 @@ submission inet n       -       n       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
   -o tls_preempt_cipherlist=yes
+  -o cleanup_service_name=smtp_sender_cleanup
   -o syslog_name=postfix/submission-haproxy
   -o smtpd_end_of_data_restrictions=$smtpd_last_auth
 
@@ -52,6 +56,7 @@ submission inet n       -       n       -       -       smtpd
   -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
   -o smtpd_tls_auth_only=no
   -o smtpd_sender_restrictions=check_sasl_access,regexp:/opt/postfix/conf/allow_mailcow_local.regexp,reject_authenticated_sender_login_mismatch,permit_mynetworks,permit_sasl_authenticated,reject_unlisted_sender,reject_unknown_sender_domain
+  -o cleanup_service_name=smtp_sender_cleanup
   -o syslog_name=postfix/sogo
   -o smtpd_end_of_data_restrictions=$smtpd_last_auth
 
@@ -70,6 +75,7 @@ smtp_enforced_tls      unix  -       -       n       -       -       smtp
   -o smtp_tls_security_level=encrypt
   -o syslog_name=enforced-tls-smtp
   -o smtp_delivery_status_filter=pcre:/opt/postfix/conf/smtp_dsn_filter
+
 # smtp connector used, when a transport map matched
 # this helps to have different sasl maps than we have with sender dependent transport maps
 smtp_via_transport_maps      unix  -       -       n       -       -       smtp
@@ -103,6 +109,10 @@ scache     unix  -       -       n       -       1       scache
 maildrop   unix  -       n       n       -       -       pipe flags=DRhu
     user=vmail argv=/usr/bin/maildrop -d ${recipient}
 
+# used to anonymize sender IP
+smtp_sender_cleanup unix n - y - 0 cleanup
+  -o header_checks=$smtp_header_checks
+
 # start whitelist_fwd
 127.0.0.1:10027 inet n n n - 0 spawn user=nobody argv=/usr/local/bin/whitelist_forwardinghosts.sh
 127.0.0.1:10028 inet n n n - 0 spawn user=nobody argv=/usr/local/bin/smtpd_last_login.sh
@@ -132,5 +142,4 @@ watchdog_rewrite    unix  -       -       n       -       -       trivial-rewrit
 watchdog_discard    unix  -       -       n       -       -       discard
    -o syslog_facility=local7
    -o syslog_name=watchdog
-
 # end watchdog-specific