current postfix and some related config (partly managed by ISPconfig)
# this is most of my /etc/postfix/main.cf file:
# note: main.cf is read top to bottom and the LAST assignment of a parameter
# wins (mailbox_size_limit appears twice below, both times set to 0)
inet_protocols = all
inet_interfaces = all
# "+" address extensions: user+tag@domain is delivered to user@domain
recipient_delimiter = +
# NOTE(review): the Postfix docs say the banner text MUST start with
# $myhostname (the SMTP greeting has to name the server); "Blah" does not
smtpd_banner = Blah ESMTP
# local recipient for mail addressed to the null sender address <>
empty_address_recipient = admin
# process / concurrency sizing
default_process_limit = 64
default_recipient_limit = 10000
default_minimum_delivery_slots = 4
# anvil(8) client limits: the per-client counts below are measured over 60s
# windows; by default clients in $mynetworks are exempt from these limits
anvil_rate_time_unit = 60s
smtpd_client_connection_count_limit = 40
smtpd_client_connection_rate_limit = 200
smtpd_client_message_rate_limit = 100
anvil_status_update_time = 1800s
# clients must send HELO/EHLO, which the smtpd_helo_restrictions below rely on
smtpd_helo_required = yes
smtp_helo_timeout = 69s
smtp_connect_timeout = 69s
smtp_destination_concurrency_limit = 18
smtp_destination_recipient_limit = 24
smtpd_recipient_limit = 80
smtpd_recipient_overshoot_limit = 120
local_destination_concurrency_limit = 8
# only the first 100 KiB of body / header are matched against the *_checks
# tables further down
body_checks_size_limit = 102400
header_size_limit = 102400
mailbox_size_limit = 0
queue_minfree = 122880000
qmgr_message_active_limit = 12000
bounce_size_limit = 150000
#in_flow_delay = 1s
# retry timing for temporarily failed (deferred) mail, tuned to requeue as
# fast as possible:
queue_run_delay = 242s
minimal_backoff_time = 241s
maximal_backoff_time = 3601s
maximal_queue_lifetime = 14d
biff = no
# evaluate all smtpd_*_restrictions at RCPT TO, so every rejection is logged
# with full client / helo / sender / recipient context
smtpd_delay_reject = yes
# tarpitting stupid spammers
smtpd_error_sleep_time = 2s
smtpd_soft_error_limit = 8
smtpd_hard_error_limit = 16
smtpd_junk_command_limit = 4
# VRFY would let remote clients enumerate valid mailboxes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
# permanent (5xx) reply codes for the reject_* checks used below
invalid_hostname_reject_code = 554
non_fqdn_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
# DNSBL hits are DEFERRED (4xx) rather than rejected: a legitimate sender
# listed by mistake keeps retrying instead of bouncing
maps_rbl_reject_code = 451
# appending .domain is the MUA's job.
append_dot_mydomain = no
# send the sender a "delayed mail" warning once a message has been queued
# for 1h
delay_warning_time = 1h
readme_directory = /usr/share/doc/postfix
# TLS parameters
# "some host.org" is the author's placeholder for the real hostname
# (see myhostname below)
smtpd_tls_cert_file = /etc/letsencrypt/live/some host.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/some host.org/privkey.pem
# smtpd_use_tls is the obsolete form of smtpd_tls_security_level (set below);
# harmless, but redundant
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# opportunistic TLS in both directions: encrypted when the peer offers it,
# plaintext otherwise; no certificate verification for outbound mail
smtpd_tls_security_level = may
smtp_tls_security_level = may
#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# NOTE(review): these lists only exclude SSLv2/SSLv3, so TLS 1.0 and 1.1
# are still offered; with security_level = may that is a reachability
# trade-off, but worth re-checking against current guidance
smtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
#smtpd_tls_mandatory_ciphers=low
#tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
# level 1 logs a one-line summary per TLS handshake (peer, protocol, cipher)
smtpd_tls_loglevel=1
smtp_tls_loglevel=1
smtp_tls_note_starttls_offer=yes
# if you have authentication enabled, only offer it after STARTTLS
# (keeps SASL credentials from being sent in plaintext)
smtpd_tls_auth_only = yes
# disable TLS compression (compression-based side channels such as CRIME)
tls_ssl_options = NO_COMPRESSION
# SASL settings
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
# Dovecot auth socket; a relative path is taken relative to the Postfix
# queue directory — confirm it matches the dovecot listener
smtpd_sasl_path = private/auth
# records the authenticated login name in the Received: header of submitted
# mail — note this exposes the account name to every recipient
smtpd_sasl_authenticated_header = yes
#broken_sasl_auth_clients = yes
myhostname = some host.org
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = localhost, localhost.localdomain
# empty relayhost: outbound mail is delivered directly via MX lookup
relayhost =
# hosts listed here may relay through permit_mynetworks in the restriction
# lists below (and are exempt from the anvil limits by default), so keep the
# x.x.x.0/24 entry as narrow as possible; x.x.x.x is a placeholder
mynetworks = 127.0.0.0/8 [::1]/128 x.x.x.x x.x.x.0/24
# duplicate of the earlier mailbox_size_limit = 0 (same value, harmless)
mailbox_size_limit = 0
# 0 = no limit on message size
message_size_limit = 0
html_directory = /usr/share/doc/postfix/html
virtual_transport = dovecot
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
# restriction class for greylisting; presumably returned by the
# mysql-virtual_policy_greylist.cf lookup in smtpd_recipient_restrictions
# (not visible here, verify)
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
# relay policy: only mynetworks and SASL-authenticated clients may relay to
# non-local destinations; everyone else is deferred (4xx, not 5xx)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
# inbound recipient policy: reject_unauth_destination precedes the per-recipient
# tables and the DNSBL lookups (DNSBL hits reply with maps_rbl_reject_code 451)
# NOTE(review): verify each DNSBL zone is still operational; a zone that has
# gone dead or answers for everything can defer all inbound mail
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, reject_rbl_client spameatingmonkey.net, reject_rbl_client badconf.rhsbl.sorbs.net, reject_rbl_client truncate.gbudb.net, reject_rbl_client all.spam-rbl.fr, reject_rbl_client dnsbl.inps.de
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
# maps SASL login names to the envelope senders they may use; only enforced
# by reject_*sender_login_mismatch, which none of the lists shown here contain
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
# tables the proxymap(8) server may open on behalf of smtpd(8) etc.; every
# proxy:mysql: table above must be covered by one of these parameters
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
# HELO checks; evaluated at RCPT TO because of smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
# tag_as_originating.re runs before, tag_as_foreign.re after the permit_*
# entries — looks like content-filter tagging of originating vs. incoming
# mail; confirm against the .re tables
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
# per-transport delivery limits
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
dovecot_destination_recipient_limit = 1
default_destination_concurrency_limit = 4
relay_destination_concurrency_limit = 1
# header / body tables run in cleanup(8) for every message, inbound and
# outbound alike, unless a master.cf entry overrides receive_override_options
header_checks = regexp:/etc/postfix/header_checks
# smtp_header_checks only applies to outbound mail in the smtp(8) client
smtp_header_checks = regexp:/etc/postfix/headers_out
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
# hand every message to amavis on 10024; no_address_mappings postpones
# canonical / virtual alias rewriting until amavis re-injects the mail, so
# it is applied once rather than twice
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
# Gmail IPv6 retry:
smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter

jult commented Apr 8, 2017

My /etc/postfix/header_checks:

# Postfix regexp table: a matching header line is silently dropped (IGNORE).
# Patterns are case-insensitive by default and are applied to one logical
# header line at a time (folded continuation lines are joined first).
# hide the internal hostname from the Received: trail of outgoing mail
/^Received: from mail.*somehost_you_want_to_hide/   IGNORE
/^Received:.*localhost.*somehost/ IGNORE
# drop the loopback hop (e.g. the content-filter re-injection leg)
/^Received:.*127\.0\.0\.1/ IGNORE
# any header line that mentions amavisd-new (typically X-Virus-Scanned)
/^.*amavisd-new/ IGNORE
# strip the spam score headers. NOTE(review): header_checks also runs in
# cleanup(8) for inbound mail, so this removes headers that recipient-side
# filters may rely on — confirm that is intended
/^X-Spam-Level:/ IGNORE
/^X-Spam-Status:/ IGNORE


jult commented Apr 8, 2017

in /etc/postfix/main.cf:

# To: header inserted when a message carries no visible recipient header
undisclosed_recipients_header = To: (Probably SPAM or SCAM) undisclosed-recipients:;
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
# note: the full main.cf listing above sets body_checks_size_limit = 102400;
# if both appear in main.cf, the later assignment wins
body_checks_size_limit = 4096

then do:

# postfix reload


jult commented Apr 9, 2017

If Postfix does not seem to apply the header changes, check whether receive_override_options = no_header_body_checks is set in either /etc/postfix/master.cf or /etc/postfix/main.cf,
and remove the no_header_body_checks part.

@suyog1pathak

Can I get a configuration that appends the string "NOTICE: bla bla" to all emails relayed through my Postfix?
