The FreeBSD Diary

The FreeBSD Diary (TM)

Providing practical examples since 1998
[ HOME | TOPICS | INDEX | WEB RESOURCES | BOOKS | CONTRIBUTE | SEARCH | FEEDBACK | FAQ | FORUMS ]
Obscuring smtp auth headers 2 December 2008
Need more help on this topic? Click here
This article has no comments
Show me similar articles

Privacy is sometimes of concern to mail users. You may be making use of a mail server from a remote location. MTA (Mail Transport Agents), such as Postfix, is often referred as as the outgoing mail server. MTAs include information regarding where you sent this email from. This is standard procedure. Some people prefer not to include such information in their outgoing email. Fortunately, there is an easy way to do this.

I started down this road after reading a thread in the Postfix Users mailing list concerning this issue. I particularly liked the post by Sahil Tandon which point at postfix-anon. The concept is pretty simple: find the header and replace it. That part is pretty simple. What I found hard was customizing and testing the solution.

The issue
The issue can be illustrated by the following header extracted from a recent point I made to the Bacula users mailing list. Some minor details have been changed, but nothing you could not reconstruct if you really wanted to. 
Received: from sfi-mx-2.v28.ch3.sourceforge.com ([172.29.28.122]
	helo=mx.sourceforge.net)
	by 335xhf1.ch3.sourceforge.com with esmtp (Exim 4.69)
	(envelope-from <dan&example.org>) id 1L6TEt-0004c2-3M
	for bacula-users@lists.sourceforge.net; Sat, 29 Nov 2008 17:04:15 +0000
X-ACL-Warn: 
Received: from nyi.example.org ([64.147.113.42])
	by 72vjzd1.ch3.sourceforge.com with esmtp (Exim 4.69)
	id 1L6TEo-0002j5-PZ
	for bacula-users@lists.sourceforge.net; Sat, 29 Nov 2008 17:04:15 +0000
Received: from localhost (localhost [127.0.0.1])
	by nyi.example.org (Postfix) with ESMTP id 3FF2E508D3;
	Sat, 29 Nov 2008 17:04:10 +0000 (GMT)
X-Virus-Scanned: amavisd-new at example.org
Received: from nyi.example.org ([127.0.0.1])
	by localhost (nyi.example.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id V5XyfbslZ92O; Sat, 29 Nov 2008 17:04:08 +0000 (GMT)
Received: from laptop.example.org (c-10.123.45.67.bigcompany.example.net [10.123.45.67])
	by nyi.example.org (Postfix) with ESMTPSA id 3A9B3508C3;
	Sat, 29 Nov 2008 17:04:08 +0000 (GMT)

Armed with this information, you can see what I was at a given IP address at a given time. This might not be what you want everyone to know.

The solution
The solution takes advantage of knowing which Received: headers needs to be altered. That is the one first into your server. This means we need to customize the solution to the name of your mail server. I'm also going to turn on smtpd_sasl_authenticated_header. This directive adds the following to your headers: 
(Authenticated sender: YOUR_NAME_HERE)

You can enable this directive with this line in main.cf (or master.cf if your daemon is defined there): 

smtpd_sasl_authenticated_header=yes

I also added this directive to main.cf: 

header_checks = pcre:/usr/local/etc/postfix/obscure_smtp_auth

The file named above contains the following, all on one line:

/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: ([^)]+)\)(.*)(by nyi\.example\.org) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ REPLACE Received: from smtp-auth.example.org (smtp-auth.example.org [10.4.7.7])$2(Authenticated sender: hidden)$4$5 ($6) with $7 id $8 $9

NOTE: the above expression must all be on one line within the file.

In the next section I will show you how I tested this.

Testing

I found the easiest way to test this solution was from the command line. I placed the above expression in one file, and the mail headers in another file. Then I ran this command: 

cat msg | postmap -q - pcre:obscure_smtp_auth

Where the file msg contains the headers. 

Return-Path: <dan&example.org>
X-Original-To: dan&localhost.example.org
Delivered-To: dan&localhost.example.org
Received: from localhost (localhost [127.0.0.1])
        by nyi.example.org (Postfix) with ESMTP id CAEED5092B
        for <dan&localhost.example.org>; Sun, 30 Nov 2008 18:26:27 +0000 (GMT)
X-Virus-Scanned: amavisd-new at example.org
Received: from nyi.example.org ([127.0.0.1])
        by localhost (nyi.example.org [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id lbf0iH03joEZ for <dan&localhost.example.org>;
        Sun, 30 Nov 2008 18:26:27 +0000 (GMT)
Received: from laptop.example.org (c-10.123.45.67.bigcompany.example.net [10.123.45.67])
	(Authenticated sender: dan)
	by nyi.example.org (Postfix) with ESMTPSA id 36F83508B4
	for <dan&example.org>; Sun, 30 Nov 2008 18:26:27 +0000 (GMT)
Message-ID: <4932DA89.4030604&example.org>
Date: Sun, 30 Nov 2008 13:25:13 -0500
From: Dan Langille <dan&example.org>
Organization: The FreeBSD Diary
User-Agent: Thunderbird 2.0.0.18 (X11/20081124)
MIME-Version: 1.0
To: dan&example.org
Subject: testing
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

NOTE: when running the test, I had to collapse the relevant Received: header into one line, so it looked like this:

Received: from laptop.example.org (c-10.123.45.67.bigcompany.example.net [10.123.45.67]) (Authenticated sender: dan) by nyi.example.org (Postfix) with ESMTPSA id 36F83508B4 for <dan&example.org>; Sun, 30 Nov 2008 18:26:27 +0000 (GMT)

Postfix does this [logically] when applying the regex, so there's no sense trying to get all fancy with the testing.

When running the test, the output looked like this:

$ cat msg | postmap -q - pcre:obscure_smtp_auth
Received: from laptop.example.org (c-10.123.45.67.bigcompany.example.net [10.123.45.67]) (Authenticated sender: dan) by nyi.example.org (Postfix) with ESMTPSA id 36F83508B4 for <dan&example.org>; Sun, 30 Nov 2008 18:26:27 +0000 (GMT) REPLACE Received: from smtp-auth.example.org (smtp-auth.example.org [10.4.7.7]) (Authenticated sender: hidden) by nyi.example.org (Postfix) with ESMTPSA id 36F83508B4 for <dan&example.org>; Sun, 30 Nov 2008 18:26:27 +0000 (GMT)

Please note: I have copied and pasted from various sources when writing this up. Message IDs, IP addresses, etc, may not be consistent.

When viewed as part of an email, it resembles this: 

Received: from nyi.example.org ([127.0.0.1])
	by localhost (nyi.example.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id vgaz2Db58gXj for <pat&example.net>;
	Mon,  1 Dec 2008 04:10:40 +0000 (GMT)
Received: from smtp-auth.example.org (smtp-auth.example.org [10.4.7.7])
	(Authenticated sender: hidden)
	by nyi.example.org (Postfix) with ESMTPSA id A96EE5082E    
	for <pat&example.net>; Mon,  1 Dec 2008 04:10:40 +0000 (GMT)

You will note the following:

  • The message originated with smtp-auth.example.org at 10.4.7.7
  • The Authenticated sender field is no longer displayed

Note that the mail log file will contain something like this:

Dec 1 04:10:40 nyi postfix/cleanup[78496]: A96EE5082E: replace: header Received: from laptop.example.org (bast.example.org [10.123.45.67])??(Authenticated sender: me)??by nyi.example.org (Postfix) with ESMTPSA id A96EE5082E??for <pat&example.net>; Mon, 1 Dec 2 from bast.example.org[72.94.192.80]; from=<dand&example.org> to=<pat&example.net> proto=ESMTP helo=<laptop.example.org>: Received: from smtp-auth.example.org (smtp-auth.example.org [10.4.7.7])??(Authenticated sender: hidden)??by nyi.example.org (Postfix) with ESMTPSA id A96EE5082E ??for <pat&example.net>; Mon, 1 Dec 2008 04:10:40 +0000 (GMT)

The original mail header has been logged, as well as the transformation.

Enjoy

I didn't really have a serious reason for implementing this. I saw it. It was a rainy Sunday afternoon. Enjoy


Need more help on this topic? Click here
This article has no comments
Show me similar articles
Servers and bandwidth provided by New York Internet and SuperNews Valid HTML, CSS , and RSS.
Copyright © 1997-2008 DVL Software Ltd.
All rights reserved.