The FreeBSD Diary (TM)
Providing practical examples since 1998
Obscuring smtp auth headers
2 December 2008
Privacy is sometimes of concern to mail users. You may be making use of a mail server from a remote location. An MTA (Mail Transport Agent), such as Postfix, is often referred to as the outgoing mail server. MTAs include information regarding where you sent the email from. This is standard procedure. Some people prefer not to include such information in their outgoing email. Fortunately, there is an easy way to do this.

I started down this road after reading a thread in the Postfix Users mailing list concerning this issue. I particularly liked the post by Sahil Tandon which pointed at postfix-anon. The concept is pretty simple: find the header and replace it. What I found hard was customizing and testing the solution.
The issue
The issue can be illustrated by the following headers extracted from a recent post I made to the Bacula users mailing list. Some minor details have been changed, but nothing you could not reconstruct if you really wanted to.

    Received: from sfi-mx-2.v28.ch3.sourceforge.com ([172.29.28.122] helo=mx.sourceforge.net)
        by 335xhf1.ch3.sourceforge.com with esmtp (Exim 4.69)
        (envelope-from <dan&example.org>) id 1L6TEt-0004c2-3M
        for bacula-users@lists.sourceforge.net; Sat, 29 Nov 2008 17:04:15 +0000
    X-ACL-Warn:
    Received: from nyi.example.org ([64.147.113.42])
        by 72vjzd1.ch3.sourceforge.com with esmtp (Exim 4.69) id 1L6TEo-0002j5-PZ
        for bacula-users@lists.sourceforge.net; Sat, 29 Nov 2008 17:04:15 +0000
    Received: from localhost (localhost [127.0.0.1])
        by nyi.example.org (Postfix) with ESMTP id 3FF2E508D3;
        Sat, 29 Nov 2008 17:04:10 +0000 (GMT)
    X-Virus-Scanned: amavisd-new at example.org
    Received: from nyi.example.org ([127.0.0.1])
        by localhost (nyi.example.org [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id V5XyfbslZ92O; Sat, 29 Nov 2008 17:04:08 +0000 (GMT)
    Received: from laptop.example.org (c-10.123.45.67.bigcompany.example.net [10.123.45.67])
        by nyi.example.org (Postfix) with ESMTPSA id 3A9B3508C3;
        Sat, 29 Nov 2008 17:04:08 +0000 (GMT)

Armed with this information, you can see that I was at a given IP address at a given time. This might not be what you want everyone to know.
The solution
The solution takes advantage of knowing which Received: header needs to be altered. That is the one recording the message's first entry into your server. This means we need to customize the solution to the name of your mail server. I'm also going to turn on smtpd_sasl_authenticated_header. This directive adds the following to your headers:

    (Authenticated sender: YOUR_NAME_HERE)

You can enable this directive with this line in main.cf (or master.cf if your daemon is defined there):

    smtpd_sasl_authenticated_header=yes

I also added this directive to main.cf:

    header_checks = pcre:/usr/local/etc/postfix/obscure_smtp_auth

The file named above contains the following, all on one line:
NOTE: the above expression must all be on one line within the file.

In the next section I will show you how I tested this.
Testing
I found the easiest way to test this solution was from the command line. I placed the above expression in one file, and the mail headers in another file. Then I ran this command:

    cat msg | postmap -q - pcre:obscure_smtp_auth

Where the file msg contains the headers.

    Return-Path: <dan&example.org>
    X-Original-To: dan&localhost.example.org
    Delivered-To: dan&localhost.example.org
    Received: from localhost (localhost [127.0.0.1])
        by nyi.example.org (Postfix) with ESMTP id CAEED5092B
        for <dan&localhost.example.org>; Sun, 30 Nov 2008 18:26:27 +0000 (GMT)
    X-Virus-Scanned: amavisd-new at example.org
    Received: from nyi.example.org ([127.0.0.1])
        by localhost (nyi.example.org [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id lbf0iH03joEZ for <dan&localhost.example.org>;
        Sun, 30 Nov 2008 18:26:27 +0000 (GMT)
    Received: from laptop.example.org (c-10.123.45.67.bigcompany.example.net [10.123.45.67])
        (Authenticated sender: dan)
        by nyi.example.org (Postfix) with ESMTPSA id 36F83508B4
        for <dan&example.org>; Sun, 30 Nov 2008 18:26:27 +0000 (GMT)
    Message-ID: <4932DA89.4030604&example.org>
    Date: Sun, 30 Nov 2008 13:25:13 -0500
    From: Dan Langille <dan&example.org>
    Organization: The FreeBSD Diary
    User-Agent: Thunderbird 2.0.0.18 (X11/20081124)
    MIME-Version: 1.0
    To: dan&example.org
    Subject: testing
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit

NOTE: when running the test, I had to collapse the relevant Received: header into one line, so it looked like this:
Postfix does this [logically] when applying the regex, so there's no sense trying to get all fancy with the testing. When running the test, the output looked like this:
Please note: I have copied and pasted from various sources when writing this up. Message IDs, IP addresses, etc., may not be consistent.

When viewed as part of an email, it resembles this:

    Received: from nyi.example.org ([127.0.0.1])
        by localhost (nyi.example.org [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id vgaz2Db58gXj for <pat&example.net>;
        Mon, 1 Dec 2008 04:10:40 +0000 (GMT)
    Received: from smtp-auth.example.org (smtp-auth.example.org [10.4.7.7])
        (Authenticated sender: hidden)
        by nyi.example.org (Postfix) with ESMTPSA id A96EE5082E
        for <pat&example.net>; Mon, 1 Dec 2008 04:10:40 +0000 (GMT)

You will note the following:
Note that the mail log file will contain something like this:
The original mail header has been logged, as well as the transformation.
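The collapse-then-rewrite step tested above can be reproduced offline. This is an added example, not the author's code and not the expression from obscure_smtp_auth (which is not reproduced on this page): the pattern, the helper names unfold and obscure, and the sample headers are assumptions constructed for illustration, while the replacement text follows the rewritten header shown above.

```python
import re

MAIL_SERVER = "nyi.example.org"  # the article's example server name

# Assumed pattern, written for this example: match only the Received: header
# that MAIL_SERVER itself added for an authenticated submission.
PATTERN = re.compile(
    r"^Received: from \S+ \(\S+ \[[^\]]+\]\)\s+"
    r"\(Authenticated sender: [^)]+\)\s+"
    r"(by " + re.escape(MAIL_SERVER) + r" \(Postfix\) with E?SMTPS?A .*)$",
    re.IGNORECASE | re.DOTALL,
)
# Replacement values taken from the rewritten header shown in the article.
REPLACEMENT = (
    "Received: from smtp-auth.example.org (smtp-auth.example.org [10.4.7.7]) "
    r"(Authenticated sender: hidden) \1"
)

# Constructed sample headers; the second one was added by a different
# server and must be left untouched.
SAMPLE = (
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby nyi.example.org (Postfix) with ESMTP id CAEED5092B;\n"
    "\tSun, 30 Nov 2008 18:26:27 +0000 (GMT)\n"
    "Received: from host.example.net (host.example.net [192.0.2.9])\n"
    "\t(Authenticated sender: pat)\n"
    "\tby other.example.net (Postfix) with ESMTPSA id 1234567890;\n"
    "\tSun, 30 Nov 2008 18:26:27 +0000 (GMT)\n"
    "Received: from laptop.example.org (c-10.123.45.67.bigcompany.example.net [10.123.45.67])\n"
    "\t(Authenticated sender: dan)\n"
    "\tby nyi.example.org (Postfix) with ESMTPSA id 36F83508B4;\n"
    "\tSun, 30 Nov 2008 18:26:27 +0000 (GMT)\n"
    "Subject: testing\n"
)

def unfold(raw):
    """Collapse folded continuation lines into one line per header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers

def obscure(raw):
    """Return (headers, changes); changes lists (before, after) pairs."""
    headers = unfold(raw)
    rewritten = [PATTERN.sub(REPLACEMENT, h) for h in headers]
    changes = [(b, a) for b, a in zip(headers, rewritten) if b != a]
    return rewritten, changes

if __name__ == "__main__":
    for before, after in obscure(SAMPLE)[1]:
        print("- " + before + "\n+ " + after)
```

Anchoring the pattern on the server's own "by ... (Postfix)" clause is what keeps Received: headers added by other hosts intact; a looser pattern would rewrite trace headers that are not yours to change.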
Enjoy
I didn't really have a serious reason for implementing this. I saw it. It was a rainy Sunday afternoon. Enjoy.