From: Matt Hayes on
On 6/28/2010 1:07 PM, Rachid Abdelkhalak wrote:
>
> This is not a problem for me, the end customer's IT boss asked me to see
> if it is possible to do it, he doesn't like to publish their private IPs
> for 'Security reasons'.
>
> If it is not possible, I have to give him convincing arguments.
>
> Thank you
>
> --
> |-Rachid Abdelkhalak
> |-Network Security Engineer, MTDS
> |-in morocco 080200MTDS
> |-direct +212(0)537278820
> |-mobile +212(0)661173437
> |-14, rue 16 novembre
> |-Rabat 10080 Kingdom of Morocco
>
> On Mon, 28 Jun 2010, Jonathan Tripathy wrote:
>
>> Rachid,
>>
>> Why is it a problem that people see your internal IPs?
>>
>> Thanks
>>
>> On 28/06/10 18:03, Rachid Abdelkhalak wrote:
>>>
>>> Thank you Jeroen,
>>>
>>> My need is to prevent people seeing my internal IPs, if I can make my
>>> server write on the header 127.0.0.1 instead of the
>>> 192.168.0.2 it will be great.
>>>
>>> I see on the header of your mail for example, all Received: tags
>>> indicate 127.0.0.1, I want my server to do the same thing if possible.
>>>
>>> Thank you
>>>
>>> --
>>> |-Rachid Abdelkhalak
>>> |-Network Security Engineer, MTDS
>>> |-in morocco 080200MTDS
>>> |-direct +212(0)537278820
>>> |-mobile +212(0)661173437
>>> |-14, rue 16 novembre
>>> |-Rabat 10080 Kingdom of Morocco
>>>
>>> On Sun, 27 Jun 2010, Jeroen Geilman wrote:
>>>
>>>> On 06/27/2010 01:20 PM, Rachid Abdelkhalak wrote:
>>>>>
>>>>> Hello List,
>>>>>
>>>>> I have a mail relay and an internal mail server both under Postfix
>>>>> and behind a firewall (DMZ and LAN), on both segments I'm using a
>>>>> private IP address with NAT.
>>>>>
>>>>> On all outgoing email headers sent by our users, I can see my
>>>>> servers' IP addresses (private).
>>>>>
>>>>> Is there any config that I can do to make Postfix write the hostname
>>>>> instead of the IP address on the header or replace the private IP
>>>>> address by the public IP address?
>>>>>
>>>>> Thank you
>>>>>
>>>>> Best regards.
>>>>
>>>> The format and content of Received: headers is described in detail
>>>> in the relevant RFCs.
>>>>
>>>> Make sure you know why you want to mess with them before blundering
>>>> forward.
>>>>
>>>> J.
>>>>
>>>>
>>


I guess I don't see how an internal private IP is a security risk.

-Matt

From: Rachid Abdelkhalak on

Me too, Matt, but I have to give him a solution or an answer, as I'm the
person who maintains their mail platform.

Thank you

--
|-Rachid Abdelkhalak
|-Network Security Engineer, MTDS
|-in morocco 080200MTDS
|-direct +212(0)537278820
|-mobile +212(0)661173437
|-14, rue 16 novembre
|-Rabat 10080 Kingdom of Morocco


From: Jonathan Tripathy on
Hi Rachid,

Ahh the good old "end user's boss" problem!

Well I guess the arguments could be that since it's an internal IP
address, there is *no way* it can be accessed from outside. Even if the
boss's firewall left all ports open to the mail server, they couldn't
access it via the internal IP address, as ISP infrastructure doesn't
route private IP addresses.

Another point you could mention to him is that when
anybody in the world sends an email via Thunderbird, Outlook, etc.,
their private IP is exposed. This has never done anyone any harm. In
fact Rachid, I already know your internal IP address of the machine
you're using at the minute. It ends in 144!

If this is still an issue, put the box either on a public subnet, or put
it in a private subnet which is different from the rest of the office
PCs/servers.

Just my 2 pence

Thanks

Jonathan
From: Rachid Abdelkhalak on

Thank you Jonathan.

--
|-Rachid Abdelkhalak
|-Network Security Engineer, MTDS
|-in morocco 080200MTDS
|-direct +212(0)537278820
|-mobile +212(0)661173437
|-14, rue 16 novembre
|-Rabat 10080 Kingdom of Morocco


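Added example (not part of the original thread, and not code from Postfix or from any poster): a small audit script that lists which addresses the Received: headers of a message actually disclose, separating RFC 1918 private addresses from loopback and everything else. The sample message, hostnames, queue IDs and the .144 client address are constructed for illustration; 192.168.0.2 is the server address quoted in the thread.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (hostnames, queue IDs and addresses are made up).
SAMPLE = """\
Received: from relay.example.org (relay.example.org [203.0.113.10])
\tby mx.example.net (Postfix) with ESMTP id 4A1B2C3D
Received: from mail.lan.example.org (unknown [192.168.0.2])
\tby relay.example.org (Postfix) with ESMTP id 9F8E7D6C
Received: from [192.168.0.144] (unknown [192.168.0.144])
\tby mail.lan.example.org (Postfix) with ESMTP id 1A2B3C4D
Received: from localhost (localhost [127.0.0.1])
\tby mail.lan.example.org (Postfix) with ESMTP id 5E6F7A8B
From: alice@example.org
Subject: test

body
"""

# The three private IPv4 blocks reserved by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Bracketed address literal as written in Received: headers, e.g. [192.168.0.2]
# or [IPv6:2001:db8::1].
ADDR = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def classify(ip):
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918"
    return "other"

def audit_received(raw_message):
    """Return (hop, address, class) for each bracketed address; hop 0 is the newest header."""
    msg = message_from_string(raw_message)
    findings = []
    for hop, header in enumerate(msg.get_all("Received", [])):
        for token in ADDR.findall(header):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # bracketed text that is not an IP address
            findings.append((hop, str(ip), classify(ip)))
    return findings

def exposed_private(raw_message):
    """Distinct RFC 1918 addresses a recipient can read from the headers."""
    return sorted({a for _, a, c in audit_received(raw_message) if c == "rfc1918"})
```

Running exposed_private() over a copy of a message as received at an outside mailbox shows exactly which internal addresses the relay chain and the mail client disclose.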
From: Jonathan Tripathy on
No problem at all. If you need more help, let me know, as this is the
kind of stuff that I deal with here (convincing bosses..).

Btw, unless you get your users to use webmail, their local internal IP
address of their client machines will always be in the email headers -
even if the server is in a different subnet. You can try and make him
relax by letting him know that this is how GMail and Hotmail work (if
you use their POP/SMTP features)

Thanks

Jonathan