From: mouss on 28 Jun 2010 19:30

Rachid Abdelkhalak wrote:
>
> Hello List,
>
> I have a mail relay and an internal mail server both under Postfix and
> behind a firewall (DMZ and LAN), on both segments I'm using a private IP
> address with NAT.
>
> On all outgoing email headers sent by our users, I can see my servers'
> IP addresses (private).
>

so what? everybody knows you're using a private subnet. so at a minimum,
we know it's one of three groups (private A, B, C). and most probably,
your browser probably shows it. and anyway, who cares? viruses,
trojans, .. don't care what IP class you use. they can find it since they
run on _your_ hosts.

I can tell you that I use the 192.168.1.0/24 subnet. can we get past that
now?

most attacks nowadays are web based (XSS, ...) or host based (viruses,
...). note that your message shows that you use IMSS (and Alpine). such
info is more precious than your IP... (and please use your browser to
visit one of the privacy related sites and you'll see what info your
browser shows).

> Is there any config that i can do to make postfix write hostname instead
> of the ip address on the header or replace the private ip address by the
> public ip address?
>

if you are talking about your own mail (not customer mail), then
differentiate between outbound (submitted) mail and inbound mail. for
example, use port 587 for outbound mail (ideally enforce SASL/TLS here).
Then for such mail, simply remove all received headers:

    /^Received:/ IGNORE

of course, don't do that with other mail.
From: Alexander Moisseev on 2 Jul 2010 03:13

mouss wrote:
> if you are talking about your own mail (not customer mail), then
> differentiate between outbound (submitted) mail and inbound mail. for
> example, use port 587 for outbound mail (ideally enforce SASL/TLS here).
> Then for such mail, simply remove all received headers:
> /^Received:/ IGNORE
>

If you don't want to use submission, you may remove headers only for your
local networks (but it may affect some incoming mail):

    /^Received:.*192\.168\.0\..*/ IGNORE
    /^Received:.*192\.168\.10\..*/ IGNORE
    /^Received:.*192\.168\.252\..*/ IGNORE

Also you may only replace the IP in headers:

    #/^X-Original-To: .+@(domain1|domain2|domain3)\.tld$/ DUNNO
    # uncomment line above if you want to keep IPs for local mail
    /^(Received: from ).*\[192\.168\..+\..+\]\)(.*)/ REPLACE ${1}localhost ([127.0.0.1] (may be forged by MTA))${2}

P.S. Hiding the sender IP makes troubleshooting of malware incidents and
so on more difficult.
From: /dev/rob0 on 2 Jul 2010 09:02

On Fri, Jul 02, 2010 at 11:13:55AM +0400, Alexander Moisseev wrote:
> If you don't want to use submission, you may remove headers only
> for your local networks (but it may affect some incoming mail):
> /^Received:.*192\.168\.0\..*/ IGNORE
> /^Received:.*192\.168\.10\..*/ IGNORE
> /^Received:.*192\.168\.252\..*/ IGNORE

This block (which could be consolidated into a single expression using a
"|" OR operator) would also remove spammer-added headers which happen to
have those IP addresses. Also, it could affect legitimate headers from
other sites.

> Also you may only replace the IP in headers:
> #/^X-Original-To: .+@(domain1|domain2|domain3)\.tld$/ DUNNO
> # uncomment line above if you want to keep IPs for local mail
> /^(Received: from ).*\[192\.168\..+\..+\]\)(.*)/ REPLACE ${1}localhost ([127.0.0.1] (may be forged by MTA))${2}

This block seems to display ignorance of the header_checks(5) mechanics.
"DUNNO" is pointless, and ALL listed header checks are evaluated against
each [logical] header line. Something similar to what's intended might be
done with an if...endif construct, but it would be limited to acting upon
a single header.

> P.S. Hiding the sender IP makes troubleshooting of malware incidents
> and so on more difficult.

Absolutely. Received: headers are your friend.
-- 
Offlist mail to this address is discarded unless "/dev/rob0" or
"not-spam" is in Subject: header
From: mouss on 2 Jul 2010 18:50

Alexander Moisseev wrote:
> mouss wrote:
>> if you are talking about your own mail (not customer mail), then
>> differentiate between outbound (submitted) mail and inbound mail. for
>> example, use port 587 for outbound mail (ideally enforce SASL/TLS here).
>> Then for such mail, simply remove all received headers:
>> /^Received:/ IGNORE
>>
>
> If you don't want to use submission, you may remove headers only for
> your local networks (but it may affect some incoming mail):
> /^Received:.*192\.168\.0\..*/ IGNORE
> /^Received:.*192\.168\.10\..*/ IGNORE
> /^Received:.*192\.168\.252\..*/ IGNORE

- better use more "precise" checks. the above will remove the header if
192.168.0 appears anywhere in it, be it in a helo or a from. so use
something like

    /^Received: from \S+ \(\S+ \[192\.168\.0\.\d+\]\)\s+by\s+myserver\.example\.com....

- this will remove such headers if they come from outside (either forged
or after forwarding. in the case of forgery, you miss a spam sign...).
this is why it's better to separate the flows.

> Also you may only replace the IP in headers:
> #/^X-Original-To: .+@(domain1|domain2|domain3)\.tld$/ DUNNO

DUNNO is useless. it is the default.

> # uncomment line above if you want to keep IPs for local mail

doesn't work.

> /^(Received: from ).*\[192\.168\..+\..+\]\)(.*)/ REPLACE ${1}localhost
> ([127.0.0.1] (may be forged by MTA))${2}

bad idea. fix helo in the clients or ignore it completely.

> P.S. Hiding the sender IP makes troubleshooting of malware incidents
> and so on more difficult.
>
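To make the difference between the tables in this thread concrete, here is an added example (not code from the thread and not Postfix's own code) that mimics how header_checks(5) evaluates a pcre table: each logical header is tried against the rules in order, the first match wins, IGNORE drops the header and REPLACE substitutes the whole header with $1/${1} expanded. The sample Received headers, the host names relay.example.com and internal.example.com and all addresses are constructed; the "precise" table is mouss's pattern completed for those two hypothetical MTAs. Alexander's broad IGNORE and REPLACE rules and mouss's /^Received:/ IGNORE are included as posted.

```python
"""Mimic Postfix header_checks(5) evaluation to compare the tables from
this thread. Added example, not Postfix code: each logical header is tried
against the table in order, the first match wins, IGNORE drops the header
and REPLACE substitutes the whole header (with $1 / ${1} expansion)."""
import re

# Constructed sample logical headers (Postfix unfolds continuation lines
# before header_checks sees them). All hosts and addresses are hypothetical:
# relay.example.com (DMZ) and internal.example.com (LAN) are "our" MTAs.
SAMPLE_HEADERS = [
    # 1: added by our relay for mail handed over by our internal server
    "Received: from internal.example.com (internal.example.com [192.168.0.5]) "
    "by relay.example.com (Postfix) with ESMTP id 3B4C5D "
    "for <bob@example.net>; Mon, 28 Jun 2010 19:30:00 +0200",
    # 2: added by our internal server for a user's workstation
    "Received: from ws42.example.com (ws42.example.com [192.168.0.42]) "
    "by internal.example.com (Postfix) with ESMTP id 7E8F9A; "
    "Mon, 28 Jun 2010 19:29:58 +0200",
    # 3: added by our relay for an outside host whose HELO is a private IP
    "Received: from 192.168.0.99 (unknown [203.0.113.7]) "
    "by relay.example.com (Postfix) with SMTP id C0FFEE; "
    "Mon, 28 Jun 2010 19:25:00 +0200",
    # 4: forged by a spammer; merely mentions our private range
    "Received: from internal.example.com (internal.example.com [192.168.0.5]) "
    "by mx.victim.example (Postfix) with ESMTP id 000001; "
    "Mon, 28 Jun 2010 19:20:00 +0200",
    # 5: legitimate header added by our relay for another site's MX
    "Received: from mx.other.example (mx.other.example [198.51.100.25]) "
    "by relay.example.com (Postfix) with ESMTP id D00D; "
    "Mon, 28 Jun 2010 19:10:00 +0200",
    "From: alice@example.com",
    "Subject: quarterly report",
]

# Tables as (pattern, action, replacement) in table order.
# mouss: drop every Received header (only on the submission flow!).
SUBMISSION_RULES = [(r"^Received:", "IGNORE", None)]
# Alexander: drop any Received header that mentions the private network.
BROAD_RULES = [(r"^Received:.*192\.168\.0\..*", "IGNORE", None)]
# mouss: drop only headers our own MTAs added for a 192.168.0/24 client
# (address in the bracketed client slot, "by" one of our host names).
PRECISE_RULES = [(r"^Received: from \S+ \(\S+ \[192\.168\.0\.\d+\]\)\s+by\s+"
                  r"(relay|internal)\.example\.com\b", "IGNORE", None)]
# Alexander: keep the header but rewrite the client address.
REPLACE_RULES = [(r"^(Received: from ).*\[192\.168\..+\..+\]\)(.*)", "REPLACE",
                  "${1}localhost ([127.0.0.1] (may be forged by MTA))${2}")]


def _expand(replacement, match):
    """Expand Postfix-style $1 / ${1} references from a regex match."""
    return re.sub(r"\$\{(\d+)\}|\$(\d+)",
                  lambda m: match.group(int(m.group(1) or m.group(2))),
                  replacement)


def apply_header_checks(headers, rules):
    """Return the headers that survive the table, REPLACE rewrites applied."""
    compiled = [(re.compile(p), action, repl) for p, action, repl in rules]
    kept = []
    for header in headers:
        for rx, action, repl in compiled:
            m = rx.search(header)
            if m is None:
                continue
            if action == "IGNORE":
                header = None
            elif action == "REPLACE":
                header = _expand(repl, m)
            break  # first matching rule decides
        if header is not None:
            kept.append(header)
    return kept


def affected_received(rules):
    """1-based indices of the Received headers a table drops or rewrites."""
    survivors = set(apply_header_checks(SAMPLE_HEADERS, rules))
    return [i for i, h in enumerate(SAMPLE_HEADERS, 1)
            if h.startswith("Received:") and h not in survivors]


def summarize():
    """Which sample Received headers each table touches."""
    return {name: affected_received(rules) for name, rules in (
        ("submission", SUBMISSION_RULES), ("broad", BROAD_RULES),
        ("precise", PRECISE_RULES), ("replace", REPLACE_RULES))}


if __name__ == "__main__":
    for name, hit in summarize().items():
        print(f"{name:10s} touches Received headers {hit}")
    print(apply_header_checks(SAMPLE_HEADERS[:1], REPLACE_RULES)[0])
```

The broad table removes headers 1 to 4, including the relay's own record of the HELO-as-private-IP client (3) and the spammer's forgery (4), which is the lost spam sign mouss and /dev/rob0 warn about; the REPLACE table likewise rewrites the forgery. The precise table touches only the two headers our MTAs added for LAN clients (1 and 2). In real Postfix, confining /^Received:/ IGNORE to submitted mail means giving the port 587 smtpd its own cleanup service (cleanup_service_name in master.cf) whose header_checks points at a separate table.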