Aki Tuomi
2022-Jan-04 07:39 UTC
feature-request: make received-header on submission optional or at least drop the ip in it
> On 03/01/2022 17:15 dc-ml at dvl.werbittewas.de wrote: > > > Am 03.01.22 um 15:47 schrieb Michael Peddemors: > > > Using your email system IS the reason, simply make sure that you inform > > no, it's not. > > and: > > > (SLA, Terms and Conditions etc) and it has a valid use, eg for security > > purposes. > > for security_reasons it's completly ok, to store this information > *locally* on the server for some time, but not to push this information > together with date+time towards the world. > > sorry, if you don't have an idea of privacy-needs, you should not post > about this topic and then say something about "no flames please"... > > > Oh, but no flames please, this is almost getting off topic as it is. > > well, then let's come back to the origin topic. > > There's an need for it (as I noticed meanwhile at least back to 2019: > https://dovecot.org/pipermail/dovecot/2019-August/116865.html ) and > until it breaks no existing thing (which is expected due to *optional* > settings ), there's no reason to discuss about that need itself. > > ( You won't be forced to enable it for Your mail-server ) > > @others: due to the importance of it for us, I'm currently trying to > implement it, but because that's my first deeper view in dovecots code, > maybe I'll need some help. > > d.Hi! We'll take a look at your patch. Can you please point out to some legal information about the Received header's GDPR incompliance, I would be interested to see it. Aki
dc-ml at dvl.werbittewas.de
2022-Jan-05 13:41 UTC
GDPR/sender-ip (was: make received-header on submission optional or at least drop the ip in it)
Am 04.01.22 um 08:39 schrieb Aki Tuomi:> We'll take a look at your patch. Can you please point out to some legal information about the Received header's GDPR incompliance, I would be interested to see it.thanks for doing so. the GDPR says about personal data: - that only really needed data has to be stored - that this data has to be used only for that declared needs - that any other usage has to be prevented, especially by third-parties the EuGH has judged in 2016 (Patrick Breyer vs. Germany, C-582/14), that an IP-addresses can be personal data, because the person may be identified via this IP, so they have to be handled as such. http://curia.europa.eu/juris/documents.jsf?num=C-582/14 therefore the possibility, that others may for example see when a person was at a place (connected to an IP) has to be prevented at least in europe. if such information is published for people with high email-activity, then it would be possible for everyone, who has access to this email (which might be really everyone on earth for example in archived mailing-lists) to track these people over the whole time. for security-reasons we're logging any submission-request together with the origin-IP in our logs for at least seven days. so any mis-use of our service may be prosecuted even without storing this information in every email. In germany some courts judged, that if the police asks us for the IP, we've to store the log-entry at least as long, as a court needs to judge, that we have to give it to the police. (I think this is a reasonable balance between protection of personal data and legitimate public interest) if there are further questions to this topic I'll try to reply, but you should know, that my english isn't that good, especially to explain juridicial things... regards d.