dc-ml at dvl.werbittewas.de
2022-Jan-03 19:08 UTC
patch: make received-header on submission optional or optionally drop the from-part in it
> @others: due to the importance of it for us, I'm currently trying to
> implement it, but because that's my first deeper view in dovecot's code,
> maybe I'll need some help.

okay, perhaps I've a solution for this.

because we're using standard-distribution-pkgs, we've checked it with that version (devuan chimaera/debian bullseye) and it works as expected.

The port to the currently available version 2.3.17.1 was simple, because only the macro "DEF(SET_BOOL, ..." has changed to "DEF(BOOL, ..." between those versions, but we have only tested the compilation of this version.

because until now I've never really worked with git, I've no possibility to follow that way for integration.

Independently from this, maybe you won't like the changes and won't integrate them at all.

=====================================================================
1. added a corresponding option to "lmtp_add_received_header" named "submission_add_received_header"
2. added options "lmtp_add_rcvd_from" and "submission_add_rcvd_from"
3. added another arg to smtp_server_transaction_write_trace_record() to handle the "*rcvd_from"-flags
4. beautified the header-construction within smtp_server_transaction_write_trace_record() a little bit
5. added the options to default-config. (unset default is always keeping old behaviour)
=====================================================================

the patch for 2.3.17.1 is attached.

please let me know, if you're integrating it, because then I'll send the patch for the old version to the devuan/debian-maintainers for integration, so that we can update normally again.

regards
d.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot-2.3.17.1-rcvd_from-patch.xz
Type: application/x-xz
Size: 2360 bytes
Desc: not available
URL: <https://dovecot.org/pipermail/dovecot/attachments/20220103/3aca3a27/attachment.xz>
Michael Kliewe
2022-Jan-05 16:23 UTC
patch: make received-header on submission optional or optionally drop the from-part in it
Hi,

On 03.01.2022 at 20:08, dc-ml at dvl.werbittewas.de wrote:
>> @others: due to the importance of it for us, I'm currently trying to
>> implement it, but because that's my first deeper view in dovecot's code,
>> maybe I'll need some help.
> the patch for 2.3.17.1 is attached.
>
> please let me know, if you're integrating it, because then I'll send the
> patch for the old version to the devuan/debian-maintainers for
> integration, so that we can update normally again.
>

Thanks for implementing a patch to be more privacy-aware!

In Postfix many privacy-friendly submission servers do the following:

======================================
header_checks = pcre:/etc/postfix/header_checks
======================================
/^Received: from .*? \([\w-.]* \[.*?\]\)(.*)/
        REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$1
/^User-Agent:/ IGNORE
/^X-Enigmail:/ IGNORE
/^X-Mailer:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-PHP-Originating-Script:/ IGNORE
======================================

The Received-Header is still there, so you can see the receiving server and the date+time of the server, but the IP address has been anonymized by replacing it with 127.0.0.1, so the format of the Received:-line is still valid for parsers.

And some fingerprintable headers have been removed, because an "X-Mailer" or "User-Agent" could tell the recipients if you are at work or at home for example, or they could learn that you use an outdated vulnerable MUA...

It would be cool if the Dovecot-submission-server would also be able to remove headers like the ones above (or for example "X-Authenticated" which sometimes contains IP addresses or auth-usernames...).

Michael
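
The effect of the Postfix rules quoted in the message above, shown as an added example that is not part of the original thread and is neither Postfix nor Dovecot code. It is a small Python emulation of the REPLACE/IGNORE rules applied to constructed headers; the function names and sample message are hypothetical, and the matching flags follow the pcre_table(5) defaults.

```python
import re

# Rules from the message above as (pattern, replacement); None means IGNORE.
# Assumption: Python's re rejects the range in [\w-.], so the hyphen is moved
# to the end of the class ([\w.-]); it matches the same characters.
RULES = [
    (r"^Received: from .*? \([\w.-]* \[.*?\]\)(.*)",
     "Received: from [127.0.0.1] (localhost [127.0.0.1])$1"),
] + [(p, None) for p in (r"^User-Agent:", r"^X-Enigmail:", r"^X-Mailer:",
                         r"^X-Originating-IP:", r"^X-PHP-Originating-Script:")]
# pcre_table defaults: case-insensitive, and "." also matches newlines.
FLAGS = re.IGNORECASE | re.DOTALL

def logical_headers(block):
    """Join folded continuation lines so each header is checked as a whole."""
    headers = []
    for line in block.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers

def apply_checks(block):
    """Apply the first matching rule to each header; return the kept headers."""
    out = []
    for header in logical_headers(block):
        for pattern, repl in RULES:
            m = re.search(pattern, header, FLAGS)
            if m is None:
                continue
            # REPLACE expands $1..$9 from the match; IGNORE drops the header.
            header = repl and re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), repl)
            break
        if header is not None:
            out.append(header)
    return out

# Constructed sample headers (documentation addresses, not real traffic).
SAMPLE = (
    "Received: from [192.168.1.5] (dyn-23.isp.example [198.51.100.23])\n"
    "\tby mail.example.org with ESMTPSA id CONSTRUCTED1\n"
    "\tfor <bob@example.net>; Wed, 5 Jan 2022 16:23:00 +0100\n"
    "User-Agent: ExampleMail/1.0\n"
    "X-Originating-IP: [198.51.100.23]\n"
    "Subject: test\n"
)

if __name__ == "__main__":
    print("\n".join(apply_checks(SAMPLE)))
```

On a real Postfix host, a single header can be checked against the deployed table with `postmap -q "<header text>" pcre:/etc/postfix/header_checks`.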