Michael Kliewe
2022-Jan-05 16:23 UTC
patch: make received-header on submission optional or optionally drop the from-part in it
Hi, Am 03.01.2022 um 20:08 schrieb dc-ml at dvl.werbittewas.de:>> @others: due to the importance of it for us, I'm currently trying to >> implement it, but because that's my first deeper view in dovecots code, >> maybe I'll need some help. > the patch for 2.3.17.1 is attached. > > please let me know, if you're integrating it, because then I'll send the > patch for the old version to the devuan/debian-maintainers for > integration, so that we can update normally again. >Thanks for implementing a patch to be more privacy-aware! In Postfix many privacy-friendly submission servers do the following: ======================================header_checks = pcre:/etc/postfix/header_checks ======================================/^Received: from .*? \([\w-.]* \[.*?\]\)(.*)/ ??????? REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$1 /^User-Agent:/ IGNORE /^X-Enigmail:/ IGNORE /^X-Mailer:/ IGNORE /^X-Originating-IP:/ IGNORE /^X-PHP-Originating-Script:/ IGNORE ====================================== The Received-Header is still there, so you can see the receiving server and the date+time of the server, but the IP address has been anonymized by replacing it with 127.0.0.1, so the format of the Received:-line is still valid for parsers. And some fingerprintable headers have been removed, because an "X-Mailer" or "User-Agent" could tell the recipients if you are at work or at home for example, or they could learn that you use an outdated vulnerable MUA... It would be cool if the Dovecot-submission-server would also be able to remove headers like the ones above (or for example "X-Authenticated" which sometimes contains IP addresses or auth-usernames...). Michael
dc-ml at dvl.werbittewas.de
2022-Jan-05 17:05 UTC
patch: make received-header on submission optional or optionally drop the from-part in it
Am 05.01.22 um 17:23 schrieb Michael Kliewe:> In Postfix many privacy-friendly submission servers do the following:[...] nice feature, unfortunately we're currently not using postfix, because none here has enough experience with it. maybe later... but:> The Received-Header is still there, so you can see the receiving serverfor this the patch offers the option to simply drop the "by X.X.X.X" but not the whole header itself. Because for lmtp there already was an option to remove the complete header, this was also implemented for submission. (we know that information about the accepting system/software might be useful for debugging problems) d.
Sebastian Nielsen
2022-Jan-05 18:27 UTC
Sv: patch: make received-header on submission optional or optionally drop the from-part in it
MUA/browser based things are not considered be in scope for GDPR unless they are truly unique. So you do NOT need to hide user-agent/MUA for privacy reasons. Received lines is only applicable (in scope for GDPR) if they identify the end user. A good solution to this would be to just scrap every received-line EXCEPT for the received line *immediately* before receiving the mail (which will be the remote server connecting). This will guaranteed protect against mail providers that DO insert their end user IP or client IP as a Received line. Example: If 123.222.123.222 connects to us and sends an email, and you have the following received lines: Received: from 127.0.0.1 (localfw-mailscanner) bablabla Received: from 23.34.56.33 (spamscanner.someservice.com) blablabla Received: from 123.222.123.222 (remote.mailserver.com) blablabla Received: from 99.99.99.99 (somecustomer.someisp.com) blabla Received: from 192.168.1.100 (somerouter.atsomecustomer.local) blabla Then you scrap the 2 earliest, so you are left with: Received: from 127.0.0.1 (localfw-mailscanner) bablabla Received: from 23.34.56.33 (spamscanner.someservice.com) blablabla Received: from 123.222.123.222 (remote.mailserver.com) blablabla For X-PHP-Originating-Script I don't think you need to hide that unless it contains the IP of the web user submitting the form. Same applies here, if someone sets up a server, they have automatically consented to the processing of personal details, since they publish things. -----Ursprungligt meddelande----- Fr?n: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> F?r Michael Kliewe Skickat: den 5 januari 2022 17:25 Till: dovecot at dovecot.org ?mne: Re: patch: make received-header on submission optional or optionally drop the from-part in it Hi, Am 03.01.2022 um 20:08 schrieb dc-ml at dvl.werbittewas.de:>> @others: due to the importance of it for us, I'm currently trying to >> implement it, but because that's my first deeper view in dovecots >> code, maybe I'll need some help. > the patch for 2.3.17.1 is attached. > > please let me know, if you're integrating it, because then I'll send > the patch for the old version to the devuan/debian-maintainers for > integration, so that we can update normally again. >Thanks for implementing a patch to be more privacy-aware! In Postfix many privacy-friendly submission servers do the following: ======================================header_checks = pcre:/etc/postfix/header_checks ======================================/^Received: from .*? \([\w-.]* \[.*?\]\)(.*)/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$1 /^User-Agent:/ IGNORE /^X-Enigmail:/ IGNORE /^X-Mailer:/ IGNORE /^X-Originating-IP:/ IGNORE /^X-PHP-Originating-Script:/ IGNORE ====================================== The Received-Header is still there, so you can see the receiving server and the date+time of the server, but the IP address has been anonymized by replacing it with 127.0.0.1, so the format of the Received:-line is still valid for parsers. And some fingerprintable headers have been removed, because an "X-Mailer" or "User-Agent" could tell the recipients if you are at work or at home for example, or they could learn that you use an outdated vulnerable MUA... It would be cool if the Dovecot-submission-server would also be able to remove headers like the ones above (or for example "X-Authenticated" which sometimes contains IP addresses or auth-usernames...). Michael