Bad recommendation, it WILL affect delivery if you start removing trace
fields.. (and not going to talk GDPR on list further ;)
On 2022-01-05 10:27 a.m., Sebastian Nielsen wrote:
MUA/browser based things are not considered be in scope for GDPR unless they
are truly unique.
So you do NOT need to hide user-agent/MUA for privacy reasons.
Received lines is only applicable (in scope for GDPR) if they identify the end
user. A good solution to this would be to just scrap every received-line EXCEPT
for the received line *immediately* before receiving the mail (which will be
the remote server connecting).
This will guaranteed protect against mail providers that DO insert their end
user IP or client IP as a Received line.
Example:
If 123.222.123.222 connects to us and sends an email, and you have the
following received lines:
Received: from 127.0.0.1 (localfw-mailscanner) bablabla
Received: from 23.34.56.33 (spamscanner.someservice.com) blablabla
Received: from 123.222.123.222 (remote.mailserver.com) blablabla
Received: from 99.99.99.99 (somecustomer.someisp.com) blabla
Received: from 192.168.1.100 (somerouter.atsomecustomer.local) blabla
Then you scrap the 2 earliest, so you are left with:
Received: from 127.0.0.1 (localfw-mailscanner) bablabla
Received: from 23.34.56.33 (spamscanner.someservice.com) blablabla
Received: from 123.222.123.222 (remote.mailserver.com) blablabla
For X-PHP-Originating-Script I don't think you need to hide that unless it
contains the IP of the web user submitting the form. Same applies here, if
someone sets up a server, they have automatically consented to the processing
of personal details, since they publish things.
-----Ursprungligt meddelande-----
Från: dovecot-boun...@dovecot.org <dovecot-boun...@dovecot.org> För Michael
Kliewe
Skickat: den 5 januari 2022 17:25
Till: dovecot@dovecot.org
Ämne: Re: patch: make received-header on submission optional or optionally drop
the from-part in it
Hi,
Am 03.01.2022 um 20:08 schrieb dc...@dvl.werbittewas.de:
@others: due to the importance of it for us, I'm currently trying to
implement it, but because that's my first deeper view in dovecots
code, maybe I'll need some help.
the patch for 2.3.17.1 is attached.
please let me know, if you're integrating it, because then I'll send
the patch for the old version to the devuan/debian-maintainers for
integration, so that we can update normally again.
Thanks for implementing a patch to be more privacy-aware!
In Postfix many privacy-friendly submission servers do the following:
=======================================
header_checks = pcre:/etc/postfix/header_checks
=======================================
/^Received: from .*? \([\w-.]* \[.*?\]\)(.*)/
REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$1
/^User-Agent:/ IGNORE /^X-Enigmail:/ IGNORE /^X-Mailer:/ IGNORE
/^X-Originating-IP:/ IGNORE /^X-PHP-Originating-Script:/ IGNORE
=======================================
The Received-Header is still there, so you can see the receiving server and the
date+time of the server, but the IP address has been anonymized by replacing it
with 127.0.0.1, so the format of the Received:-line is still valid for parsers.
And some fingerprintable headers have been removed, because an "X-Mailer" or "User-Agent"
could tell the recipients if you are at work or at home for example, or they could learn that you use an
outdated vulnerable MUA... It would be cool if the Dovecot-submission-server would also be able to remove
headers like the ones above (or for example "X-Authenticated" which sometimes contains IP addresses
or auth-usernames...).
Michael
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
