Wow! Thanks, I didn't realize this was an option. A really pretty balance of
maintaining the internal routing information for troubleshooting purposes
without sending it to the Internet. Not totally settled on the actual level of
threat posed by leaking this info, but a great option to know I have.
Much obliged,
Scott
________________________________
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> on
behalf of Ralph Seichter <ra...@ml.seichter.de>
Sent: December 13, 2020 6:14 AM
To: postfix-users@postfix.org <postfix-users@postfix.org>
Subject: Re: Security threat posed by names and IPs in SMTP headers
* Scott A. Wozny:
> In your average message header there are system names and IPs (both
> often internal) all along the path of delivery which would, on one
> hand, seem to be a needless leak of information useful to a hacker
> but, on the other hand, absolutely critical to troubleshooting mail
> delivery problems for any individual message.
There are some assumptions I usually make for production systems:
- Organisation A has 0..n Intranet-only Postfix instances which don't
connect to the Internet.
- There are 1..m Postfix instances used as outbound relayhosts, and
only these do connect to MXs using the Internet.
- Troubleshooting can be separated into either the route
Intranet-to-Relayhost or Relayhost-to-Internet.
- Once a message reaches the relayhost(s), existing routing
information is no longer relevant when it comes to debugging
possible mail routing problems.
If these assumptions hold true, I see no harm in removing message
headers you consider sensitive on your relayhosts. Postfix's cleanup[1]
daemon can do it for you, using the header_checks[2] option:
# pcre:/etc/postfix/my_cleanup_header_checks
/^Received: from \w+\.myinternaldomain\.org\b/ STRIP
The STRIP action logs header removal, while the alternative IGNORE would
delete headers silently.
-Ralph
[1] http://www.postfix.org/cleanup.8.html
[2] http://www.postfix.org/header_checks.5.html
