On Thu, 2007-03-22 at 08:19 -0500, Gary Bowling wrote:
>
> Seems a security risk because it shows both the internal address and
> the external address of the client, not the server. Which gives a
> hacker an easy way to start discovering outside/inside address pairs.
>
> Finding who the user that sent the message is, is identified by the
> sending email address. I don't have a problem with that being in the
> header, but the IP address pairs of the client machine I'm not all
> that comfortable with.
>
> Gary
>
> ____________________
> Gary Bowling
> GBCO.US
> [EMAIL PROTECTED]
> ____________________

You do realise that NAT will identify the internal (private) IP address anyway, don't you? If you're that worried, then get yourself a PIX firewall or similar to protect your network, or hack the source yourself to remove it, because I think that's about the only way you're going to remove that line.

Or maybe, if those clients are directly routed by you, let them through without SMTP auth by adding a line to the tcp.smtp file?

As for the user's email address being in the header, that could be forged if you turn off SMTP auth.

Shane