On Mar 22, 2007, at 5:55 AM, Gary Bowling wrote:
When I send a message to someone else, in the headers for the received message, you get the following:

Received: from unknown (HELO ?192.168.11.10?) ([EMAIL PROTECTED]@70.240.235.119)
 by 0 with ESMTPA; 22 Mar 2007 11:50:48 -0000


This header line contains the client machine's internal ip address (192.168.11.10) which of course is a private address, and also my public address 70.240.235.119.

I realize that this has been discussed in some detail, but I thought I'd throw in my two cents...

The internal IP (192.168.11.10) was sent by the client's PC when it initiated the connection to the web server. In reality, it probably sent [192.168.11.10] and qmail converted the square brackets to question marks.

As you are already aware, [EMAIL PROTECTED] comes from the SMTP AUTH (and you definitely want to keep that in there -- if a spammer hacks one of your server's email accounts to send email out, you need to know which account should have its password changed). And 70.240.235.119 is the IP address that connected to the mail server.

In your case, 192.168.11.10 is connecting through a NAT/router/firewall of some sort, with a public IP of 70.240.235.119. There's a good chance that multiple IPs on the internal net are sharing that same public IP.

I'm not sure how knowing 192.168.11.10 creates a security risk, as it's obviously a non-routable IP address. I can't attack it directly, and knowing it doesn't help me attack 70.240.235.119. If you were sending from a computer directly on the Internet, the HELO IP would match the IP in the SMTP AUTH section.

You would need to modify qmail-smtpd.c to not log the HELO or IP of the connecting machine. You could probably even do it only for authenticated senders so the information would still be there for troubleshooting mail problems.

IMHO, you don't open yourself up to any additional security risks by that information being out there. Sure, someone could target your internet gateway (70.240.235.119 in this example case) for an attack, but that IP is already under attack daily if not hourly by random port scans.

--
Tom Collins  -  [EMAIL PROTECTED]
Vpopmail - virtual domains for qmail: http://vpopmail.sf.net/
QmailAdmin - web interface for Vpopmail: http://qmailadmin.sf.net/
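The header analysis Tom walks through above (pull the HELO argument, the SMTP AUTH login and the connecting IP out of a qmail-smtpd Received: line, then decide whether the HELO address is an RFC 1918 address behind NAT or matches the connecting IP) can be done mechanically. The following is an added example, not code from the thread or from qmail/vpopmail; the sample headers are constructed after the one Gary quoted, and the login "alice@example.com" stands in for the redacted account name.

```python
"""Parse a qmail-smtpd style Received: header and classify its HELO address.

Constructed example; the header format follows the line quoted in the thread:
  Received: from unknown (HELO ?192.168.11.10?) (login@70.240.235.119)
    by 0 with ESMTPA; 22 Mar 2007 11:50:48 -0000
"""
import ipaddress
import re

# Constructed sample: NAT'd client, bracketed HELO literal rewritten to '?' by qmail.
SAMPLE_HEADER = (
    "Received: from unknown (HELO ?192.168.11.10?) "
    "(alice@example.com@70.240.235.119)\n"
    "  by 0 with ESMTPA; 22 Mar 2007 11:50:48 -0000"
)

# Constructed sample: client directly on the Internet, HELO equals connecting IP.
DIRECT_HEADER = (
    "Received: from unknown (HELO ?70.240.235.119?) "
    "(alice@example.com@70.240.235.119)\n"
    "  by 0 with ESMTPA; 22 Mar 2007 11:50:48 -0000"
)

# qmail-smtpd writes: from <rdns> (HELO <helo>) (<info>@<ip>) by <host> with <proto>;
# <info> is the SMTP AUTH login when the session authenticated. The auth group is
# greedy up to the last '@' so logins that contain '@' (virtual domains) survive.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+"
    r"\(HELO\s+(?P<helo>[^)]*)\)\s+"
    r"\((?:(?P<auth>[^)]*)@)?(?P<ip>[0-9a-fA-F:.]+)\)\s+"
    r"by\s+(?P<by>\S+)\s+with\s+(?P<proto>[^\s;]+)",
    re.DOTALL,
)


def classify(header: str) -> dict:
    """Return the parsed fields plus a verdict on what the HELO address reveals."""
    m = _RECEIVED_RE.search(header)
    if not m:
        raise ValueError("not a qmail-smtpd style Received: header")

    helo_raw = m.group("helo")
    # qmail-smtpd rewrites characters it considers unsafe to '?', so a client's
    # "[192.168.11.10]" address literal shows up as "?192.168.11.10?".
    helo_ip = None
    try:
        helo_ip = ipaddress.ip_address(helo_raw.strip("?[]"))
    except ValueError:
        pass  # HELO was a hostname (or too garbled to recover), not an address

    remote_ip = ipaddress.ip_address(m.group("ip"))

    if helo_ip is None:
        verdict = "HELO is a hostname; no client address leaks from it"
    elif helo_ip == remote_ip:
        verdict = "client is directly on the Internet (HELO == connecting IP)"
    elif helo_ip.is_private:
        verdict = ("client is behind NAT; HELO is an RFC 1918 address that is "
                   "not routable from outside")
    else:
        verdict = "HELO claims a public address that differs from the connecting IP"

    return {
        "helo": helo_raw,
        "helo_ip": str(helo_ip) if helo_ip else None,
        "auth_user": m.group("auth"),
        "remote_ip": str(remote_ip),
        "authenticated": m.group("proto").upper() == "ESMTPA",
        "helo_is_private": bool(helo_ip and helo_ip.is_private),
        "helo_matches_remote": helo_ip == remote_ip,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for hdr in (SAMPLE_HEADER, DIRECT_HEADER):
        for key, value in classify(hdr).items():
            print(f"{key:20} {value}")
        print()
```

Run against the NAT'd sample it reports the private HELO address, the public connecting address and the authenticated login separately, which is exactly the split Tom describes: the login is the field you keep for tracing a compromised account, the private HELO address is the one that tells an outside observer nothing actionable.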

