Postfix and Privacy

by Tykling


04. mar 2020 22:09 UTC


Background

Today I set out to make my mailserver a bit better privacy-wise. I wanted to remove certain headers from client-submitted email, meaning authenticated email from clients on ports 465 (smtps) or 587 (submission), not MX mail from other servers.

The headers I wanted to remove were primarily the first Received: header (which contains the client's IP, both before and after NAT) and the X-Originating-IP header (if added by the MUA), which contains the same info.

Now that I'm here I also wanted to remove the X-Mailer: and User-Agent: headers if present. They reveal the MUA used by the client, which could lead to targeted attacks.

Postfix

Postfix has a cleanup(8) service which takes care of a lot of stuff like address rewriting and content inspection before placing the email on the queue. The content inspection features include header_checks which uses a regexp: lookup table to inspect mail headers and act on them. This means I can define a new cleanup(8) service for my clients which can remove the headers matching some regular expression.

Lookup Table

My regexp: lookup table looks like this:

# Remove Received: header showing clients ip for authenticated locally submitted email
/^Received:.* with ESMTPSA id/ IGNORE

# Remove X-Originating-IP
/^X-Originating-IP:/ IGNORE

# Remove X-Mailer and User-Agent
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE

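The first regex removes any header beginning with Received: if it also later contains with ESMTPSA id. header_checks matches each logical header as a whole, so this works even when with ESMTPSA id sits on a folded continuation line. Since the header_checks will only be applied to locally submitted mail (ports 465 and 587), this means we remove the Received: header with the client's IP.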

The second regex removes any header beginning with X-Originating-IP. Some clients add it, and we can remove it without further ado.

The third and fourth regexes remove information about the MUA contained in the X-Mailer: and User-Agent: headers.

I save the file as /usr/local/etc/postfix/privacy_header_checks.regexp.
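
The table can be checked offline before reloading Postfix. The following is an added example, not the author's code: a Python approximation of header_checks matching, in which Python's re module stands in for Postfix's POSIX regexps, and the function names plus the X-Originating-IP and x-mailer sample lines are constructed for the test.

```python
import re
# Patterns from this page's lookup table (comments omitted).
TABLE = r"""
/^Received:.* with ESMTPSA id/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
"""

# Constructed sample: abridged from the "before" message, plus two invented lines.
SAMPLE = (
    "Received: from smtp2.servers.tyknet.dk (smtp2.servers.tyknet.dk [89.233.43.78])\n"
    "\tby mail.bornhack.org (Postfix) with ESMTPS id 1649C33F5\n"
    "Received: from [10.137.3.13] (gw.tyknet.dk [79.142.232.94])\n"
    "\tby smtp2.servers.tyknet.dk (Postfix) with ESMTPSA id BC7BF13435\n"
    "X-Originating-IP: [192.0.2.10]\n"
    "x-mailer: ExampleMailer 1.0\n"
    "Subject: test 4\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101\n"
    " Thunderbird/68.3.0\n"
)

def load_rules(text):
    """Parse '/pattern/ ACTION' lines; blank lines and comments are skipped."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"/(.+)/\s+(\S+)", line.strip())
        if m:
            # Approximates Postfix regexp: defaults: case-insensitive, '.' spans newlines
            rules.append((re.compile(m.group(1), re.I | re.S), m.group(2)))
    return rules

def logical_headers(raw):
    """Join folded continuation lines (leading space or tab) onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers

def apply_checks(raw, rules):
    """Return surviving headers: the first matching rule wins, IGNORE drops."""
    first = lambda h: next((a for rx, a in rules if rx.search(h)), None)
    return [h for h in logical_headers(raw) if first(h) != "IGNORE"]
```

On the server itself, postmap -q "User-Agent: test" regexp:/usr/local/etc/postfix/privacy_header_checks.regexp queries the real table and prints the action for a matching header.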

Cleanup Service

Since header_checks are performed by cleanup(8) I need a new one of those which implements my new lookup table. A few lines in main.cf to make the changes to master.cf less verbose:

privacy_cleanup_service_name = privacy_cleanup
privacy_header_checks = regexp:/usr/local/etc/postfix/privacy_header_checks.regexp

Here the variable privacy_cleanup_service_name is set to the value privacy_cleanup and the variable privacy_header_checks to regexp:/usr/local/etc/postfix/privacy_header_checks.regexp. These variables are not special or known to Postfix; we just define them here so we can use them in master.cf.

Finally I add the new cleanup(8) daemon to master.cf with the name defined in main.cf:

privacy_cleanup   unix  n       -       n       -       0       cleanup
  -o header_checks=$privacy_header_checks

And add the cleanup(8) service to my existing submission and smtps entries in master.cf:

smtps     inet  n       -       n       -       -       smtpd
  -o cleanup_service_name=$privacy_cleanup_service_name
...... existing config .....

After issuing a postfix reload I am ready to test the changes. I sent this email from my own personal email to my BornHack email before making the changes, and it clearly shows a couple of headers that could use some privacy enhancement (the Received: header added by smtp2.servers.tyknet.dk with ESMTPSA, and the User-Agent: header):

Return-Path: <thomas@gibfest.dk>
Delivered-To: tykling@bornhack.org
Received: from mail.bornhack.org ([85.235.250.93])
	by imap2.servers.bornhack.org with LMTP
	id JrnCEDkZYF7EbAAA+yNRXw
	(envelope-from <thomas@gibfest.dk>)
	for <tykling@bornhack.org>; Wed, 04 Mar 2020 21:10:17 +0000
Received: from smtp2.servers.tyknet.dk (smtp2.servers.tyknet.dk [89.233.43.78])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail.bornhack.org (Postfix) with ESMTPS id 1649C33F5
	for <tykling@bornhack.org>; Wed,  4 Mar 2020 21:10:16 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.bornhack.org 1649C33F5
Authentication-Results: mail.bornhack.org;
	dkim=pass (2048-bit key; unprotected) header.d=gibfest.dk header.i=@gibfest.dk header.b=pRKRHfHX
Received: from [10.137.3.13] (gw.tyknet.dk [79.142.232.94])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by smtp2.servers.tyknet.dk (Postfix) with ESMTPSA id BC7BF13435
	for <tykling@bornhack.org>; Wed,  4 Mar 2020 21:10:16 +0000 (UTC);
DKIM-Filter: OpenDKIM Filter v2.10.3 smtp2.servers.tyknet.dk BC7BF13435
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gibfest.dk; s=default;
	t=1583356216; bh=34tKkuLKFx3jY7i6C+NsFozk4Iv52R7X4DZEQJ4JAsw=;
	h=To:From:Subject:Date;
	b=pRKRHfHXxSK/2Ge91dsYqQVop3irX2R8giBHELMExXUWB6JK/nvXFpxDfv5sk3Twe
	 s27Tq8Sn5DCMW0MzLi8AlVqL8ln5jEtvoeErjFeqG4toj92LVQwDIfbp8wXessSum0
	 h1BC3lJB3I/7dX9CcASpHY1cUTrDq0H0TS1zVENHrBinSPE02nhWFDtdJpFTkRGhyC
	 uZ5ECp5c4i1mLyXBlf9L7cJDP293BDAUp3o9+ZatmiSVLhNVf0R5QIZOzZJg1IrX+1
	 96XWJuaFXCucmeveJSQ8+L8o0wabYm0I5N+aV9a9vgW1jSu4ZaOpZezGSbmapxcFGl
	 jPRQXv1q0z/Ig==
To: tykling <tykling@bornhack.org>
From: Thomas Steen Rasmussen <thomas@gibfest.dk>
Subject: test 4
Message-ID: <526d32f5-66ef-01de-8b2e-0655fa01964b@gibfest.dk>
Date: Wed, 4 Mar 2020 22:10:17 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US

test 4


After reloading my changes and sending another test email I was happy to see that the headers have been removed:

Return-Path: <thomas@gibfest.dk>
Delivered-To: tykling@bornhack.org
Received: from mail.bornhack.org ([85.235.250.93])
	by imap2.servers.bornhack.org with LMTP
	id Z52rGUUdYF48PgAA+yNRXw
	(envelope-from <thomas@gibfest.dk>)
	for <tykling@bornhack.org>; Wed, 04 Mar 2020 21:27:33 +0000
Received: from smtp2.servers.tyknet.dk (smtp2.servers.tyknet.dk [89.233.43.78])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail.bornhack.org (Postfix) with ESMTPS id 4DEF034C5
	for <tykling@bornhack.org>; Wed,  4 Mar 2020 21:27:33 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.bornhack.org 4DEF034C5
Authentication-Results: mail.bornhack.org;
	dkim=pass (2048-bit key; unprotected) header.d=gibfest.dk header.i=@gibfest.dk header.b=K2acj7Xz
To: tykling <tykling@bornhack.org>
DKIM-Filter: OpenDKIM Filter v2.10.3 smtp2.servers.tyknet.dk 990C91391B
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gibfest.dk; s=default;
	t=1583357252; bh=TngI6sumeanS64q27aVBfuIGCRnJ6/OVsFLLgkHhG9s=;
	h=To:From:Subject:Date;
	b=K2acj7XzdEEVGUrE+VW4FyYKVfK3sv19Vcx70iPfg25JmtppivTe9mhHRqVmXKY1G
	 CSGH5J212vcxqi2dPL7xwxuSiEqJqmvSwgc99z59zxvdSjLMXq2v8RglwckNyt995+
	 ZHTlA9DB0L+F9pZ/vhtMkQsf4InUT4DKsuAFBS0fCEqKM65FtgbNP9nrRl3uG3/NBq
	 lPYF/4DW+Jv/tMUWEtVt3n5bxJsknApse63qGkIxVHFiVElIs4mSqXQrTxEr9Uv/lQ
	 B8vYniW6X8MWZLErcVv+3YOpmd/9VgxT3Np1zrfKvlFZ7teVNundjbO6+K1+CJOPX4
	 yG6hLZ3vWBEXw==
From: Thomas Steen Rasmussen <thomas@gibfest.dk>
Subject: test 5
Message-ID: <15cceb83-d884-31cb-5236-e1087181f15e@gibfest.dk>
Date: Wed, 4 Mar 2020 22:27:33 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US

test 5


Great success!
