Just for the archives: Occam’s razor applied.

I was able to remove the “Received: from” header in messages by masking it with 
localhost/127.0.0.1. The sender’s EHLO line will still show; in some cases that 
ends up being the IP address (usually NATted), so this shouldn’t be considered 
perfect, but definitely covers the vast majority of the privacy issues around 
leaking the sender’s IP address.

In esmtpd-msa, per Sam’s suggestion, I set PORT as follows:

PORT="10.1.2.3.25,10.1.2.3.587 /usr/bin/env TCPREMOTEIP=127.0.0.1 TCPREMOTEHOST=localhost"

(But using our IP address instead of 10.1.2.3).

This works for us because esmtpd-msa is listening on an IP address that’s 
dedicated for authenticated senders; that is, "AUTH_REQUIRED=1".

Thanks!

-Jeff

On Sep 25, 2014, at 7:05 PM, Sam Varshavchik <mr...@courier-mta.com> wrote:

> Jeff Potter writes:
> 
>> 
>> Hi Sam,
>> 
>> Oh, clever. I wouldn’t have guessed at that, ever.
>> 
>> Here’s the running command after trying that:
>> 
>> /usr/lib/courier/sbin/couriertcpd -stderrlogger=/usr/sbin/courierlogger 
>> -stderrloggername=esmtpd-ssl -maxprocs=80 -maxperip=10 -maxperc=10 
>> -pid=/var/spool/courier/tmp/esmtpd-ssl.pid 
>> -stderrlogger=/usr/sbin/courierlogger -noidentlookup -nodnslookup 
>> -user=daemon -group=daemon -block=zen.spamhaus.org,BLOCK 
>> -block=psbl.surriel.com,BLOCK -block=cbl.abuseat.org,BLOCK 
>> -access=/etc/courier/smtpaccess.dat -address=<real ip here> 465,443 
>> /usr/bin/env TCPREMOTEIP=127.0.0.1 TCPREMOTEHOST=localhost 
>> /usr/lib/courier/bin/couriertls -server -tcpd 
>> /usr/lib/courier/sbin/courieresmtpd
>> 
>> The header, however, is still showing the real IP of the sending user, 
>> instead of taking on the new env ones. Is couriertls re-setting it? (To be 
>> clear, authed users connect over esmtpd-ssl — so I set SSLPORT with your 
>> suggestion.)
>> 
>> Ideas?
> 
> couriertls doesn't do anything with the environment variables.
> 
> This works as expected:
> 
> $ TCPREMOTEIP=192.168.0.1 /usr/bin/env TCPREMOTEIP=127.0.0.1 bash -c 'echo $TCPREMOTEIP'
> 127.0.0.1
> 
> So, Occam's razor suggests either: the server wasn't restarted; or, wrong 
> server instance (since you have multiple instances, I believe).
> 
> courier-users mailing list
> courier-users@lists.sourceforge.net
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
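
One way to check a delivered message for the leak discussed in this thread (added example, not part of the original messages and not Courier's own code): it lists every non-loopback IPv4 address left in the "from" part of each Received: header, which catches the case where the connection address is masked as localhost but the client's EHLO name is still its IP. The sample message, its header layout and the function names are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample (not from the thread): the connection address is masked
# as localhost, but the client announced its NATted address in EHLO.
SAMPLE = """\
Received: from [192.168.1.50] (localhost [127.0.0.1])
  (AUTH: LOGIN user@example.com)
  by mail.example.com with ESMTPSA; Thu, 25 Sep 2014 19:30:00 -0400
From: user@example.com
To: someone@example.org
Subject: test

body
"""

# Dotted-quad candidates; range checking is left to the ipaddress module.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def received_from_ips(raw_message):
    """Yield (hop_index, ip) for each IPv4 literal in a Received 'from' clause."""
    msg = email.message_from_string(raw_message)
    for hop, value in enumerate(msg.get_all("Received", [])):
        unfolded = " ".join(value.split())  # undo header line folding
        # Only the part before " by " describes the sending client.
        from_clause = re.split(r"\sby\s", unfolded, maxsplit=1)[0]
        for text in IPV4.findall(from_clause):
            try:
                yield hop, ipaddress.ip_address(text)
            except ValueError:
                continue  # looked like an address but is out of range


def audit(raw_message):
    """Return (hop, ip, kind) for every non-loopback client address found."""
    findings = []
    for hop, ip in received_from_ips(raw_message):
        if ip.is_loopback:
            continue  # the masked value, nothing leaked here
        kind = "private (NAT)" if ip.is_private else "public"
        findings.append((hop, str(ip), kind))
    return findings


if __name__ == "__main__":
    for hop, ip, kind in audit(SAMPLE):
        print(f"Received hop {hop}: client address still visible: {ip} [{kind}]")
```
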

