Just for the archives: Occam’s razor applied. I was able to remove the “Received: from” header in messages by masking it with localhost/127.0.0.1. The sender’s EHLO line will still show; in some cases that ends up being the IP address (usually NATted), so this shouldn’t be considered perfect, but definitely covers the vast majority of the privacy issues around leaking the sender’s IP address.
In esmtpd-msa, per Sam's suggestion, I set PORT as follows:

PORT="10.1.2.3.25,10.1.2.3.587 /usr/bin/env TCPREMOTEIP=127.0.0.1 TCPREMOTEHOST=localhost"

(But using our IP address instead of 10.1.2.3.) This works for us because esmtpd-msa is listening on an IP address that's dedicated for authenticated senders; that is, "AUTH_REQUIRED=1".

Thanks!
-Jeff

On Sep 25, 2014, at 7:05 PM, Sam Varshavchik <mr...@courier-mta.com> wrote:

> Jeff Potter writes:
>
>> Hi Sam,
>>
>> Oh, clever. I wouldn't have guessed at that, ever.
>>
>> Here's the running command after trying that:
>>
>> /usr/lib/courier/sbin/couriertcpd -stderrlogger=/usr/sbin/courierlogger
>> -stderrloggername=esmtpd-ssl -maxprocs=80 -maxperip=10 -maxperc=10
>> -pid=/var/spool/courier/tmp/esmtpd-ssl.pid
>> -stderrlogger=/usr/sbin/courierlogger -noidentlookup -nodnslookup
>> -user=daemon -group=daemon -block=zen.spamhaus.org,BLOCK
>> -block=psbl.surriel.com,BLOCK -block=cbl.abuseat.org,BLOCK
>> -access=/etc/courier/smtpaccess.dat -address=<real ip here> 465,443
>> /usr/bin/env TCPREMOTEIP=127.0.0.1 TCPREMOTEHOST=localhost
>> /usr/lib/courier/bin/couriertls -server -tcpd
>> /usr/lib/courier/sbin/courieresmtpd
>>
>> The header, however, is still showing the real IP of the sending user,
>> instead of taking on the new env ones. Is couriertls re-setting it? (To be
>> clear, authed users connect over esmtpd-ssl — so I set SSLPORT with your
>> suggestion.)
>>
>> Ideas?
>
> couriertls doesn't do anything with the environment variables.
>
> This works as expected:
>
> $ TCPREMOTEIP=192.168.0.1 /usr/bin/env TCPREMOTEIP=127.0.0.1 bash -c 'echo $TCPREMOTEIP'
> 127.0.0.1
>
> So, Occam's razor suggests either: the server wasn't restarted; or, wrong
> server instance (since you have multiple instances, I believe).
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
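The thread describes masking the submitting client's address by overriding TCPREMOTEIP/TCPREMOTEHOST with /usr/bin/env, and notes the remaining caveat that the client's EHLO name is still echoed into the header. The following is an added example, not code from the thread or from the Courier project: a small checker that parses a delivered message's Received: headers, picks out the hop written by your own MSA (so Received: lines forged by the submitting client are ignored), and reports whether the recorded address is still the real client IP and whether the EHLO name is an address literal that leaks it anyway. The hostnames, addresses and sample messages are constructed for the example; the "from <helo> ([ip])" / "from <helo> (<rdns> [ip])" shape the parser accepts is an assumption about the header format, so adjust the regex if your server writes something different.

```python
"""Check whether the MSA's Received: hop exposes the submitting client's IP,
and whether the client's EHLO name leaks it even when the hop is masked."""
import email
import ipaddress
import re
from email import policy

# Assumed header shape: "from <helo> ([<ip>])" or "from <helo> (<rdns> [<ip>])".
FROM_RE = re.compile(
    r"^from\s+(?P<helo>\S+)(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)
BY_RE = re.compile(r"\bby\s+(?P<by>[^\s;()]+)", re.IGNORECASE)


def as_ip(text):
    """Parse a bare address or an SMTP address literal ([1.2.3.4], [IPv6:...]).
    Returns an ip_address object, or None if the text is a hostname."""
    text = text.strip("[]")
    if text.lower().startswith("ipv6:"):
        text = text[5:]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_received(value):
    """Split one Received: value (folded or not) into helo, rdns, ip and by."""
    value = " ".join(str(value).split())  # unfold and normalise whitespace
    m_from = FROM_RE.match(value)
    m_by = BY_RE.search(value)
    return {
        "helo": m_from.group("helo") if m_from else None,
        "rdns": m_from.group("rdns") if m_from else None,
        "ip": m_from.group("ip") if m_from else None,
        "by": m_by.group("by") if m_by else None,
    }


def msa_hop(raw_message, msa_host):
    """Return the parsed Received: header written by msa_host, or None.
    Received: headers are prepended, so the last one claiming 'by msa_host'
    is the one added when the submission was accepted; anything below it was
    supplied by the client and is untrusted."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = [parse_received(v) for v in (msg.get_all("Received") or [])]
    ours = [h for h in hops if h["by"] and h["by"].lower() == msa_host.lower()]
    return ours[-1] if ours else None


def check_submission_privacy(raw_message, msa_host):
    """Classify the MSA hop: does the logged IP leak, and does the EHLO name?"""
    hop = msa_hop(raw_message, msa_host)
    if hop is None:
        return {"found": False}
    logged = as_ip(hop["ip"]) if hop["ip"] else None
    helo_ip = as_ip(hop["helo"]) if hop["helo"] else None
    return {
        "found": True,
        "helo": hop["helo"],
        "logged_ip": str(logged) if logged else hop["ip"],
        # Masked correctly only if the recorded address is loopback.
        "ip_leaked": logged is not None and not logged.is_loopback,
        # The EHLO argument is echoed verbatim, so an address-literal EHLO leaks.
        "helo_leaks_ip": helo_ip is not None and not helo_ip.is_loopback,
    }


# Constructed sample messages (not from the thread); hosts and addresses are
# hypothetical. Headers are folded, as a real message would carry them.
MSA = "mx.example.net"

BEFORE_FIX = """\
Received: from mx.example.net ([203.0.113.10])
  by inbox.example.org with ESMTP; Thu, 25 Sep 2014 19:30:00 -0400
Received: from jeffs-laptop.lan ([198.51.100.23]) (authenticated bits=0)
  by mx.example.net with ESMTPSA; Thu, 25 Sep 2014 19:29:58 -0400
From: jeff@example.net
To: someone@example.org
Subject: test

body
"""

# Same message after the env override: the MSA hop now records localhost.
AFTER_FIX = BEFORE_FIX.replace("jeffs-laptop.lan ([198.51.100.23])", "localhost ([127.0.0.1])")

# Masked hop, but the client sent an address literal as its EHLO name, and a
# forged Received: line (ignored, since it is not 'by' our MSA).
HELO_LEAK = BEFORE_FIX.replace(
    "jeffs-laptop.lan ([198.51.100.23])", "[192.168.1.42] ([127.0.0.1])"
).replace(
    "From: jeff", "Received: from forged.invalid ([10.0.0.1])\n  by relay.invalid with ESMTP\nFrom: jeff"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE_FIX), ("after", AFTER_FIX), ("helo literal", HELO_LEAK)):
        print(label, check_submission_privacy(raw, MSA))
```

Run it against a message you sent to yourself through the submission port after the PORT change: "ip_leaked" should go false for the hop written by your server, while "helo_leaks_ip" tells you whether the client (typically one behind NAT sending its own address as an EHLO literal) is still giving the address away, which is the part this configuration cannot mask.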