On Mon, 2010-05-17 at 11:05 -0400, W B Hacker wrote:
> Ron White wrote:
> > On outbound mail I've noticed this header that, for my needs, is 'a bit
> > too much detail' insofar as revealing the internal IP of the client:
> >
> > Received: from munged.com ([x.x.x.x]:52225
> > helo=[192.168.5.x]) by host.munged.com with esmtpsa
> > (TLSv1:AES256-SHA:256) (Exim 4.71) (envelope-from
> > <[email protected]>) id 1ODwx4-0000zG-Oy for
> > [email protected]; Mon, 17 May 2010 10:49:34 +0100
> >
> >
> > What is the best approach to removing the header line detailing from
> > outbound smtpa/esmpta but not removing similar items from inbound? I've
> > had a quick look at filters and 'remove_header' but before I get bogged
> > down in this I would like a reassuring 'that's the right way to go'
> > nudge :-)
> >
> >
>
> The purely technical answer would be to apply [selective] header-stripping to
> [one-of] the 'outbound' remote_dns delivery router/transport sets.
>
> 'Selective' in that you can use a conditional on a sender, destination,
> content, added X-header, acl_m ... or any of many other detectable
> characteristics to apply the strip to some subset of all traffic.
>
> 'one-of' driven by the above selection criteria.
>
> The broader answer is that this removes information of value in
> troubleshooting or providing such small measure of affirming end-to-end
> message authenticity as smtp has to offer (eg - not much). IOW - makes it
> harder for you to deny you have been spoofed.
>
> After all, if you can and do remove or alter such information, your server no
> longer has a claim to credible headers of any other kind.
>
> Selective credibility is like selective virginity. Rare.
>
> In any case, hiding the initial-attach IP doesn't really remove a great deal
> of information of value to an entity interested in determining where - or if
> and when - you physically sat when you sent the message. There are far better
> means for that, and you generally won't be able to detect them anyway.
>
> HTH,
>
> Bill
>

Thanks for the reply Bill. The key bit I want to remove is the internal IP address (192.x.x.x). This is really unwelcome in outbound mail and serves no useful purpose other than to potentially identify a host behind a firewall/nat device - this I could do from the logs without letting *the world* know details of the lan host.

I appreciate that it has its useful places and in part it comes down to how the client HELO's, but it's a bit of a privacy issue for me. The external IP I have no issue with - just the LAN client showing up.

From a troubleshooting perspective logging gives me what I need :-) And very good logging it is too may I add!

So I guess I can do this in the accept authenticated * acl stanza somehow? I'll look into it and see how far I get.

Thanks again.

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
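A check for the leak discussed in this thread, as an added example that is not part of the original messages: it scans a message's Received headers for RFC 1918 addresses, so a sample of outbound mail can be tested before and after any header change. The sample message, host names, addresses and message ids are constructed.

```python
import ipaddress
import re
from email import message_from_string

# RFC 1918 ranges, listed explicitly: ipaddress.is_private would also flag
# documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Dotted quads anywhere in the header value: [a.b.c.d], helo=[a.b.c.d], ...
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_lan_address(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:          # e.g. 999.1.1.1 is not an address
        return False
    return any(addr in net for net in RFC1918)


def find_internal_leaks(raw_message):
    """Return (hop, address) pairs; hop 0 is the topmost Received header."""
    msg = message_from_string(raw_message)
    leaks = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        unfolded = " ".join(value.split())   # collapse header folding
        for candidate in IPV4_RE.findall(unfolded):
            if is_lan_address(candidate):
                leaks.append((hop, candidate))
    return leaks


# Constructed sample modelled on the header quoted in the thread.
SAMPLE = (
    "Received: from mx.example.net ([198.51.100.9]) by mail.example.org\n"
    "\twith esmtp (Exim 4.71) id 1AAAAA-000000-00;\n"
    "\tMon, 17 May 2010 10:49:40 +0100\n"
    "Received: from client.example.com ([203.0.113.7]:52225\n"
    "\thelo=[192.168.5.23]) by host.example.com with esmtpsa\n"
    "\t(TLSv1:AES256-SHA:256) (Exim 4.71) id 1BBBBB-000000-00;\n"
    "\tMon, 17 May 2010 10:49:34 +0100\n"
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    for hop, addr in find_internal_leaks(SAMPLE):
        print(f"Received hop {hop} exposes LAN address {addr}")
```

Only Received headers are inspected; the message body and other headers are ignored.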
