On Monday 20 Aug 2012 14:55:41 Charlie Brady wrote:
> On Sun, 19 Aug 2012, Devin Carraway wrote:
> > This was reported as Debian bug#684571 (http://bugs.debian.org/684571):

> The patch does more than just excise the "comment". It also removes the
> auth information, for privacy/security reasons. Ditto for the encryption
> "comment", which has just been deleted, rather than added another way -
> e.g. using a suffix rather than infix "comment" as Exim appears to do:
...snips..
> 
> The proposed Debian patch shouldn't be applied as-is, at least not
> without discussion.

Thanks to you both for commenting.  I'm the original reporter and patch 
author, and I'd be satisfied if you wanted to amend the patch for the 
encryption parameters.  My opinion is that they don't need to go in the 
headers - the presence of Received: ... with (E)SMTPS(A) is all that a 
recipient needs to know about the connection.  The encryption details are 
only of real interest to the administrator, who should have them in his 
logs.  But as well as that, removing them entirely was a bit of a lazy way 
out for me rather than researching what all $OTHER_MTAs do.

The authentication details, on the other hand, I think should be removed.  
Google will show you many pairs of (server,auth-username) archived on the 
web as a result of authenticated emails being sent to mailing lists via 
qpsmtpd.

<http://www.google.co.uk/search?num=100&q=%22smtp-auth+username%22+%22mechanism%22>

I don't see it as a good idea to give attackers free information about what 
accounts are valid on what servers.  Again, all that a recipient needs to 
know is encapsulated in the "with (E)SMTP(S)A" clause of the header.

Nick
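
An added example, not part of the message above or of the qpsmtpd code base: a Python check a mail administrator could run over stored messages to find Received headers that expose the authenticated username, showing each header with that comment removed while the "with (E)SMTP(S)A" clause is kept. The comment layout `(smtp-auth username USER, mechanism MECH)` is an assumption built from the two phrases in the search query above; the function name `audit_received` and the sample message are constructed.

```python
import re
from email import message_from_string
from email.policy import compat32

# Assumed layout of the infix comment (built from the search-query phrases):
#   (smtp-auth username <user>, mechanism <mech>)
AUTH_COMMENT = re.compile(
    r"\(\s*smtp-auth\s+username\s+(?P<user>[^,()\s]+)\s*,"
    r"\s*mechanism\s+(?P<mech>[^()\s]+)\s*\)\s*",
    re.IGNORECASE,
)
# The protocol keyword that remains after redaction, e.g. ESMTPA or ESMTPSA.
WITH_CLAUSE = re.compile(r"\bwith\s+(E?SMTPS?A?)\b", re.IGNORECASE)


def audit_received(raw_message):
    """Return one finding per Received header that exposes an auth username."""
    msg = message_from_string(raw_message, policy=compat32)
    findings = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        unfolded = " ".join(value.split())  # undo RFC 5322 header folding
        match = AUTH_COMMENT.search(unfolded)
        if not match:
            continue
        with_match = WITH_CLAUSE.search(unfolded)
        findings.append({
            "hop": hop,  # 0 is the topmost (most recent) Received header
            "username": match.group("user"),
            "mechanism": match.group("mech"),
            "with": with_match.group(1).upper() if with_match else None,
            "redacted": AUTH_COMMENT.sub("", unfolded),
        })
    return findings


# Constructed sample message; hosts, addresses and version are placeholders.
SAMPLE = (
    "Received: from laptop.example.org (HELO laptop) (192.0.2.10)\n"
    "    (smtp-auth username alice, mechanism cram-md5)\n"
    "    by mail.example.org (qpsmtpd/0.00) with ESMTPSA;\n"
    "    Mon, 20 Aug 2012 14:00:00 +0100\n"
    "Received: from relay.example.net (192.0.2.20)\n"
    "    by list.example.com with ESMTP; Mon, 20 Aug 2012 14:00:05 +0100\n"
    "From: alice@example.org\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for finding in audit_received(SAMPLE):
        print(finding)
```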
