How to Obscure SMTP auth headers with IPv6
Posted: Wed Feb 24, 2010 10:32 am
The FreeBSD Diary and Riseup labs describe a way to anonymize the first “received from” header, which usually contains the IP address of the computer the mail was sent from. This information is removed by taking advantage of the “Authenticated sender” and the header_checks directive in Postfix.
The “Authenticated sender” is added when a user has been authenticated by the MTA through SASL and the directive smtpd_sasl_authenticated_header has been set to yes. The header_checks directive takes a file containing a regular expression which rewrites the header data and removes sensitive information.
This all works well – with IPv4. The regular expression posted on the pages mentioned above does not take IPv6 addresses into account; I modified it slightly to accept both IPv4 and IPv6 addresses.
Code:
/^Received: from (.* \(\[?[-._[:alnum:]]+\]? \[([\.0-9]{7,15}|IPv6[\:a-fA-F0-9]+)\]\))(.*)
\(Authenticated sender: ([^)]+)\)(.*)(by mx1\.example\.com) \(([^)]+)\) with (E?SMTPS?A?) id
([A-F[:digit:]]+)(.*)/ REPLACE Received: from smtp-auth.example.com (smtp-auth.example.com
[127.0.0.1]) (Authenticated sender: hidden)$5$6 ($7) with $8 id $9 $10
Note that this should be one single line.
Put this in a file, for example /usr/local/etc/postfix/obscure_smtp_auth, and add the following to your Postfix configuration (assuming you have SASL working).
Code:
header_checks = pcre:/usr/local/etc/postfix/obscure_smtp_auth
smtpd_sasl_authenticated_header = yes
The first header will now be rewritten, for both IPv4 and IPv6 clients, and will look something like this.
Code:
Received: from smtp-auth.example.com (smtp-auth.example.com [127.0.0.1]) 127.0.0.1 (Authenticated sender: hidden)
by mx1.example.com (Postfix) with ESMTPSA id 3677033C6F
for <[email protected]>; Wed, 10 Dec 2008 16:31:51 +0100 (CET)
instead of
Code:
Received: from [IPv6:2001:xxxx:xxxx:xxxx:xxxx:xxxx:fedd:7914] (unknown [IPv6:2001:xxxx:xxxx:xxxx:xxxx:xxxx::fedd:7914])
(Authenticated sender: [email protected])
by mx1.example.com (Postfix) with ESMTPSA id 3677033C6F
for <[email protected]>; Wed, 10 Dec 2008 16:31:51 +0100 (CET)
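A regression check for the rewrite described in this post, as an added example that is not part of the original post: it parses a delivered message and reports any client address (IPv4 or IPv6) or SASL login still present in the Received header that carries the “Authenticated sender” stamp. The function names, the sample messages, and the addresses 2001:db8::fedd:7914, 192.0.2.10, alice@example.com and bob@example.net are constructed for illustration.

```python
import email
import ipaddress
import re

# Address literals as Postfix prints them: [192.0.2.10] or [IPv6:2001:db8::1]
ADDR_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
AUTH_SENDER = re.compile(r"\(Authenticated sender: ([^)]+)\)")

def received_leaks(raw_message, allowed_ip="127.0.0.1", allowed_sender="hidden"):
    """List (kind, value) pairs still exposed in SASL-stamped Received headers."""
    leaks = []
    def report(kind, value):
        if (kind, value) not in leaks:          # the address appears twice per header
            leaks.append((kind, value))
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        if "(Authenticated sender:" not in flat:
            continue                            # not the authenticated submission hop
        for literal in ADDR_LITERAL.findall(flat):
            try:
                ip = str(ipaddress.ip_address(literal))
            except ValueError:
                continue                        # bracketed text that is not an address
            if ip != allowed_ip:
                report("client-ip", ip)
        for sender in AUTH_SENDER.findall(flat):
            if sender != allowed_sender:
                report("auth-sender", sender)
    return leaks

def sample(origin, sender):
    """Build a constructed test message shaped like the headers in the post."""
    return (f"Received: from {origin}\n"
            f"\t(Authenticated sender: {sender})\n"
            "\tby mx1.example.com (Postfix) with ESMTPSA id 3677033C6F\n"
            "\tfor <bob@example.net>; Wed, 10 Dec 2008 16:31:51 +0100 (CET)\n"
            "Subject: test\n\nbody\n")

# Constructed inputs: two unrewritten headers and one rewritten header
UNREWRITTEN_V6 = sample("[IPv6:2001:db8::fedd:7914] (unknown [IPv6:2001:db8::fedd:7914])",
                        "alice@example.com")
UNREWRITTEN_V4 = sample("[192.0.2.10] (unknown [192.0.2.10])", "alice@example.com")
REWRITTEN = sample("smtp-auth.example.com (smtp-auth.example.com [127.0.0.1])", "hidden")

if __name__ == "__main__":
    for name in ("UNREWRITTEN_V6", "UNREWRITTEN_V4", "REWRITTEN"):
        print(name, received_leaks(globals()[name]))
```

Run it against a message sent through the submission service from an IPv4 client and again from an IPv6 client; an empty list for both means the header_checks rule matched in each case.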