Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides


Author: mandrei99
Post subject: Postfix MTA - How to hide real ip in mail headers.  |  Posted: Mon Jan 19, 2015 7:24 pm


Postfix MTA - How to hide real ip in mail headers.

This is a common problem for companies, especially when they want a degree of anonymity that protects their services from denial-of-service attacks. Every CDN out there offers anonymity and protection for web services, meaning HTTP and HTTPS, but not for mail services.

This means that all your web clients will connect to the CDN edge servers and these servers provide the content. If your website is under attack, the CDNs take the hit (and some of them charge you).

When it comes to inbound mail services, you can protect your organization by using Gmail, Outlook or other hosted services. But outbound mail is different. Why?

Because, by default, each SMTP relay server (MTA, mail transfer agent) adds a line to the MIME header that ends up unmasking your SMTP server's IP address (public, reachable via the Internet, or private), which can show internal traceroute-like information to malicious parties. You can see these lines by choosing to show the original message or show the headers in pretty much every web interface and mail client. Here is an example:
Code:
Received: from [192.168.3.103] (unknown [192.168.3.103])

These headers reveal the client IP address (mail user agent) if the user is sending with Thunderbird or Apple Mail, and they also reveal the SMTP servers in your organization's network.

Enterprises should be cautious and require this as a mandatory feature when choosing an SMTP relay provider (to hide the organization's public IP that relays mail to the provider's servers for further distribution), and should also do this at their own edge.

Postfix can filter MIME headers based on regular expressions using the "header_checks" content inspection feature.



See the header_checks(5) man page for more on "header_checks".

Open the Postfix configuration file "main.cf" (on Linux, /etc/postfix/main.cf) and add the following line:
Code:
header_checks = regexp:/etc/postfix/header_checks.conf


Now open the header_checks configuration and add one or all of the following lines:
Code:
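# Loopback
/^Received:.*\[127\.0\.0\.1/      IGNORE
# RFC 1918: 10.0.0.0/8
/^Received:.*\[10\.[0-9]+\.[0-9]+\.[0-9]+/ IGNORE
# RFC 1918: 192.168.0.0/16
#/^Received:.*\[192\.168\.[0-9]+\.[0-9]+/      IGNORE
# RFC 1918: 172.16.0.0/12 (second octet 16 to 31)
#/^Received:.*\[172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+/      IGNORE
# Every Received: line
#/^Received:.*/ IGNORE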


With the first four patterns, Postfix removes MIME header lines recorded for messages sent from loopback or from the RFC 1918 private IP address ranges (usually used in enterprise networks).
The fifth pattern instructs an edge SMTP server running Postfix to delete every line that records an SMTP hop from the MIME header before sending the message on; if an SMTP relay service is used, this should be performed at their edge as well.
Depending on the level of anonymity required, the filters can be configured to be less restrictive.

The final step to activate these mail header filters in Postfix is to restart the service.
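To see what the private-range patterns remove and what they leave visible, the following added example (not part of the original post) replays header_checks-style IGNORE rules over a constructed set of folded Received: headers. Python's re module stands in for Postfix's regexp: tables, and the sample hosts, addresses and function names are assumptions made for the illustration.

```python
import re
# Assumption: Python's re stands in for Postfix's regexp: table engine; IGNORECASE
# and DOTALL approximate its defaults ("." also spans folded header lines).
FLAGS = re.IGNORECASE | re.DOTALL
OCTET = r"[0-9]+"  # a bare "[0-9]" would miss octets such as the 20 in 10.20.30.40
RULES = [re.compile(p, FLAGS) for p in (
    r"^Received:.*\[127\.0\.0\.1",
    rf"^Received:.*\[10\.{OCTET}\.{OCTET}\.{OCTET}",
    rf"^Received:.*\[192\.168\.{OCTET}\.{OCTET}",
    rf"^Received:.*\[172\.(1[6-9]|2[0-9]|3[01])\.{OCTET}\.{OCTET}",
)]
# Constructed sample headers (made-up hosts, documentation addresses).
SAMPLE = (
    "Received: from mail.example.net (mail.example.net [203.0.113.25])\n"
    "\tby mx.example.org with ESMTP id C3\n"
    "Received: from [192.168.3.103] (unknown [192.168.3.103])\n"
    "\tby mail.example.net with ESMTPSA id B2\n"
    "Received: from app01 (app01.corp.example\n"
    "\t[10.20.30.40]) by relay.corp.example with ESMTP id A1\n"
    "Received: from localhost (localhost [127.0.0.1]) by app01\n"
    "Received: from gw (gw.example.net [172.32.0.9]) by mail.example.net\n"
    "From: user@example.net\n"
)

def logical_headers(raw):
    """Join folded continuation lines so each header is matched as one unit."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += "\n" + line
        elif line:
            out.append(line)
    return out

def apply_ignore(raw):
    """Return (kept, dropped); a header matching any rule is dropped, as IGNORE does."""
    kept, dropped = [], []
    for hdr in logical_headers(raw):
        (dropped if any(r.search(hdr) for r in RULES) else kept).append(hdr)
    return kept, dropped

def remaining_ips(kept):
    """Bracketed IPv4 literals still visible in the surviving Received: headers."""
    return [ip for h in kept if h.lower().startswith("received:")
            for ip in re.findall(r"\[(\d+\.\d+\.\d+\.\d+)\]", h)]

if __name__ == "__main__":
    kept, dropped = apply_ignore(SAMPLE)
    print(f"dropped {len(dropped)}; still visible: {remaining_ips(kept)}")
```

The hops carrying public addresses survive the private-range rules, so the relay's own IP stays visible unless the catch-all pattern is enabled. On the server itself, `postmap -q "Received: from [192.168.3.103] (unknown [192.168.3.103])" regexp:/etc/postfix/header_checks.conf` prints the action a given header would trigger.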




