Postfix MTA - How to hide real ip in mail headers.

This is a regular problem that companies are facing specially when they want a degree of anonimity that protects their services from being denial of service attacked.Every CDN network out there offers anonimity and protection for web services, this means HTTP and HTTPS, but not for mail services.

This means that all your web clients will connect to the CDN edge servers and these servers provide the content. If your website is under attack, the CDNs take the hit (and some of them charge you).

When it comes to inboud mail services, you can protect your organization by using gmail or outlook or other hosted services. But outbound mail is different. Why ?

Because, by default, each smtp reley server (MTA - mail transfer agent) will add a line in the mime header ending up to unmask your SMTP server's IP address (public - reachable via internet or private IP) that can show an internal traceroute like information to malicious parties. You can see them by opting to show the original message or show the hears in pretty much every web interface and mail client. Here is an example:

Code:

Received: from [192.168.3.103] (unknown [192.168.3.103])

These headers will reveal the client IP address (mail user angent) if he's using a Thunderbird or Apple mail and they will also reveal the smtp servers in your organization's network.

Enterprises should be cautious and require this as a mandatory feature when choosing an smtp relay provider (to hide your organization public IP that relays mail to their servers for further distribution) and also should do this at their edge.

Postfix can filter mime headers based on regular expressions using "header_checks" content inspection feature.

More on "header_checks" on postfix man page.

Open postfix configuration "main.cf" (in Linux - /etc/postfix/main.cf) and add the following line:

Code:

header_checks = regexp:/etc/postfix/header_checks.conf

Now open the header_checks configuration and add one or all of the following lines:

Code:

/^Received:.*\[127\.0\.0\.1/      IGNORE
/^Received:.*\[10\.[0-9]\.[0-9]\.[0-9]/ IGNORE
#/^Received:.*\[192\.168\.[0-9]\.[0-9]/      IGNORE
#/^Received:.*\[172\.[0-31]\.[0-9]\.[0-9]/      IGNORE
#/^Received:.*/ IGNORE

With the first 4 lines, postfix will filter mime header for lines containing messages sent from loopback or the RFC1918 range of private IP address subnets (usually used in enterprise networks).
The 5th line will instruct an edge smtp server running postfix to delete all lines defining smtp hops from the mime header before sending the message further - if an smtp relay service is used this should be performed at their edge also.
Depending on the level of anonimity, the filters can be configured to be less restrictive.

Final step to activate these mail header filters in postfix is to restart service.

Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

MTA, MUA, Qmail, Exchange, Exim, Postfix, Sendmail, Courier, Mirapoint, Vpopmail, pop3, smtp, imap