Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#1676 closed Feature/Enhancement Request (fixed)

Senders' IP is available in outgoing messages

Reported by: Owned by:
Priority: Medium Component: Tech
Keywords: email, smtp Cc:
Sensitive: no


Hi there,

It looks like your SMTP server adds a header for outgoing mail sent through it that records the IP address of the sender's client machine. It even looks like it adds the internal IP address of the machine! This seems to me like dangerous information leakage for an activist mailhost. However, maybe this issue has been discussed and it's a conscious decision? If not, please consider this a formal request not to log that info on outgoing mail.

Change History (5)

comment:1 Changed 10 years ago by

It hasn't been discussed - so thanks for raising it.

I don't think they are any reasonable arguments for keeping that information in the headers of outgoing messages. However - a note to any MFPL members reading this ticket: there are a lot of other ways to trace where a message is sent from - so I don't to give anyone a false sense of security either!

For us, there are two distinct scenarios we should address:

  • Messages sent via webmail
  • Messages sent via authenticated STMP (in other words, for users sending via a desktop email program like Thunderbird).

Riseup has a fix specifically dealing with the second scenario (scroll down to the Postfix 2.3 part). I think that fix can also be applied to webmail without much hassle. The trick is properly writing a pcre line matching our servers.

I think we would want to add to our /etc/postfix/ on the webmail server and all standard servers that handled authenticated smtp:

header_checks = pcre:/etc/postfix/header_checks.pcre

And then add a file /etc/postfix/header_checks.pcre.

riseup offers the following pcre ($HOSTNAME\.$DOMAIN\.$TLD should be changed to the domain of the machine in question):

/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\)).*\(Authenticated sender: ([^)]+)\).*by ($HOSTNAME\.$DOMAIN\.$TLD) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/
  REPLACE Received: from [] (localhost []) (Authenticated sender: $2) with $5 id $6 

Here are examples of my lines to match:

  • Sending from icedove:
    Received: from [] ( [])
            (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
            (No client certificate requested)
            (Authenticated sender:
            by (Postfix) with ESMTP id 6584868088
            for <>; Wed,  7 Jan 2009 09:20:51 -0500 (EST)
  • Sending from mutt (which uses a local postfix installation):
    Received: from (
            []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
            (No client certificate requested) (Authenticated sender:
   by (Postfix) with
            ESMTP id 2D6D88571E for <>; Wed,  7 Jan 2009 09:17:16
            -0500 (EST)
  • And here's the special case for our webmail server:
    Received: from
            ( []) by
            (Horde Framework) with HTTP; Wed, 07 Jan 2009 09:02:02 -0500

As far as I can tell - this should be safe to test - the worst case scenario is that it doesn't match and the original header is sent.

I'm going to leave this open for at least a day for comment before working on it.

comment:2 Changed 10 years ago by

This is now complete on our webmail server.

We had to match both horde and squirrelmail:

Received: from ( []) by (Horde Framework) with HTTP; Wed, 07 Jan 2009 09:02:02 -0500
Received: from (SquirrelMail authenticated user jmcclelland) by with HTTP; Wed, 14 Jan 2009 11:14:23 -0500 (EST)

So, I went with a relatively permissive match:

/^Received: from .*(by webmail\.mayfirst\.org.*with HTTP.*)$/
  REPLACE Received: from [] (localhost []) $1

comment:3 Changed 10 years ago by

Also - this requires the installation of the postfix-pcre package.

comment:4 Changed 10 years ago by

  • Resolution set to fixed
  • Status changed from new to closed

This has now been completed on all servers. Jon - can you test it and re-open if you still see IP addresses of the sender (and re-open if necessary).

comment:5 Changed 10 years ago by

Looks good. My only (very minor) comment is that it lists the authenticated sender (tying my e-mail address to my login) - seems like a minor information leakage compared to my IP address, but I wanted to put it out there.

Please login to add comments to this ticket.

Note: See TracTickets for help on using tickets.