[Tickets #13041] Re: Possibility to disable the Received from ... (Horde Framework) with HTTP header line injection to the e-Mail header lines.

noreply at bugs.horde.org noreply at bugs.horde.org
Tue Mar 18 20:30:13 UTC 2014


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/13041
------------------------------------------------------------------------------
  Ticket             | 13041
  Updated By         | klaus at tachtler.net
  Summary            | Possibility to disable the Received from ... (Horde
                     | Framework) with HTTP header line injection to the
                     | e-Mail header lines.
  Queue              | Horde Framework Packages
  Version            | Git master
  Type               | Enhancement
  State              | Rejected
  Priority           | 2. Medium
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


klaus at tachtler.net (2014-03-18 20:30) wrote:

>> is there a possibility, or could this be realized, to disable the
>> Received from ... (Horde Framework) with HTTP ... header line
>> injection to the e-Mail header lines.
>
> This is a terrible idea.  It is explicitly prohibited against RFCs.

Maybe there is a misunderstanding, or my first description of my problem
was not so good.

I don't want to disable ALL Received: from lines, only the first line,
which inserts the Horde Framework HTTP header line from the
client/Desktop PC.

In Roundcube or in LotusNotes you can configure this, to hide the
client/Desktop PC Received: from line!

I remember that the Received: from line for the sender MTA must be in
the header lines, but not from which client/Desktop PC the e-Mail was
sent to the first MTA.

>> This could be good for security reason, because sometime I use a
>> browser at a place, and I don't want to get lines like the following
>> in my e-Mail-Header:
>
> If you are worried about privacy, then don't send e-mail messages.

If you are worried about dying while you cross the street, do you stop walking?

> Otherwise, if you remove those headers, it becomes a security issue  
> from the *recipient's* side, since they can no longer effectively  
> track the message in the case of abuse.  So these headers are for  
> the benefit of the recipient, not the sender.  You start removing  
> tracking headers and you become at risk of being put on various  
> RBLs, for example.

No, I think that the sender MTA must be reachable for abuse, not the
client/desktop PC!

With postfix header_checks, I realized "header stripping" for that
line, but I think when Roundcube and other client software/webmailer
could do this, why not Horde too?

Thank you, hope we can discuss this, and sorry if I didn't explain
my problem very well in my first post.

Klaus.
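
To make concrete which trace line the message above is about, here is an added example (not part of the ticket and not Horde's code) that parses the Received: chain of a constructed message and marks the hop written by the webmail front end, identified by the "(Horde Framework) with HTTP" wording from the ticket summary, apart from the hops added by MTAs. The sample message, host names and addresses are constructed placeholders, and the exact header layout is an assumption.

```python
import email
import re

# Constructed sample (not from the ticket). The newest trace line comes
# first, because each handler prepends its own Received: header.
RAW = (
    "Received: from webmail.example.net (webmail.example.net [198.51.100.7])\n"
    "\tby mx.example.org (Postfix) with ESMTPS id 4F1A2B3C9D\n"
    "\tfor <bob@example.org>; Tue, 18 Mar 2014 20:30:15 +0000 (UTC)\n"
    "Received: from desktop.example.com (desktop.example.com [203.0.113.25])\n"
    "\tby webmail.example.net (Horde Framework) with HTTP;\n"
    "\tTue, 18 Mar 2014 20:30:13 +0000\n"
    "From: alice@example.net\n"
    "To: bob@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# from <src> ... [<ip>] ... by <by> ... with <proto>
HOP = re.compile(
    r"from\s+(?P<src>\S+)(?:.*?\[(?P<ip>[^\]]+)\])?"
    r".*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z]+)"
)

def trace_hops(raw):
    """Return the Received: hops oldest-first as dicts."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        m = HOP.search(flat)
        if not m:
            continue
        hop = m.groupdict()
        hop["proto"] = hop["proto"].upper()
        # The hop the ticket discusses: written by the webmail itself, so
        # its "from" is the browser's machine rather than a mail server.
        hop["via_webmail"] = hop["proto"] == "HTTP" and "(Horde Framework)" in flat
        hops.append(hop)
    hops.reverse()
    return hops

if __name__ == "__main__":
    for h in trace_hops(RAW):
        kind = "client -> webmail" if h["via_webmail"] else "MTA hop"
        print(f'{kind}: {h["src"]} [{h["ip"]}] by {h["by"]} with {h["proto"]}')
```

On the sample, the oldest hop is the only one that names the sender's desktop address; the later hop names only the webmail server as the submitting host.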




