[horde] Supress Received: header added by Horde?
Rick Romero
rick at havokmon.com
Thu Nov 14 15:55:33 UTC 2019
Quoting Rick Romero <rick at havokmon.com>:
> Quoting Arjen de Korte <build+horde at de-korte.org>:
>
>> Citeren Frank Richter <frank.richter at hrz.tu-chemnitz.de>:
>>
>>> Hello,
>>>
>>> for privacy reasons we would like to suppress the Received: header
>>> added by Horde/IMP
>>
>> This is not a good idea.
>>
>>> Received: from XXX by xxx.tu-chemnitz.de (Horde Framework)
>>> with HTTPS; Thu, 14 Nov 2019 13:16:58 +0100
>>>
>>> At least we'd like to suppress the host/IP of the sending host in
>>> the header.
>>
>> See https://lists.horde.org/archives/imp/Week-of-Mon-20071126/048125.html
>>
>> You can probably filter out this line in your mailserver, but you
>> really shouldn't. If one of your user accounts is compromised,
>> you'll want to know which one.
>>
>>> Is there any way to configure this?
>>>
>>> Regards,
>>> Frank
>
> I manually yoink it everytime I upgrade Horde. Since I use SMTP
> Auth, and mask the credentials via the SMTP Server, the Horde Header
> is redundant and leaks too much info.
>
> My notes say:
>
> Fix SMTP Received:
> vi /usr/share/php/Horde/Mime/Headers.php (now
> /usr/share/php/HordeMime/Headers/Deprecated.php
>
> in function public function addReceivedHeader(
> // $this->addHeader('Received', $received);
>
> Looks like it's now the $this->_headers->addHeaderOb(new
> Horde_Mime_Headers_Element_Multiple(
> that you'll have to remove
>
> Rick
I should add before purists go on the attack, that I do add the remote
IP (masked) via custom headers. Not that I ever need or use it, but
it's still there.
The primary issue is that the Horde Received: header is readable by
everyone, and we only want it to be easily readable by the ESP.
Rick
More information about the horde
mailing list