[imp] RFC 822 - Security hole???

[jlewis at lewis.org]

On Sat, 11 Jan 2003, G G Papazoglou wrote:

> > I thought the whole purpose of mail headers was so that you *could* trace
> > back where a message came from (assuming that the headers not faked).?
> 
> You are right. After all, trace fields of a header are defined by RFC
> 822 for this purpose. The thing is, if a message is sent properly by
> my Webmail server, I don't want the machines before this machine to be
> known. I want only my final server (ie. the Webmail server)
> sending the message to appear.

I have a setup in which I do need to mask the actual web browser's address
in the message header for certain virtual domain users (don't ask...it's
probably not whatever you think) and made the change in IMP's compose.php.  
Here's a partial diff to give you an idea of what I did.  blah.com (used
as an example) is the domain of the virtual domain whos users need
privacy.

--- ../../horde-2.1/imp/compose.php     Wed Jun  5 18:49:02 2002
+++ compose.php Sat Aug 10 00:55:01 2002
@@ -746,13 +746,18 @@

          // add a Received header for the hop from browser to server.
          $remote = (!empty($HTTP_SERVER_VARS['REMOTE_HOST'])) ? $HTTP_SERVER_VARS['REMOTE_HOST'] : $HTTP_SERVER_VARS['REMOTE_ADDR'];
+// privacy hack
+  if ( preg_match("/blah\.com/", $imp['user']) ) {
+        $headers['Received'] = 'from ' . $imp['user'];
+  }
+  else {
          $headers['Received'] = 'from ' . $remote . ' (';
          if (!empty($HTTP_SERVER_VARS['REMOTE_IDENT'])) $headers['Received'] .= $HTTP_SERVER_VARS['REMOTE_IDENT'] . '@' . $remote;
          $headers['Received'] .= ' [' . $remote . '])';

 
----------------------------------------------------------------------
 Jon Lewis *jlewis at lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________