[imp] RFC 822 - Security hole???
jlewis at lewis.org
jlewis at lewis.org
Fri Jan 10 19:59:55 PST 2003
On Sat, 11 Jan 2003, G G Papazoglou wrote:
> > I thought the whole purpose of mail headers was so that you *could* trace
> > back where a message came from (assuming that the headers not faked).?
>
> You are right. After all, trace fields of a header are defined by RFC
> 822 for this purpose. The thing is, if a message is sent properly by
> my Webmail server, I don't want the machines before this machine to be
> known. I want only my final server (ie. the Webmail server)
> sending the message to appear.
I have a setup in which I do need to mask the actual web browser's address
in the message header for certain virtual domain users (don't ask...it's
probably not whatever you think) and made the change in IMP's compose.php.
Here's a partial diff to give you an idea of what I did. blah.com (used
as an example) is the domain of the virtual domain whos users need
privacy.
--- ../../horde-2.1/imp/compose.php Wed Jun 5 18:49:02 2002
+++ compose.php Sat Aug 10 00:55:01 2002
@@ -746,13 +746,18 @@
// add a Received header for the hop from browser to server.
$remote = (!empty($HTTP_SERVER_VARS['REMOTE_HOST'])) ? $HTTP_SERVER_VARS['REMOTE_HOST'] : $HTTP_SERVER_VARS['REMOTE_ADDR'];
+// privacy hack
+ if ( preg_match("/blah\.com/", $imp['user']) ) {
+ $headers['Received'] = 'from ' . $imp['user'];
+ }
+ else {
$headers['Received'] = 'from ' . $remote . ' (';
if (!empty($HTTP_SERVER_VARS['REMOTE_IDENT'])) $headers['Received'] .= $HTTP_SERVER_VARS['REMOTE_IDENT'] . '@' . $remote;
$headers['Received'] .= ' [' . $remote . '])';
----------------------------------------------------------------------
Jon Lewis *jlewis at lewis.org*| I route
System Administrator | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
More information about the imp
mailing list