haraka / Haraka

A fast, highly extensible, and event driven SMTP server
https://haraka.github.io
MIT License

Strip or modify Received-header #1913

Closed bacbos closed 7 years ago

bacbos commented 7 years ago

I'm using Haraka as a private SMTP relay/gateway for some server applications, and am currently trying to hide the identity of these hosts (e.g. their hostname or IP should not show up in the headers).

I tried hooking into hook_mail as well as hook_pre_send_trans_email to alter or remove the headers (connection.transaction.remove_header()) but they seem to stick around.

Can this even be done or do I need to work with a clone and trigger a new email?

Thanks for any input, much appreciated.

smfreegard commented 7 years ago

You need to do it in hook_data_post (it's possible in hook_queue or hook_queue_outbound as well) using connection.transaction.remove_header().

It's not possible to remove headers in hook_mail as the message hasn't been sent yet - I've never tried to do it in hook_pre_send_trans_email, but I expect that hook isn't run for a message coming in over SMTP.

Finally - a word of caution, if you remove all Received headers, then you might make the message look like it was sent 'direct to MX' depending what other headers are present, and that might make your message be scored higher by anti-spam tests. I personally don't like the removal of Received headers for this purpose (I don't think it's necessary), they're meant as trace headers for a reason.

bacbos commented 7 years ago

> You need to do it in hook_data_post (it's possible in hook_queue or hook_queue_outbound as well) using connection.transaction.remove_header().

Perfect, this is working, thank you.

> Finally - a word of caution, if you remove all Received headers, then you might make the message look like it was sent 'direct to MX' depending what other headers are present, and that might make your message be scored higher by anti-spam tests. I personally don't like the removal of Received headers for this purpose (I don't think it's necessary), they're meant as trace headers for a reason.

Absolutely legit concern. We're currently facing some heavy DDoS and other attacks that we're trying to mitigate by hiding the identities of our servers behind Cloudflare. Unfortunately, some servers that send out mail can't be put behind a firewall and need a public WAN IP, thus stripping away the first Received header seems like a valid countermeasure.

I noticed that some systems generate their own message id that still contains the original hostname. Can the message id be forced / re-encoded by Haraka?

bacbos commented 7 years ago

Bump :)

> I noticed that some systems generate their own message id that still contains the original hostname. Can the message id be forced / re-encoded by Haraka?

msimerson commented 7 years ago

You have add and remove header features available to plugins by Haraka. If you think generating a new Message-ID for [a subset of] messages is appropriate, go ahead and do so.