Axel Luttgens wrote:
On 16 Jul 09 at 23:05, Timo Sirainen wrote:
The SMTP servers' headers, sure. That's a pretty known issue. And maybe some even filter out some Received headers before going outside.
What shouldn't be allowed wrt RFC rules, unless I'm wrong: at any time, the user should be able to trace the path of a received message (an SMTP server MUST add a Received header, never remove or modify such a header).
Stripping "Received" headers at an outbound SMTP gateway to obscure internal server infrastructure is a common practice, and there is nothing wrong about it. It is of no concern to anybody which servers in a company LAN were involved before an email crosses over into the Internet, and if a mail administrator decides to deprive himself of debugging information, so be it. ;-)
Regarding Timo's question, I believe that disclosing host names to authenticated IMAP users is not a big security issue.
-R