Hi,
Am 03.01.2022 um 20:08 schrieb dc-ml@dvl.werbittewas.de:
@others: due to the importance of it for us, I'm currently trying to implement it, but because that's my first deeper view in dovecots code, maybe I'll need some help. the patch for 2.3.17.1 is attached.
please let me know, if you're integrating it, because then I'll send the patch for the old version to the devuan/debian-maintainers for integration, so that we can update normally again.
Thanks for implementing a patch to be more privacy-aware!
In Postfix many privacy-friendly submission servers do the following:
======================================= header_checks = pcre:/etc/postfix/header_checks
/^Received: from .*? \([\w-.]* \[.*?\]\)(.*)/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$1 /^User-Agent:/ IGNORE /^X-Enigmail:/ IGNORE /^X-Mailer:/ IGNORE /^X-Originating-IP:/ IGNORE /^X-PHP-Originating-Script:/ IGNORE
The Received-Header is still there, so you can see the receiving server and the date+time of the server, but the IP address has been anonymized by replacing it with 127.0.0.1, so the format of the Received:-line is still valid for parsers.
And some fingerprintable headers have been removed, because an "X-Mailer" or "User-Agent" could tell the recipients if you are at work or at home for example, or they could learn that you use an outdated vulnerable MUA... It would be cool if the Dovecot-submission-server would also be able to remove headers like the ones above (or for example "X-Authenticated" which sometimes contains IP addresses or auth-usernames...).
Michael