Sv: patch: make received-header on submission optional or optionally drop the from-part in it

Michael Peddemors michael at linuxmagic.com
Wed Jan 5 18:44:28 UTC 2022 

Bad recommendation, it WILL affect delivery if you start removing trace 
fields.. (and not going to talk GDPR on list further ;)

On 2022-01-05 10:27 a.m., Sebastian Nielsen wrote:
> MUA/browser based things are not considered be in scope for GDPR unless they are truly unique.
> So you do NOT need to hide user-agent/MUA for privacy reasons.
> 
> Received lines is only applicable (in scope for GDPR) if they identify the end user. A good solution to this would be to just scrap every received-line EXCEPT for the received line *immediately* before receiving the mail (which will be the remote server connecting).
> This will guaranteed protect against mail providers that DO insert their end user IP or client IP as a Received line.
> 
> Example:
> 
> If 123.222.123.222 connects to us and sends an email, and you have the following received lines:
> 
> Received: from 127.0.0.1 (localfw-mailscanner) bablabla
> Received: from 23.34.56.33 (spamscanner.someservice.com) blablabla
> Received: from 123.222.123.222 (remote.mailserver.com) blablabla
> Received: from 99.99.99.99 (somecustomer.someisp.com) blabla
> Received: from 192.168.1.100 (somerouter.atsomecustomer.local) blabla
> 
> Then you scrap the 2 earliest, so you are left with:
> 
> Received: from 127.0.0.1 (localfw-mailscanner) bablabla
> Received: from 23.34.56.33 (spamscanner.someservice.com) blablabla
> Received: from 123.222.123.222 (remote.mailserver.com) blablabla
> 
> 
> For X-PHP-Originating-Script I don't think you need to hide that unless it contains the IP of the web user submitting the form. Same applies here, if someone sets up a server, they have automatically consented to the processing of personal details, since they publish things.
> 
> 
> -----Ursprungligt meddelande-----
> Från: dovecot-bounces at dovecot.org <dovecot-bounces at dovecot.org> För Michael Kliewe
> Skickat: den 5 januari 2022 17:25
> Till: dovecot at dovecot.org
> Ämne: Re: patch: make received-header on submission optional or optionally drop the from-part in it
> 
> Hi,
> 
> Am 03.01.2022 um 20:08 schrieb dc-ml at dvl.werbittewas.de:
>>> @others: due to the importance of it for us, I'm currently trying to
>>> implement it, but because that's my first deeper view in dovecots
>>> code, maybe I'll need some help.
>> the patch for 2.3.17.1 is attached.
>>
>> please let me know, if you're integrating it, because then I'll send
>> the patch for the old version to the devuan/debian-maintainers for
>> integration, so that we can update normally again.
>>
> Thanks for implementing a patch to be more privacy-aware!
> 
> In Postfix many privacy-friendly submission servers do the following:
> 
> =======================================
> header_checks = pcre:/etc/postfix/header_checks =======================================
> /^Received: from .*? \([\w-.]* \[.*?\]\)(.*)/
>           REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$1 /^User-Agent:/ IGNORE /^X-Enigmail:/ IGNORE /^X-Mailer:/ IGNORE /^X-Originating-IP:/ IGNORE /^X-PHP-Originating-Script:/ IGNORE =======================================
> 
> The Received-Header is still there, so you can see the receiving server and the date+time of the server, but the IP address has been anonymized by replacing it with 127.0.0.1, so the format of the Received:-line is still valid for parsers.
> 
> And some fingerprintable headers have been removed, because an "X-Mailer" or "User-Agent" could tell the recipients if you are at work or at home for example, or they could learn that you use an outdated vulnerable MUA... It would be cool if the Dovecot-submission-server would also be able to remove headers like the ones above (or for example "X-Authenticated" which sometimes contains IP addresses or auth-usernames...).
> 
> Michael
> 
> 



-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

More information about the dovecot mailing list