We've recently added an Exim-based (MailCleaner) MTA in our DMZ that sends and receives email to and from our LAN email server. It works great, but I'm a little wary of one of the headers it places in outgoing messages sent to external recipients.
Specifically, its the 'Received' header for the delivery from our LAN email server to the MTA in the DMZ, and it looks like:
Received: from [192.168.XX.XX] (helo=mailserver.localdomain.local) by mail.senderdomain.com stage1 with esmtp with id SomeMessageID for <[email protected]> from sendername <[email protected]>; Tue, 24 Nov 2009 13:06:58
Where 192.168.XX.XX is the DMZ interface of the LAN mail server, localdomain.local is our LAN domain name, and senderdomain.com is the externally-resolvable domain name for our organization.
Is it possible to modify this header so it doesn't divulge our local domain name and DMZ address range on every outgoing message? I assume we can't simply remove it, since out of the several 'Received' headers in the delivered messages I've been able to examine it's the only line that contains the 'from Sendername ' portion identifying the sender's email address in our organization.
Any hints about how to modify or mask this would be appreciated.
The content of the
Received:
header is defined in Exim by the configuration optionreceived_header_text
. The default setting, from which you can see how your example is constructed, is:As for changing or remove the header. Beware some best practice advice lies ahead..
Are you sure that you want to remove this information? It's presence allows you to track abuse reports much more easily. The exposure of your internal IP addresses is actually of fairly limited risk.
Technically you can remove this first received header by using
headers_remove
but it's certainly not RFC friendly and there is a chance of creating mail loops.If you must mask the information then you would be best to do so by modifying
received_header_text
. For maintainability and the principle of least surprise, even if the MTA isn't performing any other functions, you probably want to make your changes as specific as possible. This would involve putting some additional conditions in thoseif
statements for facts that you know will always be true, such as whether the sender has authenticated themselves.