10 Apr 2025
Postfix: hiding the sender's IP and username in the e-mail
By default the sender's username and IP address appear in the e-mail, in the Received header that Postfix adds when it accepts the message on the submission port. This information can be hidden, and should be, because it is abused for attacks: the login name in particular hands an attacker a valid SASL username to guess passwords for.
- A concrete attack in the mail log (password guessing against the username that was exposed in the header):
Jan 27 00:10:21 myserver dovecot[87032]: auth-worker(73776): conn unix:auth-worker (uid=143): auth-worker<1>: sql(XtraExterminator,111.xx.xx.xx): Password mismatch
Jan 27 00:10:23 myserver postfix/submission/smtpd[73774]: warning: 111-xx-xx-xx.emome-ip.xx.net[111.xx.xx.xx]: SASL PLAIN authentication failed: (reason unavailable), sasl_username=XtraExterminator
- Header of a mail containing this information: the Authenticated sender field
[...]
Received: from [10.1.1.100] (pdxxxx.dip0.t-ipconnect.de [217.xxx.xxx.xxx])
(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
(No client certificate requested)
(Authenticated sender: XtraExterminator)
by myserver.de (Postfix) with ESMTPSA id 3898248D893
for <chris.b@example.com>; Sat, 25 Jan 2025 11:44:17 +0100 (CET)
[...]
- Remedy (thanks, askubuntu.com):
The standard solution is to use the header_checks option. This will work, however, if we filter Received lines on all mail both incoming and outgoing (as this will do), we could potentially lose Received headers on mail sent to us, which can be important for troubleshooting. To get around this problem, we will apply the header_checks only to the mail that could not possibly have been sent to us: mail that was sent to the submission port (you are using the submission port, aren't you?).
What we need to do is pass the cleanup_service_name option to the submission service so that we can set up a new cleanup service, “subcleanup.” The relevant section of /etc/postfix/master.cf might look like this:
submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o cleanup_service_name=subcleanup
Now we can pass the header_checks option to the new cleanup service. That part of /etc/postfix/master.cf might look like this:
cleanup unix n - - - 0 cleanup
subcleanup unix n - - - 0 cleanup
-o header_checks=regexp:/etc/postfix/submission_header_checks
Finally, we need to create the file /etc/postfix/submission_header_checks, which will contain the regex that filters offending Received header lines. Which regex you put in the file depends on whether you have smtpd_sasl_authenticated_header set.
If smtpd_sasl_authenticated_header is yes, then use:
/^Received:.*\(Authenticated sender:/ IGNORE
Otherwise, use:
/^Received:.*\(Postfix/ IGNORE
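To see what the two header_checks variants above actually do to a message, here is an added example (not from the askubuntu answer and not Postfix code) that parses the `/pattern/ ACTION` lines of such a regexp table and applies them to logical headers the way cleanup(8) does: each logical header (including its folded continuation lines) is matched against the rules in order, the first match decides, and IGNORE drops the whole header. The sample headers are constructed: the first is modelled on the submission Received header shown above, the second is a mail received from another site's Postfix; the IP addresses are RFC 5737 documentation addresses, and the names `mx.partner.example` and `info@partner.example` are assumptions. The second sample is there to show why the answer insists on a separate cleanup service for submission: the `\(Postfix` variant also matches the Received header of inbound mail.

```python
import re

# The header_checks file shown above, for smtpd_sasl_authenticated_header = yes ...
SUBMISSION_HEADER_CHECKS = "/^Received:.*\\(Authenticated sender:/ IGNORE\n"
# ... and the variant for installations without that setting.
PLAIN_HEADER_CHECKS = "/^Received:.*\\(Postfix/ IGNORE\n"

# Constructed sample headers (not from a real mailbox). SUBMITTED mirrors the
# Received header Postfix writes on the submission port; INBOUND is a mail that
# arrived from another site's Postfix. IPs are RFC 5737 documentation addresses.
SUBMITTED = (
    "Received: from [10.1.1.100] (pdxxxx.dip0.t-ipconnect.de [198.51.100.23])\n"
    "\t(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)\n"
    "\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)\n"
    "\t(No client certificate requested)\n"
    "\t(Authenticated sender: XtraExterminator)\n"
    "\tby myserver.de (Postfix) with ESMTPSA id 3898248D893\n"
    "\tfor <chris.b@example.com>; Sat, 25 Jan 2025 11:44:17 +0100 (CET)\n"
    "From: Chris <chris.b@example.com>\n"
    "Subject: submission test\n"
)
INBOUND = (
    "Received: from mx.partner.example (mx.partner.example [203.0.113.7])\n"
    "\tby myserver.de (Postfix) with ESMTPS id 0123456789AB\n"
    "\tfor <chris.b@example.com>; Mon, 27 Jan 2025 07:12:00 +0100 (CET)\n"
    "From: Partner <info@partner.example>\n"
    "Subject: inbound test\n"
)

RULE_RE = re.compile(r"^/(.+)/\s+(\S+)\s*$")


def parse_regexp_table(text):
    """Parse the simple '/pattern/ ACTION' lines of a Postfix regexp: table.

    Postfix compiles these as POSIX extended regexps that are case-insensitive
    by default and in which '.' also matches a newline, so one pattern can span
    the folded lines of a logical header; re.IGNORECASE | re.DOTALL reproduces
    that. Pattern flags and '!' negation are not handled by this toy parser.
    """
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule line: %r" % line)
        rules.append((re.compile(m.group(1), re.IGNORECASE | re.DOTALL),
                      m.group(2).upper()))
    return rules


def logical_headers(raw):
    """Group physical lines into logical headers: a line that starts with
    whitespace is a continuation (RFC 5322 folding) of the preceding header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers


def apply_header_checks(raw, rules):
    """Apply header_checks the way cleanup(8) does: every logical header is
    tested against the rules in order, the first match decides, and an IGNORE
    action drops that whole header (continuation lines included)."""
    kept = []
    for header in logical_headers(raw):
        action = next((act for rx, act in rules if rx.search(header)), None)
        if action != "IGNORE":
            kept.append(header)
    return "\n".join(kept) + "\n"


def leaked_identifiers(raw, username, client_ip):
    """Report which of the submitter's identifiers are still visible."""
    return {"username": username in raw, "client_ip": client_ip in raw}


if __name__ == "__main__":
    auth_rules = parse_regexp_table(SUBMISSION_HEADER_CHECKS)
    plain_rules = parse_regexp_table(PLAIN_HEADER_CHECKS)
    print("before:", leaked_identifiers(SUBMITTED, "XtraExterminator", "198.51.100.23"))
    cleaned = apply_header_checks(SUBMITTED, auth_rules)
    print("after: ", leaked_identifiers(cleaned, "XtraExterminator", "198.51.100.23"))
    # The "(Postfix" variant applied to inbound mail removes the relay's
    # Received header too, which is the troubleshooting loss the answer warns of.
    print("inbound, auth rule: ", "Received:" in apply_header_checks(INBOUND, auth_rules))
    print("inbound, plain rule:", "Received:" in apply_header_checks(INBOUND, plain_rules))
```

The point of the last two lines: with the `(Authenticated sender:` pattern an inbound Received header is left alone, so binding the table to the submission-only `subcleanup` service is belt and braces; with the `(Postfix` pattern it is essential, because that pattern matches every Received header your own server writes, inbound ones included.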
- Now this information is hidden:
[...]
Received: from myserver.de (81.xx.xx.xx) by
DBxxxx.mail.protection.outlook.com (10.xx.xx.xx) with Microsoft
SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.xx.xx.14
via Frontend Transport; Mon, 27 Jan 2025 06:32:18 +0000
[...]
- It turned out that this unfortunately helps only to a limited extent.