I haven’t been able to find any particularly good guidance about this on the 
Internet so I figured I’d ask those in the trenches for their opinions 
regarding where they land on this. I know it’s not a Postfix-specific matter 
and if anyone thinks I should be posing this question elsewhere, please let me 
know where.


One of the fundamental tenets of security is not to give out any information to 
an adversary you don’t have to, but in the real world, there are operational 
considerations that need to be balanced against extreme security paranoia. So 
how does that balance work with message headers? In your average message header 
there are system names and IPs (both often internal) all along the path of 
delivery which would, on one hand, seem to be a needless leak of information 
useful to a hacker but, on the other hand, absolutely critical to 
troubleshooting mail delivery problems for any individual message.


So is there a line or philosophy one follows looking at this? I know inside 
Postfix there are a number of things you can do to adjust the system names at 
each hop (and, presumably, suppress the IP but I don’t know how, personally) 
but I would think each one would add burden to troubleshooting. However, how 
much burden that is compared to how much security benefit is gained from 
shielding that information is something I also don’t know.


So, assuming most of this list is operational folks with that particular bias, 
does anyone want to share their thoughts on the balance they have achieved on 
this that doesn't spin their auditors into a tizzy?


Thanks,


Scott
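
An added example, not part of the original post: a Python sketch that audits a message's Received headers and reports which hops disclose internal addresses (RFC 1918, loopback, IPv6 unique-local), so you can see what a header exposes before deciding what to rewrite. The sample message, its hostnames, queue IDs and addresses are constructed.

```python
import email
import ipaddress
import re

# Constructed sample: hostnames, queue IDs and addresses are made up.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.25])
\tby inbound.example.org (Postfix) with ESMTPS id 4ABC123
\tfor <user@example.org>; Mon, 1 Jan 2024 10:00:05 +0000 (UTC)
Received: from relay01.corp.example.net (relay01.corp.example.net [10.20.30.40])
\tby mx.example.net (Postfix) with ESMTP id 3DEF456;
\tMon, 1 Jan 2024 10:00:03 +0000 (UTC)
Received: from ws-417.corp.example.net (unknown [192.168.5.17])
\tby relay01.corp.example.net (Postfix) with ESMTPSA id 2GHI789;
\tMon, 1 Jan 2024 10:00:01 +0000 (UTC)
From: sender@example.net
To: user@example.org
Subject: test

body
"""

# Explicit list: ipaddress.is_private would also flag documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7")]
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
HOST_RE = re.compile(r"\b(from|by)\s+([A-Za-z0-9.-]+)")

def audit_received(raw_message):
    """Return one dict per Received hop (newest first) with any internal IPs."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold continuation lines
        internal = []
        for candidate in IP_RE.findall(text):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # bracketed text that is not an IP address
            if any(addr in net for net in INTERNAL_NETS):
                internal.append(str(addr))
        hosts = dict(HOST_RE.findall(text))
        hops.append({"from": hosts.get("from"), "by": hosts.get("by"),
                     "internal_ips": internal})
    return hops

if __name__ == "__main__":
    for hop in audit_received(SAMPLE):
        print(hop)
```

Running it against a message captured at your outbound edge shows which hops would still be needed for troubleshooting and which only expose internal topology.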
