* Scott A. Wozny:

> In your average message header there are system names and IPs (both
> often internal) all along the path of delivery which would, on one
> hand, seem to be a needless leak of information useful to a hacker
> but, on the other hand, absolutely critical to troubleshooting mail
> delivery problems for any individual message.

There are some assumptions I usually make for production systems:

  - Organisation A has 0..n Intranet-only Postfix instances which don't
    connect to the Internet.

  - There are 1..m Postfix instances used as outbound relayhosts, and
    only these do connect to MXs using the Internet.

  - Troubleshooting can be separated into either the route
    Intranet-to-Relayhost or Relayhost-to-Internet.

  - Once a message reaches the relayhost(s), existing routing
    information is no longer relevant when it comes to debugging
    possible mail routing problems.

If these assumptions hold true, I see no harm in removing message
headers you consider sensitive on your relayhosts. Postfix's cleanup[1]
daemon can do it for you, using the header_checks[2] option:

  # pcre:/etc/postfix/my_cleanup_header_checks
  /^Received: from \w+\.myinternaldomain\.org\b/ STRIP

The STRIP action logs header removal, while the alternative IGNORE would
delete headers silently.

-Ralph

[1] http://www.postfix.org/cleanup.8.html
[2] http://www.postfix.org/header_checks.5.html
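
An added example (not part of the message above, and not Postfix code): a Python approximation of how a header_checks pattern is applied to unfolded headers, useful for checking which Received headers a rule would strip before deploying it. The sample hostnames and addresses are constructed, and the regex flags are an assumption meant to approximate Postfix's pcre table defaults.

```python
import re

# Pattern copied from the header_checks line on this page.
RULE = re.compile(r"^Received: from \w+\.myinternaldomain\.org\b",
                  re.IGNORECASE | re.DOTALL)  # assumption: approximates Postfix pcre defaults

# Constructed headers as a relayhost's cleanup might see them (all values made up).
SAMPLE = (
    "Received: from app1.myinternaldomain.org (app1 [10.0.1.7])\n"
    "\tby relay.myinternaldomain.org (Postfix) with ESMTP id 3CCC\n"
    "Received: from build-02.myinternaldomain.org (build-02 [10.0.1.8])\n"
    "\tby app1.myinternaldomain.org (Postfix) with ESMTP id 2BBB\n"
    "Received: from ws7.hq.myinternaldomain.org (ws7 [10.0.2.9])\n"
    "\tby build-02.myinternaldomain.org (Postfix) with ESMTP id 1AAA\n"
    "From: alice@myinternaldomain.org\n"
    "Subject: test\n"
)

def unfold(raw):
    """Join folded continuation lines so each list item is one logical header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers

def apply_rule(headers):
    """Split headers into (kept, stripped) the way a STRIP match would."""
    kept, stripped = [], []
    for h in headers:
        (stripped if RULE.search(h) else kept).append(h)
    return kept, stripped

def residual_internal(kept):
    """Received headers that survived but still name the internal domain."""
    return [h for h in kept
            if h.lower().startswith("received:") and "myinternaldomain.org" in h.lower()]

if __name__ == "__main__":
    kept, stripped = apply_rule(unfold(SAMPLE))
    for h in stripped:
        print("strip:", h.split("\n")[0])
    for h in residual_internal(kept):
        print("still present:", h.split("\n")[0])
```

On a Postfix host, the real table can be queried with a header string using postmap -q to confirm the same result.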
