Package: exim4-config
Version: 4.96-16
Severity: normal
Tags: patch

Dear Maintainer,
Even when dc_hide_mailname is set, mails sent to remote hosts leak the local intranet hostname. This is because of two reasons, which the below patch fixes.

1. Reason #1 is the Received: header added by exim4 as it receives the request from the local MUA via /usr/sbin/sendmail. This patch simply removes this header for mails sent outwards via the smarthost. (It preserves the header for locally-sent mails, or for mails sent outwards when exim4 is configured as an internet facing "regular" SMTP server.) This matches the behaviour of ordinary SMTP clients that send directly to an SMTP server without adding a Received: header, which is what "smarthost" is supposed to emulate as I understand. For this reason, this patch does the rewriting unconditionally, but it's easy to guard it via "ifdef HIDE_MAILNAME" if that is preferred.

2. Reason #2 is the Message-ID. This patch rewrites the Message-ID domain name to the configured DCreadhost, like how other headers are already rewritten. exim4 doesn't support rewriting Message-ID in headers_rewrite, so we do it using headers_add and headers_remove instead. This rewriting is only in effect if HIDE_MAILNAME is on.

Patch:

~~~~ --- exim4.conf.template.orig 2023-06-25 21:26:18.964387306 +0100 +++ exim4.conf.template 2023-06-26 02:29:48.362735601 +0100
@@ -1733,6 +1742,12 @@ .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS .endif + # Don't add Received header when acting as a smarthost, to mimic regular SMTP clients + headers_remove = Received +.ifdef HIDE_MAILNAME + headers_remove = Message-Id + headers_add = Message-Id: <${local_part:$h_message-id:}@DCreadhost> +.endif .ifdef REMOTE_SMTP_HEADERS_REWRITE headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE .endif ~~~~
It will need to be duplicated for the split-config, of course.

-- Package-specific info:
Exim version 4.96 #2 built 11-Jun-2023 16:20:21
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2022
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume move_frozen_messages DANE DKIM DNSSEC Event I18N OCSP PIPECONNECT PRDR Queue_Ramp SOCKS SRS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 external plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-security'), (300, 'unstable'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.3.0-1-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
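Review bot: "headers_remove = Received" on this transport strips every Received: header in the message, not only the one exim4 adds at local submission. In the "mail sent by smarthost; received via SMTP or fetchmail" configuration the same transport carries mail relayed from other hosts, whose earlier hops are then lost. Either take up the HIDE_MAILNAME guard the report offers, or limit the removal to locally submitted mail with an expansion such as "headers_remove = ${if eq{$received_protocol}{local}{Received}{}}". Two further points on the HIDE_MAILNAME block. With it defined the transport sets headers_remove twice, so confirm with "exim4 -bV" that the installed Exim merges repeated headers_remove settings rather than rejecting the second, or fold both names into one colon-separated list. And "${local_part:$h_message-id:}" expands to an empty string when the message reaches the transport without a parsable Message-Id (Exim only adds one for locally submitted mail), which would emit "Message-Id: <@DCreadhost>", while a Message-Id an MUA generated under a non-local domain is rewritten anyway; a "${if def:h_message-id: ...}" guard, or a comparison of "${domain:$h_message-id:}" against "$primary_hostname", would cover both cases. Finally, the hunk header's new-file offset (+1742 against -1733) shows earlier edits to the template that are not in this report, so the patch as posted is incomplete.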
Versions of packages exim4-config depends on:
ii adduser 3.134
ii debconf [debconf-2.0] 1.5.82

Versions of packages exim4-config recommends:
ii ca-certificates 20230311

exim4-config suggests no packages.

-- Configuration Files:
/etc/exim4/exim4.conf.template changed [not included]
/etc/exim4/passwd.client [Errno 13] Permission denied: '/etc/exim4/passwd.client'

-- debconf information excluded
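Added example, not part of this bug report or of exim4-config: a small check that shows what the two transport changes in the patch above do to an outbound message, and flags the case where the Message-Id local part comes out empty. MAILNAME, READHOST (standing in for DCreadhost) and the sample message are constructed assumptions.

```python
import copy
import email
import re
from email.message import Message

MAILNAME = "pc1.intranet.example"  # constructed: the hostname dc_hide_mailname must hide
READHOST = "mail.example.org"      # constructed: stands in for DCreadhost

# Constructed message as exim4 queues it after local submission via /usr/sbin/sendmail.
SAMPLE = b"""Received: from alice by pc1.intranet.example with local (Exim 4.96)
\tid 1qABCD-000001-XY; Sun, 25 Jun 2023 21:26:18 +0100
Message-Id: <E1qABCD-000001-XY@pc1.intranet.example>
From: alice@example.org
To: bob@example.com
Subject: test

hello
"""

def find_leaks(msg: Message, mailname: str) -> dict:
    """Map header name -> values that still mention the internal hostname."""
    leaks = {}
    for name, value in msg.items():
        if mailname.lower() in value.lower():
            leaks.setdefault(name, []).append(value)
    return leaks

def hide_mailname(msg: Message, readhost: str) -> tuple:
    """Mimic the patched transport: headers_remove drops every Received: and
    Message-Id:, then headers_add rebuilds Message-Id as <local-part@readhost>.
    Returns (new message, warnings) so an empty local part is not emitted silently."""
    out = copy.deepcopy(msg)
    warnings = []
    del out["Received"]  # headers_remove drops all headers of that name, not only the local one
    m = re.match(r"\s*<?([^@<>\s]+)@", out.get("Message-Id", ""))
    local = m.group(1) if m else ""  # ${local_part:...} expands to "" when the value does not parse
    if not local:
        warnings.append("Message-Id missing or unparsable: transport would add <@%s>" % readhost)
    del out["Message-Id"]
    out["Message-Id"] = "<%s@%s>" % (local, readhost)
    return out, warnings

def check(raw: bytes, mailname: str = MAILNAME, readhost: str = READHOST) -> dict:
    """Report leaks before and after the transport-time rewrite of one raw message."""
    msg = email.message_from_bytes(raw)
    fixed, warnings = hide_mailname(msg, readhost)
    return {"before": find_leaks(msg, mailname), "after": find_leaks(fixed, mailname),
            "message_id": fixed["Message-Id"], "warnings": warnings}
```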