>>> Hi
>>>
>>> I am running squirrelmail with postfix on debian sarge. As far as I
>>> can see squirrelmail appends the IP address of the client machine
>>> (The one sending the email through the webinterface).
>>>
>>> Is it possible to prevent this or do I have to modify the source? If I
>>> have to modify the source can anyone point me to the function that
>>> appends the IP address?
>>
>> check squirrelmail 1.4.5 changelog and SquirrelMail bug tracker 847107
>> 'security hole squirrelmail mails real userid'.
>>
>> https://sourceforge.net/tracker/index.php?func=detail&aid=847107&group_id=311&atid=423679
>>
>> This header violates users' privacy, but protects SquirrelMail admins
>> (you).
>
> I am the only user of the system so I feel pretty safe. It would be
> nice if squirrelmail at least scrambled the information.
>
> But from the info in the bug report I think I can modify the source
> not to include it.

If information is scrambled or encoded with a publicly known key or method by default, it is not secret. Security by obscurity does not secure things.

class/deliver/Deliver.class.php prepareRFC822_Header() function starts at line 364. Address is stored in message id and Received header. Received header can be removed, if you want. You can't remove IP address information from message id. Message ID must be unique for mail system. I think you can disable message id header completely and first smtp server will create different message id.

Received header might cause problems with antispam scanners only if you have web server running in dynamic dialup/broadband address range. Message ID should not cause problems with antispam scanners. They should not assume that message id contains ip address. RFC states that id must be unique and uses client's ip address only as example.

SquirrelMail 1.4.5 should be released in July. It contains configuration options that allow to increase users' privacy without painting big red target mark on admin's back :).

Remember that you are living in wild internet world and your email account can be hijacked. Client's IP address in email headers might provide some information about attacker.

--
Tomas
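
A way to check the result after changing the header code, as an added example that is not part of the original message and not SquirrelMail code: it parses a sent message and reports every header that still carries a given client address. The sample message, its hosts and addresses, and the function name `find_ip_leaks` are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample: client address in a Received header and in the
# Message-ID, as the reply describes. Hosts and addresses are documentation
# values (example.org, 192.0.2.0/24), not taken from a real message.
SAMPLE = """\
Received: from mail.example.org (localhost [127.0.0.1])
\tby mail.example.org (Postfix) with ESMTP id 0123456789
\tfor <bob@example.net>; Wed, 6 Jul 2005 15:30:01 +0200 (CEST)
Received: from 192.0.2.55
\t(SquirrelMail authenticated user alice)
\tby mail.example.org with HTTP;
\tWed, 6 Jul 2005 15:30:00 +0200 (CEST)
Message-ID: <4711.192.0.2.55.1120656600.squirrel@mail.example.org>
Date: Wed, 6 Jul 2005 15:30:00 +0200 (CEST)
Subject: test
From: alice@example.org
To: bob@example.net

body
"""


def find_ip_leaks(raw_message, client_ips):
    """Return sorted (header name, ip) pairs for headers carrying a client IP."""
    # compat32 keeps header values as plain strings, folding included.
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    hits = set()
    for name, value in msg.items():
        unfolded = " ".join(str(value).split())
        for ip in client_ips:
            # Digit guards: 192.0.2.5 must not match inside 192.0.2.55, while
            # an address embedded between dots in a Message-ID still matches.
            if re.search(r"(?<!\d)" + re.escape(ip) + r"(?!\d)", unfolded):
                hits.add((name, ip))
    return sorted(hits)


if __name__ == "__main__":
    for header, ip in find_ip_leaks(SAMPLE, ["192.0.2.55"]):
        print(f"{header}: exposes {ip}")
```

Run it against a test message sent to yourself from a known client address; an empty result means no header in that message contains the address.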
