6.0.0-git
2019-07-20

[#13041] Possibility to disable the Received from ... (Horde Framework) with HTTP header line injection to the e-Mail header lines.
Summary Possibility to disable the Received from ... (Horde Framework) with HTTP header line injection to the e-Mail header lines.
Queue Horde Framework Packages
Queue Version Git master
Type Enhancement
State Rejected
Priority 2. Medium
Owners
Requester klaus (at) tachtler (dot) net
Created 2014-03-12 (1956 days ago)
Due
Updated 2016-10-06 (1017 days ago)
Assigned
Resolved 2014-03-18 (1950 days ago)
Milestone
Patch No

History
2016-10-06 16:09:57 guenter (at) zamia (dot) org Comment #7
>> Thank you for the detailed RFC description. I will read it in the
>> whole to understand it right.
>>
>> You can close this enhancement, and thank you for the advice.
>
> @ Klaus,
>
> did you find a solution?

just for the record: we solved this problem by using postfix's
header_checks feature to remove the Horde Frame Received header line:

append to /etc/postfix/header_checks:

# remove horde web frontend received header (hide dynamic IP to
# prevent spam filters from blocking the email)
/^Received: from .* by <your mailserver fqdn> \(Horde Framework\) with HTTPS/   IGNORE

and enable header checks in postfix's /etc/postfix/main.cf:

header_checks = regexp:/etc/postfix/header_checks
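
An added example (not code from the thread, from Horde or from Postfix): it simulates the IGNORE rule above in Python against a constructed header block modelled on the Received: line quoted in Comment #1, unfolding each header before matching, and then checks that the MTA's own Received: line survives. The pattern is widened to HTTPS? because the ticket's sample header ends in "with HTTP;" while the comment's pattern only matches HTTPS; my.domain.tld, the other hosts and the addresses are placeholders.

```python
import re

# Constructed sample headers (not from the ticket): the MTA's own hop above the
# Horde webmail hop quoted in Comment #1; hosts and IPs are placeholders.
SAMPLE_HEADERS = (
    "Received: from my.domain.tld (my.domain.tld [192.0.2.10])\n"
    "\tby mx.example.net (Postfix) with ESMTPS id 0123456789\n"
    "\tfor <bob@example.net>; Tue, 11 Mar 2014 10:31:17 +0100\n"
    "Received: from place.domain.tld (place.domain.tld [192.0.2.44]) by\n"
    "  my.domain.tld (Horde Framework) with HTTP; Tue, 11 Mar 2014 10:31:16\n"
    "  +0100\n"
    "From: alice@my.domain.tld\n"
    "To: bob@example.net\n"
    "Subject: test\n"
)

# The comment's header_checks pattern with <your mailserver fqdn> filled in and
# widened to "HTTPS?" because the header quoted in the ticket says "with HTTP;".
# Postfix regexp tables match case-insensitively by default, hence re.IGNORECASE.
HORDE_RECEIVED_RULE = re.compile(
    r"^Received: from .* by my\.domain\.tld \(Horde Framework\) with HTTPS?",
    re.IGNORECASE,
)


def logical_headers(header_block):
    """Unfold RFC 5322 headers: a line starting with whitespace continues the
    previous one. Folding whitespace is collapsed to one space here, a
    simplification of how Postfix presents a logical header to header_checks."""
    headers = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line:
            headers.append(line)
    return headers


def apply_ignore_rule(header_block, rule):
    """Simulate the IGNORE action: drop every logical header the rule matches.
    Returns (kept, dropped)."""
    kept, dropped = [], []
    for header in logical_headers(header_block):
        (dropped if rule.search(header) else kept).append(header)
    return kept, dropped


def still_traceable(kept):
    """At least one Received: trace field must survive so the recipient can
    still attribute the message to the sending MTA (the point made in #4)."""
    return any(h.lower().startswith("received:") for h in kept)
```

Run it against your own stripped messages: if still_traceable() ever returns False, the rule is too broad and is removing the MTA hops too, not just the webmail hop.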

2016-10-06 12:44:37 samuel (dot) wolf (at) wolf-maschinenbau (dot) de Comment #6
> Thank you for the detailed RFC description. I will read it in the
> whole to understand it right.
>
> You can close this enhancement, and thank you for the advice.

@ Klaus,

did you find a solution?

2014-03-18 21:54:12 klaus (at) tachtler (dot) net Comment #5

Thank you for the detailed RFC description. I will read it in the whole
to understand it right.

You can close this enhancement, and thank you for the advice.

Klaus.
2014-03-18 21:48:37 Michael Slusarz Comment #4

This is explicitly against the RFC.  **ALL** hops have to be accounted
for.  Webmail is a mail user agent ... skipping the MUA -> HTTP server
step (which is really acting as a mail server in this instance) is
probably the most important step in the whole process!

> I remember that the Received: from line for the sender MTA must be
> in the header lines, but not from which client/Desktop PC the e-Mail
> was sent to the first MTA.

Why not?  That's where the potential abuse (the purpose behind
Received) is initiated.  It's the most important information in there.

>> This could be good for security reasons, because sometimes I use a
>> browser at a place, and I don't want to get lines like the following
>> in my e-Mail header:
>
>> If you are worried about privacy, then don't send e-mail messages.
>
> If you were worried about dying while crossing the street, would you
> stop walking?

I don't know what this means.

#1: you absolutely cannot assume the sending MTA is going to help you,
or that they will archive this information (they almost certainly will
not).

#2: RFC 5321:

7.6. Information Disclosure in Trace Fields

    In some circumstances, such as when mail originates from within a LAN
    whose hosts are not directly on the public Internet, trace
    ("Received") header fields produced in conformance with this
    specification may disclose host names and similar information that
    would not normally be available.  This ordinarily does not pose a
    problem, but sites with special concerns about name disclosure should
    be aware of it.

> With postfix header_checks, I realized "header stripping" for that
> line, but I think when Roundcube and other client software/webmailers
> could do this, why not Horde too?

They are simply wrong.  Just because "XYZ" does something doesn't make
it right.
2014-03-18 20:30:13 klaus (at) tachtler (dot) net Comment #3
>> is there a possibility, or could this be realized, to disable the
>> Received from ... (Horde Framework) with HTTP ... header line
>> injection to the e-Mail header lines.
>
> This is a terrible idea.  It is explicitly prohibited by the RFCs.

Maybe there is a misunderstanding, or my first description of my
problem was not so good.

I don't want to disable ALL Received: from lines, only the first line,
which inserts the Horde Framework HTTP header line from the
client/Desktop PC.

In Roundcube or in LotusNotes you can configure this, to hide the
client/Desktop PC Received: from line!

I remember that the Received: from line for the sender MTA must be in
the header lines, but not from which client/Desktop PC the e-Mail was
sent to the first MTA.

>> This could be good for security reasons, because sometimes I use a
>> browser at a place, and I don't want to get lines like the following
>> in my e-Mail header:
>
> If you are worried about privacy, then don't send e-mail messages.

If you were worried about dying while crossing the street, would you
stop walking?

> Otherwise, if you remove those headers, it becomes a security issue
> from the *recipient's* side, since they can no longer effectively
> track the message in the case of abuse.  So these headers are for
> the benefit of the recipient, not the sender.  You start removing
> tracking headers and you become at risk of being put on various
> RBLs, for example.

No, I think that the sender MTA must be reachable for abuse, not the
client/desktop PC!

With postfix header_checks, I realized "header stripping" for that
line, but I think when Roundcube and other client software/webmailers
could do this, why not Horde too?

Thank you, hope we can discuss this, and sorry that I didn't explain
my problem very well in my first post.

Klaus.
2014-03-18 19:47:17 Michael Slusarz Comment #2
State ⇒ Rejected

> is there a possibility, or could this be realized, to disable the
> Received from ... (Horde Framework) with HTTP ... header line
> injection to the e-Mail header lines.

This is a terrible idea.  It is explicitly prohibited by the RFCs.

> This could be good for security reasons, because sometimes I use a
> browser at a place, and I don't want to get lines like the following
> in my e-Mail header:

If you are worried about privacy, then don't send e-mail messages.

Otherwise, if you remove those headers, it becomes a security issue
from the *recipient's* side, since they can no longer effectively
track the message in the case of abuse.  So these headers are for the
benefit of the recipient, not the sender.  You start removing tracking
headers and you become at risk of being put on various RBLs, for
example.
2014-03-12 14:00:25 klaus (at) tachtler (dot) net Comment #1
Type ⇒ Enhancement
State ⇒ New
Priority ⇒ 2. Medium
Summary ⇒ Possibility to disable the Received from ... (Horde Framework) with HTTP header line injection to the e-Mail header lines.
Queue ⇒ Horde Framework Packages
Milestone ⇒
Patch ⇒ No
Hi,

is there a possibility, or could this be realized, to disable the
Received from ... (Horde Framework) with HTTP ... header line
injection to the e-Mail header lines.

This was done in: .../Horde/Mime/Headers.php - Line 278

...
$this->addHeader('Received', $received);
...

This could be good for security reasons, because sometimes I use a
browser at a place, and I don't want to get lines like the following
in my e-Mail header:

Received: from place.domain.tld (place.domain.tld [xxx.xxx.xxx.xxx]) by
  my.domain.tld (Horde Framework) with HTTP; Tue, 11 Mar 2014 10:31:16
  +0100

Thank you!
