Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: kryptos on June 03, 2013, 08:47:36 AM
-
Hello,
I have observed this from v6 to v7: when I send an email, the recipient, if he checks the message source, sees the information below.
Received: from pc-00016.mydomain.com (HELO pcname) (192.168.0.16)
(smtp-auth username user1, mechanism login)
by mydomain.com (qpsmtpd/0.83) with ESMTPA; Mon, 03 Jun 2013 08:59:11 +0800
As you can see, it displays my local IP address and my username. As a security concern, how can I keep this information from being included when I send an email?
Regards,
Rocel
-
this is not a security problem as long as your passwords are strong..
and I would add that changing the headers of an email is not a good thing..
if you search the forums you'll find other posts on the same topic..
-
The authenticated username is usually not secret, since it is usually the username of the sender of the message. However, others have expressed security concerns about that information leakage, and there is a patch for qpsmtpd in the Debian bug tracker:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684571
The local IP address shouldn't have any security consequences. Your local network is protected from remote access already by SME server software. Knowing your local IP addresses doesn't create any weakness in the protection. Those addresses are generally guessable anyway, and need to be listed in Received headers in order for you to trace any internal email problems or misuse.
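
A check an administrator could run over a sent message to see what its Received headers disclose, as an added example that is not part of the original thread. It uses the header quoted above inside a constructed sample message; the function name `audit_received` and the From/To/Subject lines are assumptions.

```python
import email
import ipaddress
import re

# Constructed sample: the Received header is the one quoted in this thread,
# the remaining headers and body are made up for the example.
SAMPLE = (
    "Received: from pc-00016.mydomain.com (HELO pcname) (192.168.0.16)\n"
    "  (smtp-auth username user1, mechanism login)\n"
    "  by mydomain.com (qpsmtpd/0.83) with ESMTPA; Mon, 03 Jun 2013 08:59:11 +0800\n"
    "From: user1@mydomain.com\n"
    "To: someone@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# qpsmtpd's auth annotation as it appears in the quoted header.
AUTH_RE = re.compile(r"\(smtp-auth username (\S+?), mechanism \S+?\)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def audit_received(raw):
    """Return (hop, kind, value) findings for every Received header in raw."""
    msg = email.message_from_string(raw)
    findings = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        auth = AUTH_RE.search(text)
        if auth:
            findings.append((hop, "auth-username", auth.group(1)))
        for candidate in IPV4_RE.findall(text):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # looked like an address but is not one
            # is_private covers the RFC 1918 ranges and other non-global ranges
            if addr.is_private:
                findings.append((hop, "private-ip", candidate))
    return findings


if __name__ == "__main__":
    for hop, kind, value in audit_received(SAMPLE):
        print(f"Received hop {hop}: {kind} = {value}")
```
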
-
kryptos
This was answered many years ago, so search the Forums & go back a long way.
I do not know if the fix or workaround provided then is still applicable, but it probably/possibly may be.
-
Hi,
Thanks for the heads up. Actually this is not really a concern for me, but my higher boss, who is also a technical person, pays attention to it, and in comparison, non-SME mail servers or hosted servers' email headers don't have this. That is why I thought there could be a way to hide this information from being broadcast.
Anyway, I will search the forums for that solution, as others have said there is one, and will read further on the link you provided. Thanks
-
Thanks Janet, I will search for that.