author Guilhem Moulin <guilhem.moulin@fripost.org> 2012-08-23 21:24:38 +0200
committer Guilhem Moulin <guilhem.moulin@fripost.org> 2012-08-23 21:24:38 +0200
commit 12637d7bde98dba79b326338f01fdef462d7d1a6 (patch)
tree 6c73fe6faf163a340757025763c2740ffac865e8
parent 68f6905a244ca6324b4db97071de0ea20e1cdf2a (diff)
Updating the header obfuscation.
-rw-r--r-- fripost-docs.org 20
1 files changed, 11 insertions, 9 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index 40d7c0c..76a807a 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -1532,7 +1532,7 @@ to track the sender.
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "", Issuer "" (not verified))
(Authenticated sender: username)
- by fripost.org (Postfix) with ESMTPSA id 40284804F5
+ by smtp.fripost.org (Postfix) with ESMTPSA id 40284804F5
for <recipient@example.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
Received: by client.example.org (Postfix, from userid 1000)
id 1D24F41747; Thu, 22 Mar 2012 14:48:00 +0100 (CET)
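Review bot: the sample trace now reads `by smtp.fripost.org`, which is consistent with the literal `smtp\.fripost\.org` used later in the pattern, but both places hard-code that hostname; add a sentence saying the pattern has to be adjusted to the local `myhostname`, since a Received header naming any other host is left untouched, and therefore unobfuscated.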
@@ -1560,8 +1560,9 @@ trace (before it entered our Postfix sever) remains unchanged. For
example, the early part of the third trace would become:
Received: from [127.0.0.1] (localhost [127.0.0.1])
+ (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Authenticated sender: username)
- by fripost.org (Postfix) with ESMTPSA id 40284804F5
+ by smtp.fripost.org (Postfix) with ESMTPSA id 40284804F5
for <recipient@example.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
Received: by client.example.org (Postfix, from userid 1000)
id 1D24F41747; Thu, 22 Mar 2012 14:48:00 +0100 (CET)
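Review bot: the expected result shown here keeps the newly added `(using TLSv1 ...)` line but silently drops the `(Client CN "", Issuer "" (not verified))` line present in the trace at the top of the section, while the sentence introducing the example only says the earlier part of the trace is unchanged. State next to the example that the certificate line is removed on purpose (the paragraph added further down gives the reason), so a reader does not take the omission for a copy error.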
@@ -1571,20 +1572,21 @@ smtp_header_checks. In that case, the corresponding file would contain
the following rexep, forging the header by pretending that the client
has EHLO'ed from localhost:
- /^Received:\s+from\s+(\S+\s+\([-._[:alnum:]]+\s+\[[.[:digit:]]{7,15}\]\)).*?([[:space:]]+).*\(Authenticated sender:\s+([^)]+)\).*(by\s+smtp\.fripost\.org\s+\([^)]+\)\s+with\s+E?SMTPS?A?\s+id\s+[A-F[:digit:]]+.*)/
- REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$2(Authenticated sender: $3)${2}$4
+ /^Received:\s+from\s+([._[:alnum:]-]+\s+\([._[:alnum:]-]+\s+\[[[:xdigit:].:]{3,39}\]\))(\s+\(using\s+(TLSv1|SSLv[23])\s+with\s+cipher\s+\S+\s+\([\/0-9]+\s+bits\)\)\s+).*(\(Authenticated sender:\s+[^)]+\)\s+).*(by\s+smtp\.fripost\.org\s+\([^)]+\)\s+with\s+E?SMTPS?A?\s+id\s+[[:xdigit:]]+.*)/
+ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}${4}${5}
You can try out the regexp using "postmap -h -q - regex:/etc/postfix/smtp_header_checks < email"
(where `email' may also be a bunch of traces).
+We also forge the certificate the client send during the TLS/SSL
+handshake, since its CN and Issuer may help to track him/her down.
+
DISCLAIMER: The regexp probably needs tests (especially for multiple hops,
in case of relaying SMTPs). Also, note that the hostname of the client has
NOT been obfuscated in the above trace (and that will break the relaying path
if the client has a routable hostname that doesn't point to the SMTP server!).
However, this line has been added by the client itself, so it's his/her
-responsability to masquerade it I suppose. In the same way, the CN and Issuer
-of the client's certificate may help to track him/her down. Maybe we should
-forge these as well?
+responsability to masquerade it I suppose.
***** Install packages
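Review bot: the TLS group in the new pattern, `(\s+\(using\s+(TLSv1|SSLv[23])\s+with\s+cipher\s+\S+\s+\([\/0-9]+\s+bits\)\)\s+)`, is mandatory, so an authenticated submission whose Received header carries no `(using ...)` clause is not rewritten at all and keeps the client's hostname and address; and because the version alternative is followed by `\s+`, a header logging `TLSv1.1` or `TLSv1.2` does not match either (after `TLSv1` the next character is a dot, not whitespace). Consider making the group optional with a trailing `?` and widening the alternative to `TLSv1(\.[0-9])?|SSLv[23]`, keeping in mind that the REPLACE line then has to supply the whitespace before `${4}` itself when `${2}` is empty; the multi-hop tests the DISCLAIMER asks for should include a non-TLS trace. Minor wording: `the client send` should read `the client sends`, and `responsability` in the re-added line should be `responsibility`.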
@@ -1594,8 +1596,8 @@ forge these as well?
:: /etc/postfix/smtp_anonymize_sender.pcre
- /^Received:\s+from\s+(\S+\s+\([-._[:alnum:]]+\s+\[[.[:digit:]]{7,15}\]\)).*?([[:space:]]+).*\(Authenticated sender:\s+([^)]+)\).*(by\s+smtp\.fripost\.org\s+\([^)]+\)\s+with\s+E?SMTPS?A?\s+id\s+[A-F[:digit:]]+.*)/
- REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$2(Authenticated sender: $3)${2}$4
+ /^Received:\s+from\s+([._[:alnum:]-]+\s+\([._[:alnum:]-]+\s+\[[[:xdigit:].:]{3,39}\]\))(\s+\(using\s+(TLSv1|SSLv[23])\s+with\s+cipher\s+\S+\s+\([\/0-9]+\s+bits\)\)\s+).*(\(Authenticated sender:\s+[^)]+\)\s+).*(by\s+smtp\.fripost\.org\s+\([^)]+\)\s+with\s+E?SMTPS?A?\s+id\s+[[:xdigit:]]+.*)/
+ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}${4}${5}
:: /etc/postfix/main.cf
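Review bot: the same pattern now appears twice verbatim (in this `/etc/postfix/smtp_anonymize_sender.pcre` listing and in the explanatory section above), so any later fix has to be made in two places; keep only the file listing and refer to it from the prose. Also, the test command given above, `postmap -h -q - regex:/etc/postfix/smtp_header_checks < email`, names a different file and the `regex:` map type, whereas this file is `.pcre`; Postfix's `regex:` and `pcre:` tables do not accept exactly the same syntax, so the command should exercise the same file and map type that main.cf actually loads.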