How to anonymize SMTP clients (by forging e-mail headers).

1 files changed, 77 insertions, 0 deletions

diff --git a/fripost-docs.org b/fripost-docs.org
index f744c48..6f7cab5 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -780,6 +780,83 @@ emails through the tunnel.
 
 TODO: add the necessary configuration files
 
+*** Configuring the outgoing SMTP
+**** Anonymize the senders
+If RoudCube automatically anonymize the sender (by simply shortening the trace), it's not the case (by default) for SquirrelMail, or when clients connect via ESMTP/ESMTPS/ESMTPA/ESMTPSA. Here are a couple of traces we want to obfuscate, to prevent the recicipient and/or the intermediate SMTP relays to track the sender.
+
+Received: from localhost (machine.example.org [127.0.0.1])
+        by example.org (Postfix) with ESMTP id C9DAB841F4
+        for <guilhem@fripost.org>; Thu, 22 Mar 2012 16:27:56 +0100 (CET)
+Received: from example.org ([127.0.0.1])
+        by localhost (machine.example.org [127.0.0.1]) (amavisd-new, port 10024)
+        with ESMTP id 8onAXWOvImDh for <guilhem@fripost.org>;
+        Thu, 22 Mar 2012 16:27:56 +0100 (CET)
+Received: from webmail.example.org (localhost [IPv6:::1])
+        by example.org (Postfix) with ESMTP id 3ADAB8243D
+        for <guilhem@fripost.org>; Thu, 22 Mar 2012 16:27:56 +0100 (CET)
+Received: from 192.168.1.5
+        (SquirrelMail authenticated user guilhem)
+        by webmail.example.org with HTTP;
+        Thu, 22 Mar 2012 16:27:56 +0100
+
+Received: from localhost (machine.example.org [127.0.0.1])
+        by example.org (Postfix) with ESMTP id 2D1098243D
+        for <guilhem@fripost.org>; Thu, 22 Mar 2012 16:36:36 +0100 (CET)
+Received: from example.org ([127.0.0.1])
+        by localhost (machine.example.org [127.0.0.1]) (amavisd-new, port 10024)
+        with ESMTP id Hr2J-eRTN0jI for <guilhem@fripost.org>;
+        Thu, 22 Mar 2012 16:36:35 +0100 (CET)                                                                                                           
+Received: from client.example.org (client.machine.org [192.168.1.1])                                                                                    
+        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
+        (Client CN "client.machine.org", Issuer "machine.org" (not verified))
+        by machine.org (Postfix) with ESMTPS id DA22981B95
+        for <guilhem@fripost.org>; Thu, 22 Mar 2012 16:36:35 +0100 (CET)
+Received: (nullmailer pid 5057 invoked by uid 0);
+        Thu, 22 Mar 2012 15:36:34 -0000
+
+Received: from localhost (machine.example.org [127.0.0.1])
+        by example.org (Postfix) with ESMTP id DBAFE816BB
+        for <guilhem@fripost.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
+Received: from example.org ([127.0.0.1])
+        by localhost (machine.example.org [127.0.0.1]) (amavisd-new, port 10024)
+        with ESMTP id Upen4QhYpKf4 for <guilhem@fripost.org>;
+        Thu, 22 Mar 2012 14:48:01 +0100 (CET)
+Received: from client.example.org (client.example.org [192.168.1.2])
+        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
+        (Client CN "", Issuer "" (not verified))
+        (Authenticated sender: guilhem)
+        by guilhem.org (Postfix) with ESMTPSA id 40284804F5
+        for <guilhem@fripost.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
+Received: by machine@example.org (Postfix, from userid 1000)
+        id 1D24F41747; Thu, 22 Mar 2012 14:48:00 +0100 (CET)
+
+(The first one was sent using a SquirrelMail; The second using ESMTPS; And the third using ESMTPSA).
+If we are to hide the sender, we could simply clean the trace (like RoundCube does) when the mail leaves the server. However, some aggressive mailfilters may reject the mail since the trace is incomplete (if RoundCube hides the history I guess it doesnt' happen that often, but who knows...).
+
+Another option would be to clean the trace and to simply add a fake field to pretend that the mail is sent from localhost by the user nobody:
+    Received: by example.org (Postfix, from userid 65535)
+            id 2C537816BB; Thu, 22 Mar 2012 14:08:45 +0100 (CET)
+This possible by adding "smtp_header_checks = regexp:$config_directory/smtp_header_checks" in the main.cf, with a suitable file "smtp_header_check" in the Postfix configuration directory.
+
+Yetan other option is not to hide the trace, but rather forge it to pretend that the connections ESMTP/... are coming from localhost. This way we are not hiding the fast that a client has logged in using a valid certificate, and in case of an SMTP relay, the early part of the trace (before it entered our Postfix) remains unchanged. For example, the third trace would become:
+
+Received: from [127.0.0.1] (localhost [127.0.0.1])
+        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
+        (Client CN "", Issuer "" (not verified))
+        (Authenticated sender: guilhem)
+        by example.org (Postfix) with ESMTPSA id 40284804F5
+        for <guilhem@fripost.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
+Received: by client.example.org (Postfix, from userid 1000)
+        id 1D24F41747; Thu, 22 Mar 2012 14:48:00 +0100 (CET)
+
+(the other field remaining unchanged). This is also possible using smtp_header_checks. In that case, the corresponding file would contain the following rexep, forging the header by pretending that the sender has EHLO'ed from localhost:
+
+  /^Received:\s+from (\S+)\s+\(\S+\s+\S+\)(.*\sby example\.org \(Postfix\)\s+with E?SMTP(S|A|SA)\W.*)$/
+    REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}
+
+You can try out the regexp using "postmap -h -q - regexp:smtp_header_checks < email" (email can also be a bunch of traces).
+
+DISCLAIMER: The regexp probably needs tests (especially for multiple hops, in case of relaying SMTPs). Also, note that the hostname of the client has not been obfuscated in the above trace (and that will break the path if the client has a routable hostname that doesn't point to the SMTP server!). However, this line has been added by the client itself, so it's his/her responsability to masquerade it I suppose. In the same way, the CN and Issuer of the client's certificate may help to track him/her down. Maybe we should forge it as well?
 
 ** Configuring the webserver