From 12637d7bde98dba79b326338f01fdef462d7d1a6 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 23 Aug 2012 21:24:38 +0200 Subject: Updating the header obfuscation. --- fripost-docs.org | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index 40d7c0c..76a807a 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -1532,7 +1532,7 @@ to track the sender. (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "", Issuer "" (not verified)) (Authenticated sender: username) - by fripost.org (Postfix) with ESMTPSA id 40284804F5 + by smtp.fripost.org (Postfix) with ESMTPSA id 40284804F5 for ; Thu, 22 Mar 2012 14:48:01 +0100 (CET) Received: by client.example.org (Postfix, from userid 1000) id 1D24F41747; Thu, 22 Mar 2012 14:48:00 +0100 (CET) @@ -1560,8 +1560,9 @@ trace (before it entered our Postfix sever) remains unchanged. For example, the early part of the third trace would become: Received: from [127.0.0.1] (localhost [127.0.0.1]) + (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Authenticated sender: username) - by fripost.org (Postfix) with ESMTPSA id 40284804F5 + by smtp.fripost.org (Postfix) with ESMTPSA id 40284804F5 for ; Thu, 22 Mar 2012 14:48:01 +0100 (CET) Received: by client.example.org (Postfix, from userid 1000) id 1D24F41747; Thu, 22 Mar 2012 14:48:00 +0100 (CET) 
@@ -1571,20 +1572,21 @@ smtp_header_checks. In that case, the corresponding file would contain the following rexep, forging the header by pretending that the client has EHLO'ed from localhost: - /^Received:\s+from\s+(\S+\s+\([-._[:alnum:]]+\s+\[[.[:digit:]]{7,15}\]\)).*?([[:space:]]+).*\(Authenticated sender:\s+([^)]+)\).*(by\s+smtp\.fripost\.org\s+\([^)]+\)\s+with\s+E?SMTPS?A?\s+id\s+[A-F[:digit:]]+.*)/ - REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$2(Authenticated sender: $3)${2}$4 + /^Received:\s+from\s+([._[:alnum:]-]+\s+\([._[:alnum:]-]+\s+\[[[:xdigit:].:]{3,39}\]\))(\s+\(using\s+(TLSv1|SSLv[23])\s+with\s+cipher\s+\S+\s+\([\/0-9]+\s+bits\)\)\s+).*(\(Authenticated sender:\s+[^)]+\)\s+).*(by\s+smtp\.fripost\.org\s+\([^)]+\)\s+with\s+E?SMTPS?A?\s+id\s+[[:xdigit:]]+.*)/ + REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}${4}${5} You can try out the regexp using "postmap -h -q - regex:/etc/postfix/smtp_header_checks < email" (where `email' may also be a bunch of traces). +We also forge the certificate the client send during the TLS/SSL +handshake, since its CN and Issuer may help to track him/her down. + DISCLAIMER: The regexp probably needs tests (especially for multiple hops, in case of relaying SMTPs). Also, note that the hostname of the client has NOT been obfuscated in the above trace (and that will break the relaying path if the client has a routable hostname that doesn't point to the SMTP server!). However, this line has been added by the client itself, so it's his/her -responsability to masquerade it I suppose. In the same way, the CN and Issuer -of the client's certificate may help to track him/her down. Maybe we should -forge these as well? +responsability to masquerade it I suppose. ***** Install packages 
@@ -1594,8 +1596,8 @@ forge these as well? :: /etc/postfix/smtp_anonymize_sender.pcre - /^Received:\s+from\s+(\S+\s+\([-._[:alnum:]]+\s+\[[.[:digit:]]{7,15}\]\)).*?([[:space:]]+).*\(Authenticated sender:\s+([^)]+)\).*(by\s+smtp\.fripost\.org\s+\([^)]+\)\s+with\s+E?SMTPS?A?\s+id\s+[A-F[:digit:]]+.*)/ - REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])$2(Authenticated sender: $3)${2}$4 + /^Received:\s+from\s+([._[:alnum:]-]+\s+\([._[:alnum:]-]+\s+\[[[:xdigit:].:]{3,39}\]\))(\s+\(using\s+(TLSv1|SSLv[23])\s+with\s+cipher\s+\S+\s+\([\/0-9]+\s+bits\)\)\s+).*(\(Authenticated sender:\s+[^)]+\)\s+).*(by\s+smtp\.fripost\.org\s+\([^)]+\)\s+with\s+E?SMTPS?A?\s+id\s+[[:xdigit:]]+.*)/ + REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}${4}${5} :: /etc/postfix/main.cf -- cgit v1.2.3
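Review bot: In the first hunk (@@ -1560), the rewritten sample trace now keeps the `(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))` line but drops the `(Client CN "", Issuer "" (not verified))` line that the original trace at @@ -1532 shows between the cipher line and `(Authenticated sender: username)`, without the surrounding text saying so. Since this is the worked example readers compare against the original, add one sentence stating that the certificate line is removed (not rewritten) so the before/after traces are explicable line by line.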
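Review bot: In the second hunk (@@ -1571), the new regexp makes the TLS group mandatory: `(\s+\(using\s+(TLSv1|SSLv[23])\s+with\s+cipher\s+...\)\s+)` has no `?`, so a submission authenticated without TLS (the `E?SMTPS?A?` alternative the same pattern allows) no longer matches at all and its `Received:` header passes through unobfuscated, which is the opposite of the fail-safe the section wants. Making that group optional, e.g. `(\s+\(using\s+...\)\s+)?`, keeps the replacement working for both cases (with an empty `${2}`). The alternation `(TLSv1|SSLv[23])` followed by `\s+` also rejects `TLSv1.1` and `TLSv1.2`, so `TLSv1(\.[12])?` would be safer. In the added prose, "We also forge the certificate the client send" overstates what the REPLACE does: the `(Client CN ..., Issuer ...)` text is simply not captured and is dropped, so "strip" is the accurate word, and "send" should read "sends"; "responsability" in the kept line is "responsibility".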
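Review bot: In the third hunk (@@ -1594), the same two-line regexp is now duplicated verbatim between the explanatory section and the `/etc/postfix/smtp_anonymize_sender.pcre` listing, so any further fix has to be applied twice; consider showing it once and referring to the file from the prose. The `.pcre` file name implies a `pcre:` lookup table, while the test command in the previous hunk uses `postmap -h -q - regex:/etc/postfix/smtp_header_checks`, a different path and a different engine; test with the exact table type and path that main.cf references so that constructs such as `\s`, `[[:xdigit:]]` and `${n}` are evaluated the way Postfix will evaluate them in production.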