Bug#1039580: exim4-config: Privacy patches, prevents hostname leaks when dc_hide_mailname='true'

Tue Jun 27 13:19:57 BST 2023

Package: exim4-config
Version: 4.96-16
Severity: normal
Tags: patch

Dear Maintainer,

Even when dc_hide_mailname is set, mails sent to remote hosts leak the local
intranet hostname. This is because of two reasons, which the below patch fixes.

1. Reason #1 is the Received: header added by exim4 as it receives the request
from the local MUA via /usr/sbin/sendmail. This patch simply removes this
header for mails sent outwards via the smarthost. (It preserves the header for
locally-sent mails, or for mails sent outwards when exim4 is configured as an
internet facing "regular" SMTP server.)

This matches the behaviour of ordinary SMTP clients that send directly to an
SMTP server without adding a Received: header, which is what "smarthost" is
supposed to emulate as I understand. For this reason, this patch does the
rewriting unconditionally, but it's easy to guard it via "ifdef HIDE_MAILNAME"
if that is preferred.

2. Reason #2 is the Message-ID. This patch rewrites the Message-ID domain name
to the configured DCreadhost, like how other headers are already rewritten.
exim4 doesn't support rewriting Message-ID in headers_rewrite, so we do it
using headers_add and headers_remove instead.

This rewriting is only in effect if HIDE_MAILNAME is on.

Patch:

~~~~

--- exim4.conf.template.orig	2023-06-25 21:26:18.964387306 +0100
+++ exim4.conf.template	2023-06-26 02:29:48.362735601 +0100
@@ -1733,6 +1742,12 @@
 .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
   tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
 .endif
+  # Don't add Received header when acting as a smarthost, to mimic regular SMTP clients
+  headers_remove = Received
+.ifdef HIDE_MAILNAME
+  headers_remove = Message-Id
+  headers_add = Message-Id: <${local_part:$h_message-id:}@DCreadhost>
+.endif
 .ifdef REMOTE_SMTP_HEADERS_REWRITE
   headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
 .endif
~~~~

It will need to be duplicated for the split-config, of course.


-- Package-specific info:
Exim version 4.96 #2 built 11-Jun-2023 16:20:21
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2022
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume move_frozen_messages DANE DKIM DNSSEC Event I18N OCSP PIPECONNECT PRDR Queue_Ramp SOCKS SRS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 external plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-security'), (300, 'unstable'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.3.0-1-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages exim4-config depends on:
ii  adduser                3.134
ii  debconf [debconf-2.0]  1.5.82

Versions of packages exim4-config recommends:
ii  ca-certificates  20230311

exim4-config suggests no packages.

-- Configuration Files:
/etc/exim4/exim4.conf.template changed [not included]
/etc/exim4/passwd.client [Errno 13] Permission denied: '/etc/exim4/passwd.client'

-- debconf information excluded

