Exim and usernames



#1 Bluesplinter

    King of the Ticket Pests


Posted 25 June 2010 - 09:26 AM

Who's the exim expert around here? :) I've been setting up dkim on my cloud instance (working great, btw), but in the process of studying all those email headers, I also noticed that the return-path is being set to the actual username@host.name.com. That feels a little insecure to me, since it reveals the host server, and the user's login name.

Is there a setting in exim.conf that can force this to the user's domain (ie, user@userdomain.com) or the email sender address? I know this can be set in individual php scripts with the -f flag, but is there somewhere *I* can set it to force it always on?

What's the best practice here?

Thanks :)
Steve

#2 CH-Jonathan

    Cartika Staff


Posted 25 June 2010 - 11:19 AM

Hi Steve,

http://forums.fedora...hp/t-23670.html may answer your question. However, it would have to list any user name that you want to give those permissions to.

Having said this, I'm not sure if there's any real benefit to hiding your username/server name that way as it could be found very quickly other ways (such as looking in the headers). Thus, personally, I'm not sure there's anything 'safer' about it (it would look aesthetically better, for sure though) one way or the other.


Jonathan M. Slivko
Senior Support Representative
Cartika, Inc.

#3 Bluesplinter

    King of the Ticket Pests


Posted 25 June 2010 - 12:19 PM

Hey Jonathan,

It's actually in the headers that I'm talking about. Here's an example (data changed, but still representative) showing the header parts that reveal the username/hostname:

Return-Path: <yoda@academy.jedi.com>
Received: from yoda by academy.jedi.com with local (Exim 4.71)
	(envelope-from <yoda@academy.jedi.com>)
Sender:  <yoda@academy.jedi.com>

However, ol' Yoda is actually sending a message from his own domain, and his email address is sabermaster@yoda.com. SOME php scripts correctly set these headers, so Yoda's real username isn't revealed, but not all scripts do this. I was hoping there was a "default" setting in Exim that would handle this for all local users. I'll check into that trusted users setting you linked to, but at first blush, it appears that just gives users the right to change the setting, it doesn't do it automatically.

From what I can find, this is due to suexec. On other systems, these headers are shown as nobody@hostname or apache@hostname, etc. That's kinda what I'd like to do here, I think, since some folks (me included) like to keep their real control panel username private.

Or, since these php scripts mostly use the php mail() function, which sends via sendmail (yes?), would it fix this issue to change the php.ini from sendmail to smtp? Or something...? :)

Steve

<added> I found where this can be set in sendmail, so short of another solution, I'll go that route </added>

Edited by Bluesplinter, 25 June 2010 - 12:53 PM.
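
The header exposure described in this thread can be checked mechanically. The following is an added example, not code from any poster or from Exim: a Python audit that flags Return-Path, Sender and Received lines naming a local account or host that differs from the From: domain. The sample message is constructed from the headers quoted above; its From: and Subject: lines and the name audit_headers are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the post, plus an assumed From: line.
SAMPLE = """\
Return-Path: <yoda@academy.jedi.com>
Received: from yoda by academy.jedi.com with local (Exim 4.71)
\t(envelope-from <yoda@academy.jedi.com>)
Sender:  <yoda@academy.jedi.com>
From: Yoda <sabermaster@yoda.com>
Subject: constructed test message

body
"""

# "from <user> by <host> with local" marks a message submitted by a local account.
LOCAL_RECEIVED = re.compile(r"from\s+(\S+)\s+by\s+(\S+)\s+with\s+local\b", re.I)
ENVELOPE_FROM = re.compile(r"\(envelope-from\s+<([^>]*)>\)", re.I)


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def audit_headers(raw):
    """Return (header, exposed_value, reason) tuples for one raw message."""
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    findings = []
    for name in ("Return-Path", "Sender"):
        for value in msg.get_all(name, []):
            addr = parseaddr(value)[1].lower()
            if addr and domain_of(addr) != from_domain:
                findings.append((name, addr, "domain differs from From:"))
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        local = LOCAL_RECEIVED.search(flat)
        if local:
            exposed = f"{local.group(1)}@{local.group(2)}".lower()
            findings.append(("Received", exposed, "local submission names account and host"))
        env = ENVELOPE_FROM.search(flat)
        if env and domain_of(env.group(1)) != from_domain:
            findings.append(("Received", env.group(1).lower(), "envelope-from differs from From:"))
    return findings


if __name__ == "__main__":
    for header, value, reason in audit_headers(SAMPLE):
        print(f"{header}: {value} ({reason})")
```

Running it against a message captured after a configuration change shows whether the envelope sender and the Sender: line still carry the login name.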


© 2012 Cartika Hosting. All rights reserved