[kwlug-disc] Self-hosted email leaks home IP address
Ron
ron at bclug.ca
Tue Mar 10 17:05:25 EDT 2026
Chris Irwin via kwlug-disc wrote on 2026-03-10 13:37:
> On Tue, Mar 10, 2026 at 01:00:14PM -0700, Ron wrote:
>>
>> Anyone running Postfix to self-host email and notice that their home
>> IP address is leaked in the first "Received: from" header?
>
> Question: What is your mail setup?
>
> I'm assuming:
>
> 1. Self-hosted SMTP on "cloud" somewhere, with a public IP address
This is the setup, yes.
> That SMTP server is public, it's IP is your domain's mx server, etc.
>
> 2. You as a client, sending outbound via (presumably authenticated) SMTP
>
> Your public SMTP server does the "normal" thing of adding a
> "received" header
Also correct.
> In this case, most hosted mail solutions don't do the "received" header
> for authenticated outbound user mail. Gmail (as you tested) or fastmail
> (which I tested), and presumably everything else.
Interesting. I suspect that hosting email for any medium sized org or
larger has given this topic consideration and removes the first Received
header. Which is good, IMHO.
>> I've got a temp work-around via header_checks:
>
> Also, does this only act on mail you're sending? Or will mail you're
> receiving be similarly altered?
All email - and every header of every email gets scanned.
It's suboptimal, I may implement a milter on submissions to change the
first header instead.
> Why not an IGNORE rule to just drop that record entirely?
I did have a STRIP in the past, and it's just come up again so I thought
I'd bring the topic up to see how others handle it.
I kinda like modifying the header, preserving some of the info like
message ID. But it's a work in progress at the moment.
Stalwart email does not add that first Received header, interestingly
enough...
More information about the kwlug-disc
mailing list