Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Remove X-Get-Message-Sender-Via header

Discussion in 'E-mail Discussion' started by LucasMS, Jul 3, 2013.

  1. LucasMS

    LucasMS Registered

    Joined:
    Mar 13, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    51
    Hi

    I noticed that the e-mails sent from php's mail() function are having the "X-Get-Message-Sender-Via" header added. In this header, the cpanel username is provided. I know this is useful to track the client from a webhost that is sending spam, but I only run my site in my server. How do I disable this header?

    For me, this is a security issue, since everybody now knows my username.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,352
    Likes Received:
    402
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    This may be helpful:
    WHM » Server Configuration » Tweak Settings, Mail tab:

     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. LucasMS

    LucasMS Registered

    Joined:
    Mar 13, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    51
    That option is already off.
     
  4. Bigwebmaster

    Bigwebmaster Active Member

    Joined:
    Dec 3, 2003
    Messages:
    31
    Likes Received:
    9
    Trophy Points:
    158
    Hi Lukas!

    Unfortunately as far as I can see there is no option to disable this. This line gets added in:

    /etc/exim.pl.local

    around line #1172:

    Code:
    sub check_mail_permissions_headers {
        "X-Get-Message-Sender-Via: " . ( $primary_hostname ||= Exim::expand_string('$primary_hostname') ) . ": " . get_sender_lookup_method();
    }
    and around line #1188:

    Code:
        # SMTP AUTH
        if ( $authenticated_id = Exim::expand_string('$authenticated_id') ) {
            $authenticated_id =~ s/[\r\n\f]//g;
            if ( $authenticated_id eq 'nobody' ) {
                if ($acl_c_vhost_owner) {
                    $authenticated_id = uid2user($acl_c_vhost_owner);
                }
                $sender_lookup_method = 'uid via acl_c_vhost_owner from authenticated_id: ' . $authenticated_id . ' from ' . $acl_c_vhost_owner_url;
            }
            else {
                $sender_lookup_method = 'authenticated_id: ' . $authenticated_id;       
            }
            $sender = $authenticated_id;
            $domain = getdomainfromaddress($authenticated_id);
    
            # If the sender owns the domain they are sending
            # from we can trust it
            ( $sender, $domain, $sender_lookup_method ) = resolve_authenticated_sender( $sender, $domain, $sender_lookup_method ) if $sender !~ tr/\@//;
    
            #Exim::log_write("!DEBUG! get_message_sender() got domain $domain from authenticated_id ($authenticated_id)");
        }
    In there is where it sets the username you are not wanting to be shown. I would probably rewrite that part slightly.

    Looks like you would need to override exim.pl.local if you want to have that removed. You may want to see this post on how to do that:

    http://forums.cpanel.net/f5/how-add-custom-perl-exim-pl-exim-pl-local-44639.html
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 Bigwebmaster, Jul 7, 2013
    Last edited: Jul 7, 2013
  5. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,480
    Likes Received:
    30
    Trophy Points:
    158
    cPanel Access Level:
    DataCenter Provider
    NOTE: The below modification is NOT supported, and may break in a future update


    If you are going to do something like this, it would probably be safer to do the following as its LESS likely to break in the future:

    Code:
    echo "sub check_mail_permissions_headers { ''; }" >> /usr/local/cpanel/etc/exim/perl/zzz_custom_overwrites
    /scripts/buildeximconf
    
     
  6. Bigwebmaster

    Bigwebmaster Active Member

    Joined:
    Dec 3, 2003
    Messages:
    31
    Likes Received:
    9
    Trophy Points:
    158
    Awesome Nick. Wasn't aware of the zzz_custom_overwrites. Is there any documentation with regards to zzz_custom_overwrites? Going to test that out now, seems much better way to deal with customization of that exim.pl.local file.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,480
    Likes Received:
    30
    Trophy Points:
    158
    cPanel Access Level:
    DataCenter Provider
    When you run buildeximconf all the perl code that is not disabled in /usr/local/cpanel/etc/exim/perl gets concatenated into /etc/exim.pl.local in lexicographical order (zzz_custom_overwrites is an arbitrary name that sorts to the end of the list). This isn't documented because its not something we support modifying as we may change how this system works in the future.
     
  8. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    334
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    If I may ask, what is the use of having the ability to enable/disable "Track email origin via X-Source email headers" in Tweak Settings -> Mail, if it's going to be enabled and apparently disabling through that setting does nothing?

    I remember going through this issue years and several cPanel versions ago, and that setting was supposed to fix it. In fact I remember at the time it *did* fix it...
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #8 MaraBlue, Feb 1, 2014
    Last edited: Feb 1, 2014
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,713
    Likes Received:
    1,883
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Are you sure it's not the "X-AntiAbuse headers" entry you are seeing in the mail header?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  10. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    334
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    Code:
    X-Get-Message-Sender-Via: host.domain.com: redirect/forwarder owner no-reply@domain.com -> my@gmail.com
    It's after the Anti-Abuse headers, but it shows the exact same information as the X-Source did/does, and divulges information I wouldn't want divulged, otherwise I wouldn't have set up a forward in the first place.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,713
    Likes Received:
    1,883
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    The tweak setting option you referenced only governs the additional inclusion of the X-SOURCE headers. You will need to open a feature request if you want to see the option to disable additional information from the message headers:

    Submit A Feature Request

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  12. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    334
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    I get that they are 2 different things, but you have to admit, it's STUPID to have one "feature" with the ability to be disabled, and yet another that discloses the exact same information unable to be disabled.

    Really, really stupid.

    And suppose I open a feature request. What's to stop cPanel from adding yet something else that discloses the same information?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice