Remove X-Get-Message-Sender-Via header

[LucasMS]

Hi

I noticed that the e-mails sent from php's mail() function are having the "X-Get-Message-Sender-Via" header added. In this header, the cpanel username is provided. I know this is useful to track the client from a webhost that is sending spam, but I only run my site in my server. How do I disable this header?

For me, this is a security issue, since everybody now knows my username.

 

[Infopro]

This may be helpful:
WHM » Server Configuration » Tweak Settings, Mail tab:

Track email origin via X-Source email headers [?]
Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)

 

[LucasMS]

That option is already off.

 

[Bigwebmaster]

Hi Lukas!

Unfortunately as far as I can see there is no option to disable this. This line gets added in:

/etc/exim.pl.local

around line #1172:

sub check_mail_permissions_headers {
    "X-Get-Message-Sender-Via: " . ( $primary_hostname ||= Exim::expand_string('$primary_hostname') ) . ": " . get_sender_lookup_method();
}

and around line #1188:

    # SMTP AUTH
    if ( $authenticated_id = Exim::expand_string('$authenticated_id') ) {
        $authenticated_id =~ s/[\r\n\f]//g;
        if ( $authenticated_id eq 'nobody' ) {
            if ($acl_c_vhost_owner) {
                $authenticated_id = uid2user($acl_c_vhost_owner);
            }
            $sender_lookup_method = 'uid via acl_c_vhost_owner from authenticated_id: ' . $authenticated_id . ' from ' . $acl_c_vhost_owner_url;
        }
        else {
            $sender_lookup_method = 'authenticated_id: ' . $authenticated_id;       
        }
        $sender = $authenticated_id;
        $domain = getdomainfromaddress($authenticated_id);

        # If the sender owns the domain they are sending
        # from we can trust it
        ( $sender, $domain, $sender_lookup_method ) = resolve_authenticated_sender( $sender, $domain, $sender_lookup_method ) if $sender !~ tr/\@//;

        #Exim::log_write("!DEBUG! get_message_sender() got domain $domain from authenticated_id ($authenticated_id)");
    }

In there is where it sets the username you are not wanting to be shown. I would probably rewrite that part slightly.

Looks like you would need to override exim.pl.local if you want to have that removed. You may want to see this post on how to do that:

http://forums.cpanel.net/f5/how-add-custom-perl-exim-pl-exim-pl-local-44639.html

 

[cPanelNick]

http://forums.cpanel.net/f5/how-add-custom-perl-exim-pl-exim-pl-local-44639.html

NOTE: The below modification is NOT supported, and may break in a future update


If you are going to do something like this, it would probably be safer to do the following as its LESS likely to break in the future:

echo "sub check_mail_permissions_headers { ''; }" >> /usr/local/cpanel/etc/exim/perl/zzz_custom_overwrites
/scripts/buildeximconf

 

[Bigwebmaster]

Awesome Nick. Wasn't aware of the zzz_custom_overwrites. Is there any documentation with regards to zzz_custom_overwrites? Going to test that out now, seems much better way to deal with customization of that exim.pl.local file.

 

[cPanelNick]

Awesome Nick. Wasn't aware of the zzz_custom_overwrites. Is there any documentation with regards to zzz_custom_overwrites? Going to test that out now, seems much better way to deal with customization of that exim.pl.local file.

When you run buildeximconf all the perl code that is not disabled in /usr/local/cpanel/etc/exim/perl gets concatenated into /etc/exim.pl.local in lexicographical order (zzz_custom_overwrites is an arbitrary name that sorts to the end of the list). This isn't documented because its not something we support modifying as we may change how this system works in the future.

 

[MaraBlue]

If I may ask, what is the use of having the ability to enable/disable "Track email origin via X-Source email headers" in Tweak Settings -> Mail, if it's going to be enabled and apparently disabling through that setting does nothing?

I remember going through this issue years and several cPanel versions ago, and that setting was supposed to fix it. In fact I remember at the time it *did* fix it...

 

[cPanelMichael]

If I may ask, what is the use of having the ability to enable/disable "Track email origin via X-Source email headers" in Tweak Settings -> Mail, if it's going to be enabled and apparently disabling through that setting does nothing?.

Are you sure it's not the "X-AntiAbuse headers" entry you are seeing in the mail header?

Thank you.

 

[MaraBlue]

X-Get-Message-Sender-Via: host.domain.com: redirect/forwarder owner [email protected] -> [email protected]

It's after the Anti-Abuse headers, but it shows the exact same information as the X-Source did/does, and divulges information I wouldn't want divulged, otherwise I wouldn't have set up a forward in the first place.

 

[cPanelMichael]

The tweak setting option you referenced only governs the additional inclusion of the X-SOURCE headers. You will need to open a feature request if you want to see the option to disable additional information from the message headers:

Submit A Feature Request

Thank you.

 

[MaraBlue]

I get that they are 2 different things, but you have to admit, it's STUPID to have one "feature" with the ability to be disabled, and yet another that discloses the exact same information unable to be disabled.

Really, really stupid.

And suppose I open a feature request. What's to stop cPanel from adding yet something else that discloses the same information?

 

[dag]

I realize it's an old thread, but the workaround still works, and saved me a ton of time. Thank you @cPanelMichael .