The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Remove X-Get-Message-Sender-Via header

Discussion in 'E-mail Discussions' started by LucasMS, Jul 3, 2013.

  1. LucasMS

    LucasMS Registered

    Joined:
    Mar 13, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Hi

    I noticed that the e-mails sent from php's mail() function are having the "X-Get-Message-Sender-Via" header added. In this header, the cpanel username is provided. I know this is useful to track the client from a webhost that is sending spam, but I only run my site in my server. How do I disable this header?

    For me, this is a security issue, since everybody now knows my username.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    This may be helpful:
    WHM » Server Configuration » Tweak Settings, Mail tab:

     
  3. LucasMS

    LucasMS Registered

    Joined:
    Mar 13, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    That option is already off.
     
  4. Bigwebmaster

    Bigwebmaster Member

    Joined:
    Dec 3, 2003
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    1
    Hi Lukas!

    Unfortunately as far as I can see there is no option to disable this. This line gets added in:

    /etc/exim.pl.local

    around line #1172:

    Code:
    sub check_mail_permissions_headers {
        "X-Get-Message-Sender-Via: " . ( $primary_hostname ||= Exim::expand_string('$primary_hostname') ) . ": " . get_sender_lookup_method();
    }
    and around line #1188:

    Code:
        # SMTP AUTH
        if ( $authenticated_id = Exim::expand_string('$authenticated_id') ) {
            $authenticated_id =~ s/[\r\n\f]//g;
            if ( $authenticated_id eq 'nobody' ) {
                if ($acl_c_vhost_owner) {
                    $authenticated_id = uid2user($acl_c_vhost_owner);
                }
                $sender_lookup_method = 'uid via acl_c_vhost_owner from authenticated_id: ' . $authenticated_id . ' from ' . $acl_c_vhost_owner_url;
            }
            else {
                $sender_lookup_method = 'authenticated_id: ' . $authenticated_id;       
            }
            $sender = $authenticated_id;
            $domain = getdomainfromaddress($authenticated_id);
    
            # If the sender owns the domain they are sending
            # from we can trust it
            ( $sender, $domain, $sender_lookup_method ) = resolve_authenticated_sender( $sender, $domain, $sender_lookup_method ) if $sender !~ tr/\@//;
    
            #Exim::log_write("!DEBUG! get_message_sender() got domain $domain from authenticated_id ($authenticated_id)");
        }
    In there is where it sets the username you are not wanting to be shown. I would probably rewrite that part slightly.

    Looks like you would need to override exim.pl.local if you want to have that removed. You may want to see this post on how to do that:

    http://forums.cpanel.net/f5/how-add-custom-perl-exim-pl-exim-pl-local-44639.html
     
    #4 Bigwebmaster, Jul 7, 2013
    Last edited: Jul 7, 2013
  5. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    NOTE: The below modification is NOT supported, and may break in a future update


    If you are going to do something like this, it would probably be safer to do the following as its LESS likely to break in the future:

    Code:
    echo "sub check_mail_permissions_headers { ''; }" >> /usr/local/cpanel/etc/exim/perl/zzz_custom_overwrites
    /scripts/buildeximconf
    
     
  6. Bigwebmaster

    Bigwebmaster Member

    Joined:
    Dec 3, 2003
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    1
    Awesome Nick. Wasn't aware of the zzz_custom_overwrites. Is there any documentation with regards to zzz_custom_overwrites? Going to test that out now, seems much better way to deal with customization of that exim.pl.local file.
     
  7. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    When you run buildeximconf all the perl code that is not disabled in /usr/local/cpanel/etc/exim/perl gets concatenated into /etc/exim.pl.local in lexicographical order (zzz_custom_overwrites is an arbitrary name that sorts to the end of the list). This isn't documented because its not something we support modifying as we may change how this system works in the future.
     
  8. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    335
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    If I may ask, what is the use of having the ability to enable/disable "Track email origin via X-Source email headers" in Tweak Settings -> Mail, if it's going to be enabled and apparently disabling through that setting does nothing?

    I remember going through this issue years and several cPanel versions ago, and that setting was supposed to fix it. In fact I remember at the time it *did* fix it...
     
    #8 MaraBlue, Feb 1, 2014
    Last edited: Feb 1, 2014
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Are you sure it's not the "X-AntiAbuse headers" entry you are seeing in the mail header?

    Thank you.
     
  10. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    335
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    Code:
    X-Get-Message-Sender-Via: host.domain.com: redirect/forwarder owner no-reply@domain.com -> my@gmail.com
    It's after the Anti-Abuse headers, but it shows the exact same information as the X-Source did/does, and divulges information I wouldn't want divulged, otherwise I wouldn't have set up a forward in the first place.
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    The tweak setting option you referenced only governs the additional inclusion of the X-SOURCE headers. You will need to open a feature request if you want to see the option to disable additional information from the message headers:

    Submit A Feature Request

    Thank you.
     
  12. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    335
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    I get that they are 2 different things, but you have to admit, it's STUPID to have one "feature" with the ability to be disabled, and yet another that discloses the exact same information unable to be disabled.

    Really, really stupid.

    And suppose I open a feature request. What's to stop cPanel from adding yet something else that discloses the same information?
     
Loading...

Share This Page