Remove X-Get-Message-Sender-Via header

LucasMS

Registered
Mar 13, 2008
4
0
51
Hi

I noticed that the e-mails sent from php's mail() function are having the "X-Get-Message-Sender-Via" header added. In this header, the cpanel username is provided. I know this is useful to track the client from a webhost that is sending spam, but I only run my site in my server. How do I disable this header?

For me, this is a security issue, since everybody now knows my username.
 

Bigwebmaster

Active Member
Dec 3, 2003
32
9
158
Hi Lukas!

Unfortunately as far as I can see there is no option to disable this. This line gets added in:

/etc/exim.pl.local

around line #1172:

Code:
sub check_mail_permissions_headers {
    "X-Get-Message-Sender-Via: " . ( $primary_hostname ||= Exim::expand_string('$primary_hostname') ) . ": " . get_sender_lookup_method();
}
and around line #1188:

Code:
    # SMTP AUTH
    if ( $authenticated_id = Exim::expand_string('$authenticated_id') ) {
        $authenticated_id =~ s/[\r\n\f]//g;
        if ( $authenticated_id eq 'nobody' ) {
            if ($acl_c_vhost_owner) {
                $authenticated_id = uid2user($acl_c_vhost_owner);
            }
            $sender_lookup_method = 'uid via acl_c_vhost_owner from authenticated_id: ' . $authenticated_id . ' from ' . $acl_c_vhost_owner_url;
        }
        else {
            $sender_lookup_method = 'authenticated_id: ' . $authenticated_id;       
        }
        $sender = $authenticated_id;
        $domain = getdomainfromaddress($authenticated_id);

        # If the sender owns the domain they are sending
        # from we can trust it
        ( $sender, $domain, $sender_lookup_method ) = resolve_authenticated_sender( $sender, $domain, $sender_lookup_method ) if $sender !~ tr/\@//;

        #Exim::log_write("!DEBUG! get_message_sender() got domain $domain from authenticated_id ($authenticated_id)");
    }
In there is where it sets the username you are not wanting to be shown. I would probably rewrite that part slightly.

Looks like you would need to override exim.pl.local if you want to have that removed. You may want to see this post on how to do that:

http://forums.cpanel.net/f5/how-add-custom-perl-exim-pl-exim-pl-local-44639.html
 
Last edited:

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,488
35
158
cPanel Access Level
DataCenter Provider

Bigwebmaster

Active Member
Dec 3, 2003
32
9
158
Awesome Nick. Wasn't aware of the zzz_custom_overwrites. Is there any documentation with regards to zzz_custom_overwrites? Going to test that out now, seems much better way to deal with customization of that exim.pl.local file.
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,488
35
158
cPanel Access Level
DataCenter Provider
Awesome Nick. Wasn't aware of the zzz_custom_overwrites. Is there any documentation with regards to zzz_custom_overwrites? Going to test that out now, seems much better way to deal with customization of that exim.pl.local file.
When you run buildeximconf all the perl code that is not disabled in /usr/local/cpanel/etc/exim/perl gets concatenated into /etc/exim.pl.local in lexicographical order (zzz_custom_overwrites is an arbitrary name that sorts to the end of the list). This isn't documented because its not something we support modifying as we may change how this system works in the future.
 

MaraBlue

Well-Known Member
May 3, 2005
334
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
If I may ask, what is the use of having the ability to enable/disable "Track email origin via X-Source email headers" in Tweak Settings -> Mail, if it's going to be enabled and apparently disabling through that setting does nothing?

I remember going through this issue years and several cPanel versions ago, and that setting was supposed to fix it. In fact I remember at the time it *did* fix it...
 
Last edited:

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
If I may ask, what is the use of having the ability to enable/disable "Track email origin via X-Source email headers" in Tweak Settings -> Mail, if it's going to be enabled and apparently disabling through that setting does nothing?.
Are you sure it's not the "X-AntiAbuse headers" entry you are seeing in the mail header?

Thank you.
 

MaraBlue

Well-Known Member
May 3, 2005
334
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
Code:
X-Get-Message-Sender-Via: host.domain.com: redirect/forwarder owner [email protected] -> [email protected]
It's after the Anti-Abuse headers, but it shows the exact same information as the X-Source did/does, and divulges information I wouldn't want divulged, otherwise I wouldn't have set up a forward in the first place.
 

MaraBlue

Well-Known Member
May 3, 2005
334
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
I get that they are 2 different things, but you have to admit, it's STUPID to have one "feature" with the ability to be disabled, and yet another that discloses the exact same information unable to be disabled.

Really, really stupid.

And suppose I open a feature request. What's to stop cPanel from adding yet something else that discloses the same information?