Re: About date spoofing

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Fri Mar 14 2008 - 11:18:19 CDT


Eddy Beliveau wrote:
> Hi! Ralf,
>
> I'm using postfix 2.5.1, I did the following
> - add the following line to my main.cf file:
> header_checks = regexp:/etc/postfix/maps/header_checks
> - create the file /etc/postfix/maps/header_checks with following content:
> /^Subject:/ WARN Subject
> /^(Date:.*)/ REPLACE X-$1
> - postmap that file
> - postfix reload
>
> Now, when I sent an email to my server,
> - there is NO header X-Date
> - The Date header is still there
>
> Here is an extract of the received email:
> Received: from hidden (unknown [hidden])
> by hidden.hec.ca (Postfix) with ESMTPA id DFB8ABAF13
> for <Eddy.Beliveauhec.ca>; Fri, 14 Mar 2008 10:19:12 -0400 (EDT)
> ...cut...
> Date: Fri, 14 Mar 2008 10:19:05 -0400
>
> Can you reproduce?
>
> Thanks,
> Eddy
>
> ----- Original Message ----- From: "Ralf Hildebrandt"
> <Ralf.Hildebrandtcharite.de>
>>> Is it possible for postfix to write the correct date on the incoming
>>> emails?
>>
>> You could try and remove the Date: Header using header_checks:
>>
>> /^Date:/ DISCARD
>> or
>> /^(Date:.*)/ REPLACE X-$1
>

Works as expected here; check the headers of this message.
I have postfix 2.6-20080216, but that shouldn't matter for
this test.

Do you have any received_override_options defined in master.cf?

Is the Subject warning logged as you defined?

Are you sure your mail had a Date: header to begin with?

my header_checks contains:
/^Subject: / WARN
/^(Date:.*)$/ REPLACE X-Submission-$1

When I send a mail, postfix logs:
Mar 14 11:00:20 mgate2 postfix/cleanup[98038]: EE83A7978A8:
replace: header Date: Fri, 14 Mar 2008 11:00:17 -0500 from
unknown[192.168.70.146]; from=<njonesexample.com>
to=<testexample.com> proto=ESMTP helo=<[192.168.70.146]>:
X-Submission-Date: Fri, 14 Mar 2008 11:00:17 -0500
Mar 14 11:00:20 mgate2 postfix/cleanup[98038]: EE83A7978A8:
warning: header Subject: header test mail from
unknown[192.168.70.146]; from=<njonesexample.com>
to=<testexample.com> proto=ESMTP helo=<[192.168.70.146]>

--
Noel Jones
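
The log check suggested in the reply above ("Is the Subject warning logged as you defined?") can be scripted. The following is an added example, not part of the original message: it scans postfix/cleanup log entries in the format quoted above and reports which header_checks actions were logged for a queue ID. The sample lines are constructed (addresses and the second queue ID are placeholders), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample entries modelled on the cleanup log lines quoted above.
# Syslog writes each entry on a single line; addresses are placeholders.
SAMPLE_LOG = """\
Mar 14 11:00:20 mgate2 postfix/cleanup[98038]: EE83A7978A8: replace: header Date: Fri, 14 Mar 2008 11:00:17 -0500 from unknown[192.168.70.146]; from=<sender@example.com> to=<test@example.com> proto=ESMTP helo=<[192.168.70.146]>: X-Submission-Date: Fri, 14 Mar 2008 11:00:17 -0500
Mar 14 11:00:20 mgate2 postfix/cleanup[98038]: EE83A7978A8: warning: header Subject: header test mail from unknown[192.168.70.146]; from=<sender@example.com> to=<test@example.com> proto=ESMTP helo=<[192.168.70.146]>
Mar 14 11:02:41 mgate2 postfix/cleanup[98051]: 1B2C3D4E5F6: message-id=<constructed@example.com>
"""

# queue ID, action keyword, matched header name, and the optional text that
# follows the helo=<...> field (for REPLACE this is the rewritten header).
ENTRY = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): (?P<action>[a-z]+): "
    r"header (?P<name>[^:\s]+): .* helo=<[^>]*>(?:: (?P<text>.*))?$"
)

def header_check_actions(log_text):
    """Map queue ID -> list of (action, header name, optional action text)."""
    actions = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m:
            actions[m["qid"]].append((m["action"], m["name"], m["text"]))
    return dict(actions)

def missing_actions(log_text, qid,
                    expected=(("replace", "Date"), ("warning", "Subject"))):
    """Return the expected (action, header) pairs that cleanup did NOT log."""
    seen = {(a, h) for a, h, _ in header_check_actions(log_text).get(qid, [])}
    return [pair for pair in expected if pair not in seen]

if __name__ == "__main__":
    for qid in ("EE83A7978A8", "1B2C3D4E5F6"):
        gaps = missing_actions(SAMPLE_LOG, qid)
        print(qid, "all rules logged" if not gaps else f"not logged: {gaps}")
```

A queue ID with no logged actions, like the second one here, means cleanup never applied the rules to that message, which is the case the questions above are trying to narrow down.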