Postfix

Hi!

I was wondering if it's possible to somehow add custom headers to all outgoing mail...

Specifically for tracking spam. In my own php scripts, I use the following to identify where the mail was sent from:
$headers .= "X-AntiAbuse: Server : ".$_SERVER['SERVER_NAME'].". Location : ".$_SERVER['PHP_SELF'].".\r\n";

But I need something in case other users on the system might develop or use an insecure php mail form on their site.

Even something like this would be very helpful:
X-AntiAbuse: <SERVERNAME>.
Or anything at all to identify the real hostname (not postfix host) or real userid (not www-data or server's username).

1. Is it possible in general?
2. Is it possible to make the php mail() function use these headers without needing to specify them in the script?

Many thanks in advance!
Julian Matz, Joint Chairperson, Asked:
 
ahoffmann Commented:
I guess that all scripts use php's mail() function; then simply disable that and replace it with your own one.
This wrapper mail() then can add whatever SMTP headers you like.

Then you only have those scripts insecure which write mail directly speaking SMTP on port 25, but that can be restricted too by using some special headers or commands known to your wrapper and postfix only.
0
 
ravenpl Commented:
You could consider http://www.lancs.ac.uk/~steveb/php-mail-header-patch/
Doing it in the MTA is a little too late, as script/virtualserver info is already lost.
0
 
ahoffmann Commented:
> Or anything at all to identify the real hostname (not postfix host) or real userid (not www-data or server's username).
what is the "real hostname" if not that of the web server?
what is the "real userid" if not that which runs the web server (and your php script)?

Silly question: how do you prove that the php script which you want to add these headers are not used for spamming?
0

 
Julian Matz, Joint Chairperson, Author Commented:
ravenpl, your suggestion looks promising, thanks. Is this applied to the actual php binary ?

ahoffmann, I may not have used a great choice of terminology. What I meant was the virtual host on which the php form resides, or the userid who owns the script.

<< how do you prove that the php script which you want to add these headers are not used for spamming?
I want to add these headers in case the scripts are used for spamming. What usually happens is that a spammer finds an insecure contact form on one of my servers (uploaded by one of the users on the server) and uses it to send spam to multiple addresses. Usually at least one mail bounces and comes back to me. The problem is that I cannot tell from the headers where the mail was sent from, i.e. which virtual host. If I had these custom headers and was able to tell which server name the form was submitted from, I could remove the form and offer the user a more secure alternative.

Hope this makes sense...
0
 
ahoffmann Commented:
> What I meant was the virtual host ..
aha, you defined: virtual=real
That's why I asked (I'm not used to such academic definitions;-)

> .. on which the php form resides,
your php form knows on which virtual host it resides, doesn't it?
$_SERVER['SERVER_NAME'] or $_SERVER['HTTP_HOST'] should give you what you want

> .. or the userid who owns the script.
hmm, silly question again: do you mean the user id of the file owner, or the user id which executes the script?

> If I had these custom headers ..
but that requires that you change *all* your insecure scripts.
Sounds like I still miss something: your question title is "postfix" hence something about MTAs, but we're talking about php scripts in your web server ... could you please give me the missing link.
0
 
Julian Matz, Joint Chairperson, Author Commented:
<< $_SERVER['SERVER_NAME'] or $_SERVER['HTTP_HOST'] should give you what you want
Yes, I know, but I have over 100 virtual users on my server. I make my own scripts as secure as possible, but other users on the server may not be aware of security issues and could upload their own stuff or someone else's script which may turn out to be a spammer's paradise :)

<< do you mean the user id of the file owner, or the user id which executes the script?
I mean the file owner or the owner whose home directory the script is stored in...

<< but that requires that you change *all* your insecure scripts.
Yes, but I can't keep track of all insecure scripts that are maintained by other users, but this is basically what I'm trying to do.

<< your question title is "postfix" hence something about MTAs, but we're talking about php
I was hoping that there was a way to configure the MTA to add the custom headers depending on which vhost the form was submitted from. It was my understanding that it was not possible to configure php or php.ini to do this. Only from the php script itself.

0
 
ravenpl Commented:
> ravenpl, your suggestion looks promising, thanks. Is this applied to the actual php binary ?
Unfortunately not. To the source, and then php needs to be recompiled/reinstalled.
0
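
One way to get the tagging this thread asks for without patching PHP or editing users' scripts, as an added example that is not part of the original thread: point PHP's `sendmail_path` at a per-vhost wrapper that stamps the header before handing the message to Postfix. The wrapper path, the `www.example.com` host name and the header layout are assumptions.

```python
#!/usr/bin/env python3
"""sendmail_path wrapper: stamp each PHP mail() message with its vhost.

Assumed per-vhost Apache setting (hypothetical path and host name):
  php_admin_value sendmail_path "/usr/local/bin/php-mail-tag www.example.com"
"""
import os
import re
import subprocess
import sys

SENDMAIL = ["/usr/sbin/sendmail", "-t", "-i"]  # Postfix sendmail interface
HEADER = b"X-AntiAbuse"


def clean(value):
    """Keep printable non-space ASCII so the tag cannot inject headers."""
    return re.sub(r"[^\x21-\x7e]", "", value)[:255].encode("ascii") or b"unknown"


def tag_message(raw, vhost, uid):
    """Prepend the tag and drop any X-AntiAbuse header the script supplied."""
    lines = raw.splitlines(keepends=True)
    eol = b"\r\n" if lines and lines[0].endswith(b"\r\n") else b"\n"
    kept, skipping, body_at = [], False, len(lines)
    for i, line in enumerate(lines):
        if not line.strip(b"\r\n"):
            body_at = i  # blank line: header block ends here
            break
        if skipping and line[:1] in b" \t":
            continue  # folded continuation of a dropped header
        skipping = line.lower().startswith(HEADER.lower() + b":")
        if not skipping:
            kept.append(line)
    tag = HEADER + b": Server: " + clean(vhost) + b"; UID: " + clean(uid) + eol
    return tag + b"".join(kept) + b"".join(lines[body_at:])


def main(argv):
    vhost = argv[1] if len(argv) > 1 else ""
    tagged = tag_message(sys.stdin.buffer.read(), vhost, str(os.getuid()))
    # Arguments PHP appends (mail()'s fifth parameter) are passed through.
    return subprocess.run(SENDMAIL + argv[2:], input=tagged).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Under mod_php the UID is the web server's, so the vhost argument carries the identification; PHP 5.3 and later can also add an `X-PHP-Originating-Script` header through the `mail.add_x_header` ini setting.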
Question has a verified solution.
