Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 528
  • Last Modified:

Postfix

Hi!

I was wondering if it's possible to somehow add custom headers to all outgoing mail...

Specifically for tracking spam. In my own php scripts, I use following to identify where the mail was sent from:
$headers .= "X-AnitAbuse: Server : ".$_SERVER['SERVER_NAME'].". Location : ".$_SERVER['PHP_SELF'].".\r\n";

But I need something in case other users on the system might develop or use an insecure php mail form on their site.

Even something like this would be very helpful:
X-AntiAbuse: <SERVERNAME>.
Or anything at all to identify the real hostname (not postfix host) or real userid (not www-data or server's username).

1. Is it possible in general?
2. Is it possible to make the php mail() function use these headers without needing to specify them in the script?

Many thanks in advance!
0
Julian Matz
Asked:
Julian Matz
  • 3
  • 2
  • 2
2 Solutions
 
ravenplCommented:
You could consider http://www.lancs.ac.uk/~steveb/php-mail-header-patch/
Doing it in MTA is little too late, as script/virtualserver info is already lost.
0
 
ahoffmannCommented:
> Or anything at all to identify the real hostname (not postfix host) or real userid (not www-data or server's username).
what is the "real hostname" if not that of the web server?
what is the "real userid" if not that which runs the web server (and your php script)?

Silly question: how do you prove that the php script which you want to add these headers are not used for spamming?
0
 
Julian MatzJoint ChairpersonAuthor Commented:
ravenpl, your suggestion looks promising, thanks. Is this applied to the actual php binary ?

ahoffmann, I may not have used a great choice of terminology. What I meant was the virtual host on which the php form resides, or the userid who owns the script.

<< how do you prove that the php script which you want to add these headers are not used for spamming?
I want to add these headers in case the scripts are used for spamming. What usually happens is that a spammer finds an insecure contact form on one of my servers (uploaded by one of the users on the server) and uses it to send spam to multiple addresses. Usually at least one mail bounces and comes back to me. The problem is that I cannot tell from the headers where the mail was sent from, i.e. which virtual host. If I had these custom headers and was able to tell which server name the form was submitted from, I could remove the form and offer the user a more secure alternative.

Hope this makes sense...
0
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

 
ahoffmannCommented:
> What I meant was the virtual host ..
aha, you defined: virtual=real
That's why I asked (I'm not used to such academic definitions;-)

> .. on which the php form resides,
you php form knows on which virtual host it resides, doesn't it?
$_SERVER['SERVER_NAME'] or $_SERVER['HTTP_HOST'] should give you what you want

> .. or the userid who owns the script.
hmm, silly question again: do you mean the user id of the file owner, or the user id which executes the script?

> If I had these custom headers ..
but that requieres that you change *all* your insecure scripts.
Sounds like I still miss something: your question title is "postfix" hence somwthing about MTAs, but we're talking about php scripts in your web server ... could please give me the missing link.
0
 
Julian MatzJoint ChairpersonAuthor Commented:
<< $_SERVER['SERVER_NAME'] or $_SERVER['HTTP_HOST'] should give you what you want
Yes, I know, but I have over 100 virtual users on my server. I make my own scripts as secure as possible, but other users on the server may not be aware of security issues and could upload their own stuff or someone else's script which may turn out to be a spammer's paradise :)

<< do you mean the user id of the file owner, or the user id which executes the script?
I mean the file owner or the owner whos home-directory the script is stored in...

<< but that requieres that you change *all* your insecure scripts.
Yes, but I can't keep track of all insecure scripts that are maintained by other users, but this is basically what I'm trying to do.

<< your question title is "postfix" hence somwthing about MTAs, but we're talking about php
I was hoping that there was a way to configure the mta to add the custom headers depending on which vhost the form was submitted from. It was my understanding that it was not possible to configure php or php.ini to do this. Only from the php script itself.

0
 
ravenplCommented:
> ravenpl, your suggestion looks promising, thanks. Is this applied to the actual php binary ?
Unfortunatelly not. To the source, and then php need to be recompiled/reinstalled.
0
 
ahoffmannCommented:
I guess that all scripts use php's mail() function, then simply disable that and replace with your own one
This wrapper mail() then can add whatever SMTP headers you like.

Then you only have those scripts insecure which write mail directly speaking SMTP on port 25, but that can be restricted too by using some special headers or commands known to your wrapper and postfix only.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 3
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now