I'm trying to send mail over a proxy (SSH tunnel or SOCKET proxy) with Postfix.

I tried to do something like that schema:

I'm using macOS with no firewall. The receiving client over browser has been omitted to simplify. The last element of the scheme is the mail server.

I want to replace my IP in the e-mail header, only for privacy (it will be however logged by the SOCKET Proxy or the SSH server).

Here is a standard mail header:

```
Return-Path: <sender@servermailsender.com>
X-Original-To: receiver@servermailreceiver.com
Delivered-To: receiver@servermailreceiver.com
Received: from host.servermailsender.com (unknown [111.111.111.111]) by
 mail.servermailreceiver.com (Postfix) with ESMTP id xxxxxxxxxxx for
 <receiver@servermailreceiver.com>; Fri, 20 Mar 2020 00:24:34 +0000 (UTC)
Received: by host.servermailsender.com (Postfix, from userid 501) id 6B2xxxxxxD9E;
 Fri, 20 Mar 2020 01:24:33 +0100 (CET)
Authentication-Results: mail.servermailreceiver.com; dmarc=none (p=none dis=none)
 header.from=servermailsender.com
Authentication-Results: mail.servermailreceiver.com; spf=none
 smtp.mailfrom=sender@servermailsender.com
Authentication-Results: mail.servermailreceiver.com; dkim=none
To: receiver@servermailreceiver.com
Subject: Subject
From: A <sender@servermailsender.com>
Reply-To: A <sender@servermailsender.com>
Mime-Version: 1.0
Content-Type: text/html
Message-Id: <20200xxxxxxxB08xxx@servermailsender.com>
.....
```

I don't want to show 111.111.111.111 (fourth line); I want to change it and I want to proxify my IP.

What I've done so far is:

1) Create a tunnel between my machine (127.0.0.1) and the proxy (proxyserver.com) by typing in the terminal of my machine:

```
ssh -D 2525 root@proxyserver.com
```

2) In `main.cf` I added the line `relayhost = [127.0.0.1]:2525`

But this configuration doesn't work.

Nothing arrives at the receiver client.

Help please.


EDIT:

header_checks mods ≠ proxify the IP

"Johannes H." told me to use header_checks with prechecks, but as you can see there are two fields that take the word Received.

This is written locally by 127.0.0.1:

```
Received: by host.servermailsender.com (Postfix, from userid 501) id 6B2xxxxxxD9E; Fri, 20 Mar 2020 01:24:33 +0100 (CET)
```

This is written remotely by servermailreceiver.com:

```
Received: from host.servermailsender.com (unknown [111.111.111.111]) by servermailreceiver.com (Postfix) with ESMTP id xxxxxxxxxxx for <receiver@servermailreceiver.com>; Fri, 20 Mar 2020 00:24:34 +0000 (UTC)
```

The second is not editable locally by changing prechecks on my machine (127.0.0.1 locally and 111.111.111.111 on the internet).

It's for this reason that I want to proxify my Postfix on 127.0.0.1 over a SOCKET proxy v4 or v5 or through an SSH tunnel.

  • I think `header_checks = pcre:/etc/postfix/header_checks` is not the answer because **servermailreceiver.com** logs the IP and it ends up in the mail. For this reason I want to use an SSH tunnel or a Socket Proxy. – Santino Santona Mar 20 '20 at 13:32
  • Ten months and no response. I think it's an important question... – Santino Santona Feb 08 '21 at 03:29

1 Answer

If all you want is to get rid of the client IP, there are easier ways than a proxy server. You can use header checks to just remove that part in outgoing email:

main.cf

```
header_checks = pcre:/etc/postfix/header_checks
```

header_checks

```
/^(Received:)\s+from.*(by your.hostname.*with ESMTPSA.*)$/   REPLACE $1 $2
```

If you really want a proxy (I don't quite see why you'd need one in your example though), you need to install a mail server that acts as a proxy on the intermediate/proxy server. Postfix can act as an SMTP proxy, so can NGINX (which is usually a web server / proxy), and a couple of specialized software packages.

Without any software on the proxy, all you can do is actually tunnel through it - in that case you need to bind a port on the proxy and forward it to the SMTP server (NOT tunnel from your PC to the proxy), and then direct your MUA to send the email via the proxy instead of your actual SMTP server.

However, if the SMTP server is reachable publicly, there is literally no benefit whatsoever in doing so. Literally anything arriving on the proxy will be forwarded through the tunnel; this includes possible attacks.

Johannes H.
  • Hi Johannes H. Excuse me, but I have not completely understood your answer. If I add `/^(Received:)\s+from.*(by camgirltools.net.*with ESMTPSA.*)$/ REPLACE $1 $2` to header_checks in the local Postfix server on 127.0.0.1, the header doesn't change in the mail (I think because the IP is logged by receiver@servermailreceiver.com). It's for this reason I wanna put an SSH tunnel on the proxy server without using another SMTP server to deliver mails, literally [you made me smile with camgirltools.net :)]. P.S. Attacks are solvable by closing the tunnel after the mail is sent. – Santino Santona Mar 20 '20 at 13:05
  • Yeah, I kind of forgot to adjust the regular expression ;D I copied that from my server config. I'll edit my post. – Johannes H. Mar 20 '20 at 15:05
  • However, reading your edit in your question above, I am not entirely sure I understand what exactly you are trying to achieve. Do you try to hide the IP address of the server your Postfix is running on? It might be helpful if you describe your current setup a bit more and explain which server is supposed to send mail to which other server and so on. – Johannes H. Mar 20 '20 at 15:08
  • Johannes H. -> I'm using the macOS machine you see at the base of the image, on which Postfix is installed (by default). I use this Postfix to send mail with my own mail client (thunderbolt on the same machine). The mail server you see at the top is **mail.server-receiver.com**, which also uses Postfix (as you can see in my "Edit"), of which I don't have access to the config files. **mail.server-receiver.com logs my IP 111.111.111.111** and I want to hide that using a proxy like SSH or SOCKET. Using a regular expression on 127.0.0.1 in header_checks is useless because it copies my IP in the logs. – Santino Santona Mar 20 '20 at 16:50
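
The two `Received` hops discussed in this thread, modelled in Python as an added example (not code from the question, the answer or Postfix): it shows which lines a sender-side `header_checks` REPLACE can rewrite and which one the receiving server stamps from the TCP peer address. Python's `re` stands in for the Postfix pcre table; the helper names, the `SUBMIT_HOP` line, the hostname filled into the rule and the relay address 203.0.113.10 are constructed assumptions.

```python
import re

# Constructed hop, copied from the local Received line quoted in the question.
LOCAL_HOP = ("Received: by host.servermailsender.com (Postfix, from userid 501) "
             "id 6B2xxxxxxD9E; Fri, 20 Mar 2020 01:24:33 +0100 (CET)")
# Constructed hop: what a submission server stamps for an authenticated client.
SUBMIT_HOP = ("Received: from laptop (unknown [111.111.111.111]) by "
              "host.servermailsender.com (Postfix) with ESMTPSA id xxxxxxx")

# The answer's rule with the hostname filled in (assumption); Python's re
# stands in for the Postfix pcre table, and \1 \2 for REPLACE $1 $2.
RULE = re.compile(
    r"^(Received:)\s+from.*(by host\.servermailsender\.com.*with ESMTPSA.*)$")


def sender_cleanup(headers):
    """Apply the REPLACE rule to headers that exist on the sending Postfix."""
    return [RULE.sub(r"\1 \2", h) for h in headers]


def receiver_accept(headers, peer_ip, helo):
    """The receiving MTA prepends a Received line built from the TCP peer."""
    stamp = (f"Received: from {helo} (unknown [{peer_ip}]) by "
             "mail.servermailreceiver.com (Postfix) with ESMTP id xxxxxxxxxxx")
    return [stamp] + headers


def exposed_ips(headers):
    """Bracketed IPv4 addresses in Received lines, newest hop first."""
    found = []
    for h in headers:
        if h.lower().startswith("received:"):
            found += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", h)
    return found


def deliver(local_headers, peer_ip, helo="host.servermailsender.com"):
    """Sender-side rewrite first, then the receiver stamps what it saw."""
    return receiver_accept(sender_cleanup(local_headers), peer_ip, helo)


if __name__ == "__main__":
    # Direct delivery: the rule cannot touch the line the receiver adds.
    print(exposed_ips(deliver([LOCAL_HOP], "111.111.111.111")))
    # Submission hop: here the rule does strip the client address.
    print(exposed_ips(sender_cleanup([SUBMIT_HOP])))
    # Via a relay (203.0.113.10 is a constructed documentation address).
    print(exposed_ips(deliver([LOCAL_HOP], "203.0.113.10", "proxyserver.com")))
```

The address in the top `Received` line is always that of whichever host opened the SMTP connection to the receiver, which is why only a relay in the path changes it.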