0

We have a security system set up where the first time a sold computer is booted up we get an e-mail from its destination to show it's been received. The police recommend we do this after a number of unfortunate scam attempts - all is working fine with Postfix on macOS, the caveat though is they want the originating IP address of the computer in the header to prove it's not an e-mail we've just sent ourselves.

I tested it with Google's SMTP and that worked just fine with the same settings, however as the delivered computers would appear in different parts of the world, Google's security would kick in and think our password had been stolen, so only 20% of emails were sent.

Postmark gets 100% delivery so far, it seems. The problem is, like other SMTP servers we've tested, it doesn't show the originating IP in the header; the X-Sf-Originating-Ip is their server.

Is there any way with Postfix headers we can force the public IP of the sender to be included in the header, or any settings in using Postmark's SMTP server we might have missed?

It seems most Postfix options are to exclude the public IP, not force it to be included.

Danny Shepherd

2 Answers

1

This is one of the cases where your own SMTP server would be ideal, as you

  • get to decide which information you would like to store.
  • avoid any region detection simply by not deploying such (the default).
  • won't reveal your Gmail (or other) password in configuration files.

Since most ISPs block port 25 due to spam, using submission on port 587, as I believe you are already doing with Gmail, would be necessary to get the mail through. However, even submission might be blocked. Certainly, if the abusers get to know how you are tracking them, they could easily block port 587 in their firewall.

Instead of SMTP I'd prefer using HTTPS on port 443 for this, as that's the port that's almost always available and, due to the wide use of HTTPS, seldom gets tampered with. A script or a program could try to load some web page after startup / by cron, e.g. https://example.com/imhere.php?serial=<S/N>.

On the other hand, if you want to stick to email, with your own dedicated server you could make SMTPS without STARTTLS use port 443 instead of the default 465. SMTPS without STARTTLS, like any TLS encrypted traffic, looks just like HTTPS.

Whatever you do, these are purely technical recommendations. Be sure this kind of tracking is not violating any of your local privacy or data protection regulations as well as of the countries of your customers. Don't try to be like Batman. :)

Esa Jokinen
  • I have tried a few SMTP suggestions. Blocking ports isn't too much of an issue as these are normal people, the scammers don't expect it to happen so don't preemptively block (and to be honest they're not that smart) and it's only one single e-mail upon first login to prove the actual item has been delivered to its location (or if it's been stolen en route, that someone has it and what their IP was when they first turned on!) I looked at doing it with EC2, but running an SMTP server through EC2 is really really hard due to all the security measures - hence going for Postmarkapp. – Danny Shepherd Jun 18 '17 at 12:26
0

I work on Postmark. While your solution can work technically, I would recommend against this approach:

When you ship your computers, and have this setup, I think you'd need to include a Postmark server token on the machine, and this can eventually be discovered by your customers, and they could end up using it to send email through your account on Postmark.

The server token should be treated just like a password, and shouldn't be shared with unknown parties like this.

An Alternative:

A much simpler approach to this problem would be to configure a webhook that can accept JSON payloads over HTTPS. This eliminates the need for Postfix, and will generally not end up being blocked by ISPs, since 443 is a standard port that is essentially ubiquitous on the web.

Your webhook could include useful information including

  • The public IP (which you can gather from a service like the following): curl https://api.ipify.org

  • The MAC addresses on the machine: ifconfig | grep 'ether'

  • The machine serial number or other information (https://apple.stackexchange.com/a/40244/15813)

There are a number of apps that can accept "JSON dumps" in a webhook that are publicly available, like https://requestb.in/ - I would recommend hosting this on your own server, as this is your record of requests. This would eventually look like the following:

curl -H "Content-Type: application/json" https://your-server-tracking.com/booted -d '{ "IP": "'"$(curl https://api.ipify.org)"'", "SERIAL": "'"$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')"'", "Date": "'"$(date)"'" }'

Other Notes:

  • You should make sure you're complying with the laws of what you're allowed to include in these machines, this seems like it could conflict with your customers' privacy.
  • You should confirm that this method provides adequate information for the police to investigate these cases. That being said, given that email headers can be added by anyone along the way, the method of adding an IP as outlined above is likely at least as reliable as what you would get with email headers. By the way, headers like X-Sf-Originating-Ip are non-standard, and any sender can put whatever they want to, in there.

Good luck!

Andrew Theken
  • Hi Andrew - that is a fantastic suggestion, thank you! A friend said something similar a while back, but when he said webhooks and JSON dumps I got scared, your explanation has made it simple! Even better I can still use Postmark on my own server to forward the JSON dump to my e-mail! Now all that's happening is the computer is doing an HTTP call home upon first setup. Just the same as software devs do for security reasons, it's in our privacy policy and TOS so it should be fine, for legit customers it's nothing more than them signing the package to let us know they have it :) – Danny Shepherd Jun 22 '17 at 23:23
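
Both answers propose an HTTPS call home in place of SMTP. The sketch below is an added example of the receiving side, not code from either answer: it stores the TCP source address the server itself observed next to the IP the client reports, so the record does not depend on a self-asserted value. The `/booted` path and the `IP` and `SERIAL` fields follow the curl command in the second answer; the port, size limits and `checkins.jsonl` file name are assumptions.

```python
import ipaddress
import json
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 4096  # constructed limit; a check-in payload is tiny

def build_record(peer_ip, body):
    """Validate a check-in body; return the record to store, or raise ValueError."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    serial = data.get("SERIAL")
    if not (isinstance(serial, str) and serial.isascii() and serial.isalnum()
            and len(serial) <= 32):
        raise ValueError("bad serial")
    claimed = data.get("IP")
    try:
        claimed = str(ipaddress.ip_address(claimed)) if isinstance(claimed, str) else None
    except ValueError:
        claimed = None  # keep the check-in, but do not store an unparsable claim
    observed = str(ipaddress.ip_address(peer_ip))
    return {
        "serial": serial,
        "observed_ip": observed,   # TCP source address seen by the server
        "claimed_ip": claimed,     # what the client says about itself
        "ip_matches": claimed == observed,
    }

class CheckIn(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", 0))
            if self.path != "/booted" or not 0 < length <= MAX_BODY:
                raise ValueError("bad request")
            record = build_record(self.client_address[0], self.rfile.read(length))
        except ValueError:
            self.send_response(400)
            self.end_headers()
            return
        record["received_at"] = datetime.now(timezone.utc).isoformat()  # server clock
        with open("checkins.jsonl", "a") as log:
            log.write(json.dumps(record) + "\n")
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    # Assumes direct exposure; behind a TLS proxy, client_address is the proxy.
    HTTPServer(("0.0.0.0", 8080), CheckIn).serve_forever()
```

If a reverse proxy terminates TLS in front of this process, the observed address has to come from the header that proxy itself sets, since `client_address` would then be the proxy.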