Suppress IP of authenticated senders in Sendmail

Messages sent by our users got sometimes caught in spam filters due to the fact that Sendmail (like any other reasonable MTA) adds a "Received: from" header with the IP address of the client who submitted the message. This quickly becomes a problem if the IP address is dynamically assigned, e.g. to a user's smartphone, but was previously abused, and is still listed on blacklists.

I was already aware of this problem, and I had it "fixed" on my Postfix installations long ago. I thought, it should be easy to do the same with Sendmail, i.e. suppress the IP address, or if need be the complete header. Much to my surprise I could hardly find any instruction for how to do this. And I thought that should be an FAQ!? Especially, since Sendmail is well established and way older than most other major MTAs.

I could find a few discussions, some 10 years old, of people who wondered how to suppress information that was revealing internal/Intranet network structures. I found practically nobody who was looking for how to surpass the spam filter issue. BTW, I did use more than 1 search engine ;-) Still, I am afraid that now that I am writing this people will send me lmgtfy links.

Anyway, what I did find was, for instance, Removing Sender’s IP Address From Email’s Received: From Header. This page popped up frequently when I searched for how to suppress headers, and it seems to be one of very few indeed. It even addresses my main problem. The author's approach is totally valid, and s/he explains things well and gives pointers. However, I did feel comfortable with completely removing the "from" part, and with redefining confRECEIVED_HEADER without honoring the defaults. I was also afraid that this might even break some other things (like our own spam filter rules).

Another solution that I could find about 2 times goes 1 big step furhter: It suggested to remove the HReceived line(s) from submit.cf altogether. This does work, and it does make some sense for submit.cf, however, only if 2 sendmail daemons are used where 1 is running with the submit.cf and listens to port 587. But, my server is a Debian box with only 1 daemon, and I thought there should be no need for a 2nd.


Joel's Compendium of Total Knowledge (search for Received:) is the only page I found that suggests what I thought was reasonable, i.e. introduce an if-then ($?…$|…$.) evaluating the variable {auth_type} to check whether the client has been authenticated:

define(`confRECEIVED_HEADER', `$?{auth_type}...

By the time I found Joel's advice I was already refreshing my sendmail.cf skills (The whole scoop of the configuration file was a valuable reintroduction). So, eventually, I tried to come up with my own version for confRECEIVED_HEADER.

On Debian, confRECEIVED_HEADER is originally defined in /usr/share/sendmail/cf/m4/cfhead.m4:

define(`_REC_AUTH_', `$.$?{auth_type}(authenticated')
define(`_REC_FULL_AUTH_', `$.$?{auth_type}(user=${auth_authen} $?{auth_author}author=${auth_author} $.mech=${auth_type}')
define(`_REC_HDR_', `$?sfrom $s $.$?_($?s$|from $.$_)')
define(`_REC_END_', `for $u; $|;
define(`_REC_TLS_', `(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})$.$?u')
define(`_REC_BY_', `$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}')
define(`confRECEIVED_HEADER', `_REC_HDR_
        _REC_AUTH_$?{auth_ssf} bits=${auth_ssf}$.)

So, even if you don't understand the sendmail.cf syntax you can see that confRECEIVED_HEADER is actually built by concatenating other variables. I wanted to stick to this format in order to re-use the defaults, _REC_HDR_ should be kept (to the best of my knowledge this is also an RFC requirement), nevertheless, it should be rewritten for authenticated senders.

So, in /etc/mail/sendmail.mc I added

dnl # suppress IP of authenticated sender
define(`confRECEIVED_HEADER',`$?{auth_type}from auth (localhost []) $|_REC_HDR_$.

Note: The leading spaces are actually 1 TAB!


Authenticated sender

Received: from auth (localhost []) by mail.fam.tuwien.ac.at
   (8.14.4/8.14.4/Debian-4) with ESMTP id sAHCoctq012610
   (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT);
   Mon, 17 Nov 2014 13:50:38 +0100

Intranet handoff

Received: from wiener.fam.tuwien.ac.at (wienernfs [])   
   by mail.fam.tuwien.ac.at (8.14.4/8.14.4/Debian-4) with ESMTP id
   for <schamane@fam.tuwien.ac.at>; Mon, 17 Nov 2014 17:17:45 +0100
Received: by wiener.fam.tuwien.ac.at (Postfix, from userid 501)   
   id AB3F9461; Mon, 17 Nov 2014 17:17:45 +0100 (CET)


Andreas Schamanek, 2014-11-18 22:46

By means of this approach we are suppressing an IP that might indeed be abused by the authenticated client. However, I don't think that this is of any concern. In such cases, the relaying mail server will be blacklisted anyway. I'll get notified, and I'll be able to stop the abuse. Besides, I have hourly and daily limits set for outgoing mail.

Enter your comment. Wiki syntax is allowed:
blog/141118_suppress_ip_of_authenticated_senders_in_sendmail.txt · Last modified: 2014-11-18 22:31 by andreas