Web page archived as of 2018-05-22. Some links & features might not work.

Suppress IP of authenticated senders in Sendmail

Messages sent by our users sometimes got caught in spam filters due to the fact that Sendmail (like any other reasonable MTA) adds a "Received: from" header with the IP address of the client that submitted the message. This quickly becomes a problem if the IP address is dynamically assigned, e.g. to a user's smartphone, but was previously abused, and is still listed on blacklists.

I was already aware of this problem, and I had it "fixed" on my Postfix installations long ago. I thought it should be easy to do the same with Sendmail, i.e. suppress the IP address, or if need be the complete header. Much to my surprise I could hardly find any instructions for how to do this. And I thought that should be an FAQ!? Especially since Sendmail is well established and way older than most other major MTAs.

I could find a few discussions, some 10 years old, of people who wondered how to suppress information that was revealing internal/Intranet network structures. I found practically nobody who was looking for how to surpass the spam filter issue. BTW, I did use more than 1 search engine ;-) Still, I am afraid that now that I am writing this people will send me lmgtfy links.

Anyway, what I did find was, for instance, Removing Sender’s IP Address From Email’s Received: From Header. This page popped up frequently when I searched for how to suppress headers, and it seems to be one of very few indeed. It even addresses my main problem. The author's approach is totally valid, and s/he explains things well and gives pointers. However, I did feel comfortable with completely removing the "from" part, and with redefining confRECEIVED_HEADER without honoring the defaults. I was also afraid that this might even break some other things (like our own spam filter rules).

Another solution that I could find about 2 times goes 1 big step further: It suggests removing the HReceived line(s) from submit.cf altogether. This does work, and it does make some sense for submit.cf, however, only if 2 sendmail daemons are used where 1 is running with the submit.cf and listens on port 587. But my server is a Debian box with only 1 daemon, and I thought there should be no need for a 2nd.


Joel's Compendium of Total Knowledge (search for Received:) is the only page I found that suggests what I thought was reasonable, i.e. introduce an if-then ($?…$|…$.) evaluating the variable {auth_type} to check whether the client has been authenticated:

define(`confRECEIVED_HEADER', `$?{auth_type}...

By the time I found Joel's advice I was already refreshing my sendmail.cf skills (The whole scoop of the configuration file was a valuable reintroduction). So, eventually, I tried to come up with my own version for confRECEIVED_HEADER.

On Debian, confRECEIVED_HEADER is originally defined in /usr/share/sendmail/cf/m4/cfhead.m4:

define(`_REC_AUTH_', `$.$?{auth_type}(authenticated')
define(`_REC_FULL_AUTH_', `$.$?{auth_type}(user=${auth_authen} $?{auth_author}author=${auth_author} $.mech=${auth_type}')
define(`_REC_HDR_', `$?sfrom $s $.$?_($?s$|from $.$_)')
define(`_REC_END_', `for $u; $|;
define(`_REC_TLS_', `(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})$.$?u')
define(`_REC_BY_', `$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}')
define(`confRECEIVED_HEADER', `_REC_HDR_
        _REC_AUTH_$?{auth_ssf} bits=${auth_ssf}$.)

So, even if you don't understand the sendmail.cf syntax you can see that confRECEIVED_HEADER is actually built by concatenating other variables. I wanted to stick to this format in order to re-use the defaults. _REC_HDR_ should be kept (to the best of my knowledge this is also an RFC requirement); nevertheless, it should be rewritten for authenticated senders.

So, in /etc/mail/sendmail.mc I added

dnl # suppress IP of authenticated sender
define(`confRECEIVED_HEADER',`$?{auth_type}from auth (localhost []) $|_REC_HDR_$.

Note: The leading spaces are actually 1 TAB!
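
How the $?{auth_type} … $| … $. test in this define selects the "from" part, as an added example (not from the original post and not Sendmail's own code): a simplified Python model of the conditional expansion, run over the define's first line and the default _REC_HDR_ shown above. The macro values are constructed samples, and the model assumes the remaining header pieces follow as in the default definition.

```python
import re

# Template text copied from the page with the m4 quoting removed. "[]" is kept
# exactly as the archived page shows it.
REC_HDR = "$?sfrom $s $.$?_($?s$|from $.$_)"
PATCHED = "$?{auth_type}from auth (localhost []) $|" + REC_HDR + "$."

# Alternatives: $?x (if), $| (else), $. (endif), $x or ${name}, literal text.
TOKEN = re.compile(r"\$\?(\{\w+\}|.)|\$(\|)|\$(\.)|\$(\{\w+\}|.)|([^$]+)")

def expand(template, macros):
    """Expand conditionals and macro references (simplified model).

    A macro counts as set only when its value is non-empty; conditionals nest.
    A conditional still open at the end of the text is tolerated, because on
    the page the next piece (_REC_AUTH_) begins with the closing $. itself.
    """
    out, depth = [], 0
    skipping = False  # inside a branch that is not taken
    skiplev = 0       # conditionals opened while already skipping
    for cond, els, fi, ref, text in TOKEN.findall(template):
        if cond:
            depth += 1
            if skipping:
                skiplev += 1
            else:
                skipping = not macros.get(cond.strip("{}"))
        elif els:
            if depth and skiplev == 0:
                skipping = not skipping
        elif fi:
            if depth:
                depth -= 1
                if skiplev == 0:
                    skipping = False
                else:
                    skiplev -= 1
        elif not skipping:
            out.append(macros.get(ref.strip("{}"), "") if ref else text)
    return "".join(out)

# Constructed sample values (documentation address range, made-up host names).
AUTH = {"auth_type": "PLAIN", "s": "phone.example",
        "_": "phone.example [203.0.113.7]"}
ANON = {"s": "client.example", "_": "client.example [203.0.113.7]"}

if __name__ == "__main__":
    print("default, authenticated:", repr(expand(REC_HDR, AUTH)))
    print("patched, authenticated:", repr(expand(PATCHED, AUTH)))
    print("patched, no AUTH      :", repr(expand(PATCHED, ANON)))
```

With the default _REC_HDR_ the authenticated client's address appears in the header; with the patched first line it appears only when {auth_type} is unset, so hand-offs from unauthenticated hosts keep their usual "from" part.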


Authenticated sender

Received: from auth (localhost []) by mail.fam.tuwien.ac.at
   (8.14.4/8.14.4/Debian-4) with ESMTP id sAHCoctq012610
   (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT);
   Mon, 17 Nov 2014 13:50:38 +0100

Intranet handoff

Received: from wiener.fam.tuwien.ac.at (wienernfs [])   
   by mail.fam.tuwien.ac.at (8.14.4/8.14.4/Debian-4) with ESMTP id
   for <schamane@fam.tuwien.ac.at>; Mon, 17 Nov 2014 17:17:45 +0100
Received: by wiener.fam.tuwien.ac.at (Postfix, from userid 501)   
   id AB3F9461; Mon, 17 Nov 2014 17:17:45 +0100 (CET)


Andreas Schamanek, 2014-11-18 22:46

By means of this approach we are suppressing an IP that might indeed be abused by the authenticated client. However, I don't think that this is of any concern. In such cases, the relaying mail server will be blacklisted anyway. I'll get notified, and I'll be able to stop the abuse. Besides, I have hourly and daily limits set for outgoing mail.

blog/141118_suppress_ip_of_authenticated_senders_in_sendmail.txt · Last modified: 2014-11-18 22:31 by andreas