Resolved how to hide IP in mail header and google SPF?

qtwrk

Hi, as we know, hiding the true server IP is a necessary measure to ensure a server's security.

So I use Cloudflare to hide my web server IP, and I set up mail with a different provider.

So the only problem I have right now is:

I have OpenCart on my server, so it has to send mail when a client makes an order and such.

And the mail header contains the server IP.

So how can I hide this?

I googled around and found something about modifying Postfix: /etc/postfix/main.cf, header_check, master.cf and something like that,

but didn't have much luck.
However, before editing there were 3 or 4 lines showing the true IP, but with the mod I found, it is down to 1.

The other thing that troubles me is this line:
I was sending from my site to my Gmail,

and the original mail shows this line: spf=neutral (google.com: XXX.XXX.XXX.XXX is neither permitted nor denied by ...etc

directly exposing my IP.

I also found something like mailgrid, Mailgun and such, but they seem to require PHP code modification to achieve the goal, which I am incapable of ...

Any idea how to hide the server IP in mail, please?

Or is there any way to relay mail from the original server to a proxy and then to the client? Then maybe the original IP will be covered by the proxy? But I think it could still be traceable ...
 
okay...

By using a relay like Mailgun, I managed to get rid of that Google SPF thing.

Now my problem is like this:

Code:
Received: from mydomain.com (mydomain.com [123.456.789.123]) by mxa.mailgun.org with ESMTP id 59190b1c.7f16e0194260-smtp-out-n02; Mon, 15 May 2017 01:57:48 -0000 (UTC)

I googled around and tried to get rid of that "Received" header, but no matter what mod I have done to /etc/postfix/master.cf, main.cf and header_checks, it just sticks there...
 
Hello there @qtwrk,

First off, you can do whatever, but the IP address is based off of the smtp_bind_address that's in main.cf (by default it uses any IP address that's on the server). The problem is that if you change that, it needs to be a valid IP address that can get out, otherwise your emails will not get sent out. This is assuming that the server is not behind a hardware firewall but instead connected directly to the internet (the server has a public IP address configured instead of NAT'd private IP addresses).

In all honesty, trying to hide the IP address is a moot point considering that there are ways to get the server's real IP even if it goes through services such as Cloudflare. If somebody really wants to know, they'll find out.

The only thing I can suggest is to use a Smart Host (also known as an email gateway) service to route your outgoing emails through, which will change the IP address in the header as it gets routed through the service. An added benefit with a Smart Host is that it can also add an extra layer of protection by scanning all outbound mails for viruses/malware and, if properly configured, makes sure that the mailbox is valid so people don't try to spoof it.

And there are plenty of Smart Host services available, you just need to find one that works for you. Just search for SMTP relay service, email gateway service, keywords like that, and you'll find a lot of different services that offer relays of a sort.
 
A normal smart host will publish the originating IP in its mail header. So you would need a smart host that's hiding that as well...
 
That is true, either way, the IP address is going to show up, just how much digging does someone want to go through to find it is the real question ;)
 
Well, actually, I have set up Mailgun as an SMTP relay, but it doesn't work, the original IP still shows.

I am thinking, I have a few idle VPSes around, which aren't as important as the main server. Can I use another VPS as the Postfix server and send mail from there?

I will try to edit "smtp_bind_address that's in main.cf"
 
Yes, you can configure another server as your email server, but if you're using a web script (like an email form) it's still going to show your original IP address no matter what. That second VPS will need to be configured as a web server as well, hosting your contacts page, if you want that VPS IP to be the only IP address to show. Also, you will not be able to use Plesk to manage any email accounts if you're planning on using it for normal email accounts as well (everything would need to be done manually).

Like what @mr-wolf pointed out (which slipped my mind since I didn't bother checking far in the original header when I was configuring my mail filters), the original IP address still shows, it just gets added towards the bottom as the email gets routed. For example:

Code:
ARC-Authentication-Results: i=1; mx.google.com;
      dkim=pass [email protected];
      spf=pass (google.com: domain of [email protected] designates 162.42.212.187 as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from simon-soft.com (mx02.simon-soft.com. [162.42.212.187])
       by mx.google.com with ESMTPS id w27si9121439pgm.391.2017.05.14.21.18.12
       for <[email protected]>
       (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
       Sun, 14 May 2017 21:18:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 162.42.212.187 as permitted sender) client-ip=162.42.212.187;
Authentication-Results: mx.google.com;
      dkim=pass [email protected];
      spf=pass (google.com: domain of [email protected] designates 162.42.212.187 as permitted sender) [email protected]
...
Received: from [(192.168.0.185)] by mx02.simonsoft with Simonsoft SMTP; Sun, 14 May 2017 21:18:11 -0700 (MST)
X-SM_EnvelopeFrom: [email protected]
X-SM_RECEIVED_ON: Sun, 14 May 2017 21:18:11 -0700 (MST)
Received: from exch.simonsoft.local (192.168.0.185) by EXCH (192.168.0.185) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Sun, 14 May 2017 21:18:10 -0700
Received: from exch.simonsoft.local ([::1]) by exch.simonsoft.local ([::1]) with mapi id 15.00.1293.002; Sun, 14 May 2017 21:18:10 -0700

The above shows that it goes from my email server (which is an Exchange), going to one of my email gateways (mx02), before hitting Google's email servers.

And like I said, even if you do edit smtp_bind_address it needs to be a valid routable address and it's still possible to show the real IP address.
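
Added example (not part of the thread or of any poster's message): a small Python audit of a message's Received chain that reports which host stamped each public client IP, and so whether local Postfix header rewriting could ever remove it. The sample headers, hostnames and the `own_hosts` parameter are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample (documentation-range IPs and example hostnames).
SAMPLE = """\
Received: from relay.example.net (relay.example.net. [198.51.100.25])
        by mx.recipient.example with ESMTPS id abc123;
        Mon, 15 May 2017 02:00:01 +0000
Received: from shop.example.com (shop.example.com [203.0.113.10])
        by relay.example.net with ESMTP id def456;
        Mon, 15 May 2017 01:59:58 +0000
Received: from localhost (localhost [127.0.0.1])
        by shop.example.com (Postfix) with ESMTP id 0A1B2C;
        Mon, 15 May 2017 01:59:57 +0000
Subject: Order confirmation

body
"""

# Loopback, RFC 1918 and IPv6 unique-local ranges reveal nothing routable.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]
BRACKETED = re.compile(r"[\[(]([0-9A-Fa-f:.]+)[\])]")

def received_hops(raw):
    """Return (stamping_host, [client IPs]) per Received header, newest first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())              # unfold continuation lines
        from_clause, _, rest = text.partition(" by ")
        stamped_by = rest.split()[0].rstrip(";") if rest else None
        ips = []
        for cand in BRACKETED.findall(from_clause):
            try:
                ips.append(ipaddress.ip_address(cand))
            except ValueError:                      # hostname-like text, not an IP
                pass
        hops.append((stamped_by, ips))
    return hops

def leaked_public_ips(raw, own_hosts):
    """List (ip, stamped_by, locally_removable) for every public client IP."""
    return [(str(ip), by, by in own_hosts)
            for by, ips in received_hops(raw) for ip in ips
            if not any(ip in net for net in INTERNAL)]
```

On the sample, the origin address 203.0.113.10 is reported as stamped by relay.example.net with `locally_removable` False: that header is written after the message has left the sending server, so only the relay can omit it.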
 
well well well.
thanks for the help.

I managed to hide it after all by using some provider that hides IP through their server.
 
Good to hear you were able to find a service that modifies it ;)

thanks.

now I am working on next problem...

The service provider seems to have some problem with Android devices, rendering me unable to send mail on my Android phone. Yet with all the same IMAP and SMTP settings I was able to do so in 10 PC mail clients and in iOS Mail, but I just can't get it working with Android.

WTF...

See, the funny thing about a one-man operation is that every time I work out 1 problem, I get 10 more problems coming in ...

argggggg , this project is just driving me nuts...
 