PCI-DSS 1.3.8 and Postfix

PCI-DSS requirement 1.3.8 states that you should not disclose private IP addresses or routing information to unauthorized parties. This usually means that you should check your web application, but if your application sends emails to your customers, you should also check the mail headers.

In order to do this with Postfix under a Debian-like distribution, you need the postfix-pcre package. Then add to main.cf:

header_checks = pcre:/etc/postfix/header_checks

In this file, put:

/^(Received: from [.a-z0-9]+ \([a-z0-9]+\.MYDOMAIN \[)10\.\d+\.\d+\.\d+(\]\)\s*by [.a-z0-9]+.*)/   REPLACE ${1}127.0.0.1$2

This should replace the IP address in every Received: header that corresponds to one of your own machines (in this sample, hosts in the domain MYDOMAIN with an address in the 10.0.0.0/8 range) with 127.0.0.1.
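To check such a rule offline before deploying it, here is an added Python example (not from the post) that parses a pcre(5)-style header_checks table and applies it to constructed Received headers the way Postfix does: first match wins, case-insensitive, and a folded multi-line header is matched as one logical header. The first rule is the one above; the second rule, which also covers hyphenated host names and the other RFC 1918 ranges, and the sample hosts are my own assumptions.

```python
import re

# Constructed header_checks table in Postfix pcre(5) syntax. Rule 1 is the one
# from the post; rule 2 is my own extension (an assumption) covering hyphenated
# host names and the other RFC 1918 ranges (172.16/12 and 192.168/16).
HEADER_CHECKS = r"""
/^(Received: from [.a-z0-9]+ \([a-z0-9]+\.MYDOMAIN \[)10\.\d+\.\d+\.\d+(\]\)\s*by [.a-z0-9]+.*)/   REPLACE ${1}127.0.0.1$2
/^(Received: from [-.a-z0-9]+ \([-a-z0-9]+\.MYDOMAIN \[)(?:10\.\d+\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+|192\.168\.\d+\.\d+)(\]\)\s*by [-.a-z0-9]+.*)/   REPLACE ${1}127.0.0.1$2
"""
# One table line is "/pattern/flags ACTION text"; flags are parsed, not applied.
RULE_RE = re.compile(r"^/((?:[^/\\]|\\.)*)/([A-Za-z!]*)\s+(\S+)(?:\s+(.*))?$")

def load_table(text):
    # Returns [(regex, ACTION, text)] in file order (order matters in Postfix).
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("bad pcre table line: " + line)
        pattern, _flags, action, arg = m.groups()
        # Postfix defaults: case-insensitive, and '.' matches newline so a
        # folded continuation line is part of the same logical header.
        rules.append((re.compile(pattern, re.IGNORECASE | re.DOTALL),
                      action.upper(), arg or ""))
    return rules

def apply_header_checks(rules, header):
    # Returns (action, header) for one logical header; first match wins.
    for regex, action, arg in rules:
        m = regex.search(header)
        if m is None:
            continue
        if action == "REPLACE":
            # Postfix $n / ${n} -> Python \g<n>; REPLACE emits the expanded text.
            return action, m.expand(re.sub(r"\$\{?(\d+)\}?", r"\\g<\1>", arg))
        return action, header
    return "DUNNO", header

# Constructed sample headers, folded the way Postfix writes them.
SAMPLES = {
    "internal_10": "Received: from mx1.mydomain (mx1.MYDOMAIN [10.20.30.40])\n\tby out.mydomain (Postfix) with ESMTP id 4F2A1",
    "internal_192": "Received: from mail-02.mydomain (mail-02.MYDOMAIN [192.168.5.6])\n\tby out.mydomain (Postfix) with ESMTP id 4F2A2",
    "external": "Received: from smtp.example.org (smtp.example.org [203.0.113.7])\n\tby out.mydomain (Postfix) with ESMTP id 4F2A3",
}

def rewrite_all():
    rules = load_table(HEADER_CHECKS)
    return {name: apply_header_checks(rules, h) for name, h in SAMPLES.items()}
```

On a real mail host, `postmap -q 'Received: ...' pcre:/etc/postfix/header_checks` runs the same lookup against the live table, which is the authoritative check before you restart Postfix.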

All the advice I found on this topic via Google was to simply drop the header, but I’m afraid that might not go over well with some antispam software. To do it properly, you should also alter the machine names in at least the following headers:

  • Received: from
  • Received: by
  • From
  • Message-id

Big fat warning

This will alter ALL email going through your SMTP server, including internal diagnostic emails. Losing headers might reduce the usefulness of such emails.
