Author Topic: Sender privacy - HELO string private IP revealed  (Read 2258 times)

das1996

Sender privacy - HELO string private IP revealed
« on: August 21, 2023, 08:20:23 pm »
While on Wi-Fi, sending an email using Aqua Mail reveals the sender's private IP (i.e. 192.168.1.123).

How can this be disabled, or changed? 

Please, no references to RFC compliance. Many other clients and almost all webmail obfuscate the sender's IP for privacy reasons.

Code:
Received: from [W.X.Y.Z] (port=55709 helo=[A.B.C.D])
        by smtp.domain.com with esmtpsa  (TLS1.2) tls

W.X.Y.Z = public IP
A.B.C.D = private IP

I understand the public IP cannot be hidden, but the HELO string is definitely a function of the email client.

Thank you

Boga

Re: Sender privacy - HELO string private IP revealed
« Reply #1 on: August 24, 2023, 05:11:26 pm »
Interestingly, Apple Mail uses the local machine name, i.e. [localhost.localdomain], and also adds an X-Mailer header, which together are arguably a more useful data leak...

A private IP address is less to be concerned about since it isn't routable and others' assumption will be that it is dynamically assigned via DHCP, although it does still give an idea of network setup.

The thing about the RFC is that some SMTP servers are configured to reject an invalid HELO or EHLO.

With webmail, there is no local client, as such.

I'm not aware that any config option is exposed by Aqua Mail.

FairEmail does give a choice to "Use local IP address instead of host name" and also provides a dummy hostname of dummy.faircode.eu -- although that is basically the equivalent of adding X-Mailer as well. Of course, you could compile your own version of FairEmail which went completely off-piste at your own risk... Depends how big of an issue it is for you.

But Aqua Mail's approach is a not unreasonable implementation choice.

das1996

Re: Sender privacy - HELO string private IP revealed
« Reply #2 on: September 14, 2023, 09:09:07 am »
@Boga FairEmail has some other nice privacy-based features such as stripping URLs of tracking code. I'm still testing it, but while slow, it seems more featureful.

As for the issue at hand, if I'm using FairEmail then the problem is easily solved by spoofing the HELO header. If I end up using Aqua Mail, I will need to use my own SMTP to strip all client headers before sending the message further out.
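
One way to check what a given client puts in its HELO, as an added example that is not part of the original posts: send yourself a test message, save its raw source, and scan the Received headers. The helo= token format follows the header quoted in the first post; the sample message, its addresses and smtp.example.com are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# helo=... token as written in the Received header quoted in the thread;
# the surrounding [ ] of an address literal are optional and not captured.
HELO_RE = re.compile(r"helo=\[?([^\s\])]+)\]?")

# Constructed sample: one client announcing a LAN address, one a machine name.
SAMPLE = """\
Received: from [203.0.113.7] (port=55709 helo=[192.168.1.123])
        by smtp.example.com with esmtpsa  (TLS1.2) tls
Received: from [203.0.113.7] (port=55710 helo=[localhost.localdomain])
        by smtp.example.com with esmtpsa  (TLS1.2) tls
Subject: HELO test

body
"""


def classify_helo(value):
    """Label a HELO value as a private IP, a public IP, or a hostname."""
    try:
        # IPv6 address literals are written as [IPv6:...] in SMTP.
        addr = ipaddress.ip_address(value.removeprefix("IPv6:"))
    except ValueError:
        return "hostname"
    # is_private covers RFC 1918 space plus loopback, link-local and
    # documentation ranges, none of which are publicly routable.
    return "private-ip" if addr.is_private else "public-ip"


def helo_leaks(raw_message):
    """Return (helo_value, label) for each Received header carrying helo=."""
    msg = message_from_string(raw_message)
    findings = []
    for header in msg.get_all("Received", []):
        unfolded = " ".join(header.split())  # undo header line folding
        match = HELO_RE.search(unfolded)
        if match:
            findings.append((match.group(1), classify_helo(match.group(1))))
    return findings


if __name__ == "__main__":
    for value, label in helo_leaks(SAMPLE):
        print(f"{label:10} {value}")
```

Only servers that record the HELO value in this helo= form will match; other MTAs write the Received line differently and would need their own pattern.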