starred/nmail
1
0
Fork 0
mirror of https://github.com/d99kris/nmail.git synced 2026-04-26 09:46:01 +03:00
Code Issues Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #96] [Privacy/Security] Agent string and local system hostname in MessageID field of sent e-mails #82

New issue
Closed
opened 2026-03-03 01:19:40 +03:00 by kerem · 7 comments
kerem commented 2026-03-03 01:19:40 +03:00
Owner
Copy link

Originally created by @krackout on GitHub (Mar 31, 2022).
Original GitHub issue: https://github.com/d99kris/nmail/issues/96

Originally assigned to: @d99kris on GitHub.

I've noticed that on e-mails sent by nmail, the content of Message-ID field is:
Message-ID: <nmail.3.62.624368d7.2eb141f2.263@LocalSystemHostName>

Sending from the same account through other MUA,
Message-ID: <da5be6a2-1a3f-a87d-0c10-ae0785653362@Mail_Domain.com>

Privacy and security wise, I suggest to remove the content of this field and substitute it with something generalized or random. Or remove the field completely if possible. It leaks the MUA, its version and the local hostname of the system of the sender.

MUA string is not considered a problem and usually presented, but still it can be hidden as an option on most MUAs (it's an info for a possible attacker). But the local hostname should be removed.

Originally created by @krackout on GitHub (Mar 31, 2022). Original GitHub issue: https://github.com/d99kris/nmail/issues/96 Originally assigned to: @d99kris on GitHub. I've noticed that on e-mails sent by nmail, the content of Message-ID field is: `Message-ID: <nmail.3.62.624368d7.2eb141f2.263@LocalSystemHostName>` Sending from the same account through other MUA, `Message-ID: <da5be6a2-1a3f-a87d-0c10-ae0785653362@Mail_Domain.com>` Privacy and security wise, I suggest to remove the content of this field and substitute it with something generalized or random. Or remove the field completely if possible. It leaks the MUA, its version and the local hostname of the system of the sender. MUA string is not considered a problem and usually presented, but still it can be hidden as an option on most MUAs (it's an info for a possible attacker). But the local hostname should be removed.
kerem closed this issue 2026-03-03 01:19:40 +03:00
kerem commented 2026-03-03 01:19:41 +03:00
Author
Owner
Copy link

@d99kris commented on GitHub (Mar 31, 2022):

Ok, will take a look at this. The current Message-ID was based, like a lot of other things, on the alpine email client.

<!-- gh-comment-id:1084502495 --> @d99kris commented on GitHub (Mar 31, 2022): Ok, will take a look at this. The current `Message-ID` was based, like a lot of other things, on the `alpine` email client.
kerem commented 2026-03-03 01:19:41 +03:00
Author
Owner
Copy link

@d99kris commented on GitHub (Mar 31, 2022):

Btw, short-term you can override sender hostname using the sender_hostname config parameter. The email client name and version will still be visible though.

<!-- gh-comment-id:1084505413 --> @d99kris commented on GitHub (Mar 31, 2022): Btw, short-term you can override sender hostname using the `sender_hostname` config parameter. The email client name and version will still be visible though.
kerem commented 2026-03-03 01:19:41 +03:00
Author
Owner
Copy link

@krackout commented on GitHub (Mar 31, 2022):

I tried sender_hostname, it works fine. It's ok for me, you can close this if you like, leaving user agent as is. I'll change the text describing the issue.

<!-- gh-comment-id:1084531608 --> @krackout commented on GitHub (Mar 31, 2022): I tried `sender_hostname`, it works fine. It's ok for me, you can close this if you like, leaving user agent as is. I'll change the text describing the issue.
kerem commented 2026-03-03 01:19:41 +03:00
Author
Owner
Copy link

@d99kris commented on GitHub (Apr 3, 2022):

I checked Thunderbird and it generates (as an example) 305687c5-17fa-e4b1-aad8-3832799e8a21@gmail.com when sending from a gmail account. I think nmail could be changed to follow a similar format.

<!-- gh-comment-id:1086841598 --> @d99kris commented on GitHub (Apr 3, 2022): I checked `Thunderbird` and it generates (as an example) `305687c5-17fa-e4b1-aad8-3832799e8a21@gmail.com` when sending from a gmail account. I think `nmail` could be changed to follow a similar format.
kerem commented 2026-03-03 01:19:41 +03:00
Author
Owner
Copy link

@d99kris commented on GitHub (Apr 10, 2022):

A fix for this has been implemented now in above commit, so nmail generates a uuid.

Take note that nmail still passes its hostname as part of smtp authentication, unless sender_hostname is configured. The mail service provider may choose to include this hostname in the email headers.

<!-- gh-comment-id:1094266679 --> @d99kris commented on GitHub (Apr 10, 2022): A fix for this has been implemented now in above commit, so nmail generates a uuid. Take note that nmail still passes its hostname as part of smtp authentication, unless `sender_hostname` is configured. The mail service provider may choose to include this hostname in the email headers.
kerem commented 2026-03-03 01:19:41 +03:00
Author
Owner
Copy link

@d99kris commented on GitHub (Aug 14, 2022):

The option sender_hostname has been deprecated as of ba2a192 and instead a new option send_hostname has been added, to control whether to send client hostname in SMTP authentication (default enabled). One can disable it and then nmail behaves similarly to Thunderbird, sending [local ipaddress] (ex: [192.168.0.12] as hostname during SMTP authentication.

Message-id generation is unaffected and continous to use a uuid.

<!-- gh-comment-id:1214322731 --> @d99kris commented on GitHub (Aug 14, 2022): The option `sender_hostname` has been deprecated as of ba2a192 and instead a new option `send_hostname` has been added, to control whether to send client hostname in SMTP authentication (default enabled). One can disable it and then `nmail` behaves similarly to `Thunderbird`, sending `[local ipaddress]` (ex: `[192.168.0.12]` as hostname during SMTP authentication. Message-id generation is unaffected and continous to use a uuid.
kerem commented 2026-03-03 01:19:41 +03:00
Author
Owner
Copy link

@d99kris commented on GitHub (Jun 25, 2023):

The option send_hostname has been deprecated and instead send_ip has been added (enabled by default). Enabling this by default is made possible by incorporating a custom version of the underlying libetpan library with improved support for smtp handshake using IP address (instead of hostname).

<!-- gh-comment-id:1605936220 --> @d99kris commented on GitHub (Jun 25, 2023): The option `send_hostname` has been deprecated and instead `send_ip` has been added (enabled by default). Enabling this by default is made possible by incorporating a custom version of the underlying `libetpan` library with improved support for smtp handshake using IP address (instead of hostname).
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
v5.11.4
v5.10.3
v5.9.2
v5.8.9
v5.7.3
v5.6.3
v5.5.1
v5.4.7
v5.3.5
v5.2.2
v5.1.16
v4.67
v4.54
v4.35
v4.30
v4.23
v4.20
v4.06
v3.89
v3.74
v3.62
v3.53
v3.50
v3.48
v3.42
v3.41
v3.23
v3.10
v2.68
v2.66
v2.56
v2.54
v2.29
v2.21
v2.12
v2.11
v2.10
v1.99
v1.98
v1.97
v1.96
v1.95
v1.94
v1.75
v1.70
v1.53
v1.11
v0.99
Labels
Clear labels   
bug

   
enhancement

   
pull-request

Mirrored from GitHub Pull Request

  
question
No labels
bug
enhancement
pull-request
question
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/nmail#82
No description provided.