Re: [Evolution] evolution discloses private information in an email header.

[Eugene <eugene bct bz>]

Hi Pete,

There is nothing to do with the paranoia here but rather a very bad implementation decision in my opinion.
I have nothing against using a hostname _derivative_ to the right of @ in Message-ID.

Let me explain.

Internal Hostname I am using is not exposed via Received: headers because there is
1. a NAT gateway with a different reverse DNS.
2. evolution does not use host name in SMTP handshake.

So the typical evolution yahoo sent email headers appear at the recipient mailbox as

Received: from [internal_IP_numerical] (yahoo_login external_numerical with plain)
by smtp215.mail.gq1.yahoo.com with SMTP; 19 Jan 2013 16:47:02 -0800 PST
Message-ID: <1358642821 23122 1 camel internal_hostname internal_domainname>
Subject: .....
From: yahoo_login yahoo com

Here are Thunderbird headers

Received: from [internal_IP_numerical] (yahoo_login external_numerical with plain)
by smtp109.mail.ne1.yahoo.com with SMTP; 19 Jan 2013 16:43:41 -0800 PST
Message-ID: <50FB3DB8 6030801 yahoo com>
Date: Sat, 19 Jan 2013 19:43:36 -0500
Subject: .....
From: yahoo_login yahoo com

What I am trying to request here is that Message-ID should not use _plain text_ 
internal_hostname.internal_domainname.
The simplest solution in my opinion is to use any kind of one way encryption for the existing right of @ part.
This would preserve all existing Message-ID logic and completely hide internal_hostname.internal_domainname.
Adding sender email domain (after encrypted part) aka Thunderbird is optional...

Is my explanation clear?

Regards,
Eugene.


15.01.2013, 04:40, "Pete Biggs" <pete biggs org uk>:
> >  Comparing Message-Id: header sent while connected to yahoo.com via
> >  imap in messages sent by Evolution and Thunderbird I discovered that
> >  Evolution uses @fqdn or just @hostname if fqdn is not available while
> >  Thunderbird always uses @yahoo.com.
> >
> >  I am using Evolution to access multiple email accounts with different
> >  providers and having my own fqdn in every message headers seems just
> >  plain unacceptable. Is there a way to remove my fqdn from Message-Id:
> >  header and use email domain like Thunderbird?
>
> Isn't the hostname you are using exposed through the Received: headers
> as well? If so, then surely no extra "private" information is disclosed
> by using the hostname in the Message-Id:?
>
> In any case, RFC 2822 has this to say about constructing the Message-Id
> header:
>
>    The message identifier (msg-id) itself MUST be a globally unique
>    identifier for a message.  The generator of the message identifier
>    MUST guarantee that the msg-id is unique.  There are several
>    algorithms that can be used to accomplish this.  Since the msg-id has
>    a similar syntax to angle-addr (identical except that comments and
>    folding white space are not allowed), a good method is to put the
>    domain name (or a domain literal IP address) of the host on which the
>    message identifier was created on the right hand side of the "@", and
>    put a combination of the current absolute date and time along with
>    some other currently unique (perhaps sequential) identifier available
>    on the system (for example, a process id number) on the left hand
>    side.  Using a date on the left hand side and a domain name or domain
>    literal on the right hand side makes it possible to guarantee
>    uniqueness since no two hosts use the same domain name or IP address
>    at the same time.  Though other algorithms will work, it is
>    RECOMMENDED that the right hand side contain some domain identifier
>    (either of the host itself or otherwise) such that the generator of
>    the message identifier can guarantee the uniqueness of the left hand
>    side within the scope of that domain.
>
> So, as usual, Evolution is following the recommendations of the RFC.  On
> the other hand, if Thunderbird uses @yahoo.com, then there is no
> guarantee that the msg-id is unique (unless, of course, they encode your
> host address in the header some other way).
>
> To be honest, if you are paranoid about such information leaking about
> you, then you need to worry about a lot more than how your MUA
> constructs the Message-Id: header.
>
> P.