Managing Postfix Headers
Postfix lets you inspect and rewrite message headers using header_checks [1]. It is relatively simple, although, as always, you will (as I do) mess up the required regular expressions now and again.
The simple cases discussed here are not in that territory, however.
The overall process
- Configure Postfix to enable header_checks.
- Edit the header_checks file and add the regular expressions needed.
- Run postmap to rebuild the database.
- Restart postfix.
- Troubleshoot.
1. Configure postfix
Add the following line to /etc/postfix/main.cf, if it is not already there.
smtp_header_checks = regexp:/etc/postfix/header_checks.cf
2. Header Check File
Add your regular expressions to the /etc/postfix/header_checks.cf file.
Examples follow below.
3. Rebuild Database
Run postmap against the header checks file, using the hash: type followed by the path to the file:
# postmap hash:/etc/postfix/header_checks.cf
4. Restart Postfix
This is as simple as running the following (if your distro uses the systemd init system):
# systemctl restart postfix
5. Troubleshooting
First, make sure that no receive_override_options are specified for Postfix, by running:
# grep -Frail receive_override_options /etc/postfix/
If main.cf and/or master.cf contain such overrides, adjust them accordingly, or comment the respective overrides out.
Use postconf to verify the new setting in main.cf:
# postconf -n | grep header
This should output something similar to:
smtp_header_checks = regexp:/etc/postfix/header_checks.cf
Always check your regular expressions before deploying them to production. Several tools are available to help with that. I prefer CyberChef [3] [4].
For privacy
Removing the Received headers, which give away the hostname/IP of the sending client, together with other telltale headers is as simple as adding the following to /etc/postfix/header_checks.cf:
/^Received:/ IGNORE
/^User-Agent:/ IGNORE
This removes internal host names and IPs from the mail header.
As discussed above, run postmap, then restart postfix.
# postmap hash:/etc/postfix/header_checks.cf
# systemctl restart postfix
# postconf -n | grep header
For Red Teaming: Bypassing mail-filters
Many companies use a third party to perform phishing tests. Some of those use a well-known X-header to bypass spam filtering [2]. Thus the only thing you have to do to get past that pesky filter is to add that header. Below is an example taken from [2].
/^Subject:/i PREPEND X-PhishTest: KnowBe4
Again, after changing header_checks.cf, run postmap, then restart postfix.
# postmap hash:/etc/postfix/header_checks.cf
# systemctl restart postfix
# postconf -n | grep header
Believe it or not, it really is true. Several vendors really do ask their customers to drill a huge hole in their e-mail defenses [2].
Some other headers useful for shenanigans:
X-ThreatSim-Header: http://whateva
X-ThreatSim-ID: {GUID}
X-Gophish-Contact:
X-Gophish-Signature:
X-PhishMe:
X-PhishMe-Tracking:
X-CanIPhish:
Nevertheless, do not use these headers on your production system! Only use them in a pentest or red teaming exercise that you have been given permission to perform.
Other examples
Another example is hiding which AV scanner your setup uses, which can be done by specifying:
/^X-Virus-Scanned:/i REPLACE X-Virus-Scanned: Trend Micro
This replaces the actual scanner details with the text "Trend Micro".
The complete header_checks.cf
The complete header_checks.cf file would then contain the following:
/^Subject:/i PREPEND X-PHISHTEST: KnowBe4
/^X-Virus-Scanned:/i REPLACE X-Virus-Scanned: Trend Micro
/^Received:/ IGNORE
/^User-Agent:/ IGNORE
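To see exactly what a rule set will do to a message before it goes live, the following Python script is an added example (not part of the original post, and not Postfix code): it parses the complete header_checks.cf above in the regexp_table(5) format, applies first-match-wins to each header line, and runs the rules over a constructed header block. It follows regexp_table(5) in treating matching as case-insensitive by default, with the i flag toggling that, so the /i rules above match only a capitalised header name.

```python
import re
# The complete header_checks.cf from this page, embedded as the rule set to test.
HEADER_CHECKS = """\
/^Subject:/i PREPEND X-PHISHTEST: KnowBe4
/^X-Virus-Scanned:/i REPLACE X-Virus-Scanned: Trend Micro
/^Received:/ IGNORE
/^User-Agent:/ IGNORE
"""
# A constructed header block, one logical header per line (not a real message).
SAMPLE_HEADERS = [
    "Received: from mail.internal.example (10.0.0.5) by relay.example",
    "User-Agent: Thunderbird",
    "X-Virus-Scanned: ClamAV using ClamSMTP",
    "Subject: Quarterly report",
    "From: alice@example",
]
# One rule line: /pattern/flags ACTION [text]
RULE = re.compile(r"^/(.*?)/([a-zA-Z]*)\s+(\S+)(?:\s+(.*))?$")

def parse_rules(text):
    """Read rule lines as regexp_table(5) does; blank lines and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, flags, action, arg = RULE.match(line).groups()  # raises on a bad line
        # regexp_table(5): matching is case-insensitive by default and the 'i'
        # flag toggles it, so '/^Subject:/i' only matches a capitalised 'Subject:'.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action.upper(), arg or ""))
    return rules

def apply_header_checks(headers, rules):
    """Apply the first matching rule to each header; unmatched headers pass through."""
    out = []
    for header in headers:
        for pattern, action, arg in rules:
            if pattern.search(header):
                if action == "PREPEND":
                    out += [arg, header]      # new header inserted before the matched one
                elif action == "REPLACE":
                    out.append(arg)           # matched header rewritten
                elif action != "IGNORE":      # IGNORE drops it; DUNNO/OK keep it unchanged
                    out.append(header)
                break                         # first match wins
        else:
            out.append(header)
    return out
```

On a real host the authoritative version of this check is Postfix's own lookup, postmap -q - regexp:/etc/postfix/header_checks.cf < headers.txt, which prints the action for every header line that matches.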
References
[1] Postfix Header Checks: http://www.postfix.org/header_checks.5.html
[2] X-PHISHTEST: https://support.knowbe4.com/hc/en-us/articles/212723707-Whitelisting-by-Email-Header-in-Exchange-2013-2016-or-Microsoft-365
[3] CyberChef on GitHub: https://github.com/gchq/CyberChef
[4] How to build CyberChef: https://blog.infosecworrier.dk/2021/12/how-to-build-cyberchef.html