2021-12-30

Managing Postfix headers for Privacy and Red Teaming

Managing Postfix Headers

Postfix allows you to change headers using header_checks [1]. It is relatively simple; however, as always, you will (as I do) mess up the required regular expressions now and again.

However, the simple cases discussed here are not in that territory.

The overall process

  1. Configure postfix to enable header_checks.
  2. Edit the header_checks file and add the regular expressions needed.
  3. Run postmap to rebuild the database.
  4. Restart postfix.
  5. Troubleshoot.



1. Configure postfix

Add the following line to /etc/postfix/main.cf if it is not already there.

smtp_header_checks = regexp:/etc/postfix/header_checks.cf

 

2. Header Check File

Add your regular expressions to the /etc/postfix/header_checks.cf file.
Examples will follow shortly.

3. Rebuild Database

Run postmap against the header checks file (hash:path), specifically:

# postmap hash:/etc/postfix/header_checks.cf

4. Restart Postfix

As simple as running the following (if your distro uses the systemd init system):
# systemctl restart postfix

5. Troubleshooting

First, make sure that no overrides are specified for postfix, by running:
# grep -Frail receive_override_options /etc/postfix/
 
If main.cf and/or master.cf contain overrides, modify them accordingly, or comment the respective overrides out.
Use postconf to verify the new setting in main.cf:
 
# postconf -n | grep header
Should output something similar to this:
smtp_header_checks = regexp:/etc/postfix/header_checks.cf
 
Always check your regular expressions before deploying them to production. Several tools are available to help with that. I prefer CyberChef [3] [4].

For privacy

Removing the Received headers, which give away the hostname/IP of the sending client, as well as other artifacts, is as simple as adding the following to /etc/postfix/header_checks.cf.

/^Received:/    IGNORE

/^User-Agent:/    IGNORE

This will remove internal hostnames and IPs from the mail header.

As discussed above, run postmap, then restart postfix.

# postmap hash:/etc/postfix/header_checks.cf

# systemctl restart postfix

# postconf -n | grep header 

 

For Red Teaming: Bypassing mail-filters

Many companies use a third party to perform phishing tests. Some of those use a well-known X-Header to bypass spam filtering [2]. Thus the only thing you have to do to get past that pesky filter is to add that header. Below is an example taken from [2].
/^Subject:/i PREPEND X-PHISHTEST: KnowBe4

Again, after changing header_checks.cf, run postmap, then restart postfix.

# postmap hash:/etc/postfix/header_checks.cf

# systemctl restart postfix

# postconf -n | grep header


Believe it or not, it really is true. Several vendors really do ask their customers to drill a huge hole in their e-mail defenses [2].
 
Nevertheless do not use the X-PHISHTEST header on your production system! Only use it in a pentest/red teaming exercise that you have been given permission to perform.

Other examples

Another example is hiding the specific AV scanner used in your setup; this can be done by specifying:
/^X-Virus-Scanned:/i REPLACE X-Virus-Scanned: Trend Micro
 
Thereby replacing the actual scanner details with the text "Trend Micro".

The complete header_checks.cf

The complete header_checks.cf file would contain the following:

/^Subject:/i PREPEND X-PHISHTEST: KnowBe4
/^X-Virus-Scanned:/i REPLACE X-Virus-Scanned: Trend Micro
/^Received:/    IGNORE
/^User-Agent:/    IGNORE
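To see what these rules do to a message before touching a live server, here is a small dry-run simulator added for this post (not Postfix's own code, and not from the original article) that parses the file above and applies IGNORE, PREPEND and REPLACE to a constructed set of outbound headers. It assumes already unfolded, single-line headers and uses Python's re module in place of Postfix's regexp engine; it follows regexp_table(5), where matching is case-insensitive by default and the i flag toggles that off.

```python
import re

HEADER_CHECKS = """/^Subject:/i PREPEND X-PHISHTEST: KnowBe4
/^X-Virus-Scanned:/i REPLACE X-Virus-Scanned: Trend Micro
/^Received:/    IGNORE
/^User-Agent:/    IGNORE
"""
# Constructed outbound message headers (not real mail), assumed already unfolded.
SAMPLE_HEADERS = """Received: from workstation.corp.example (10.1.2.3) by mail.example.org
User-Agent: Mozilla Thunderbird
From: alice@example.org
Subject: Quarterly report
X-Virus-Scanned: ClamAV at mail.example.org
"""
# One rule per line: /pattern/flags ACTION [text]
RULE_RE = re.compile(r'^/((?:\\.|[^/])*)/([a-zA-Z]*)\s+([A-Z]+)(?:\s+(.*))?$')

def parse_header_checks(text):
    """Return [(compiled regex, action, text)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparsable rule: {line!r}')
        pattern, flags, action, arg = m.groups()
        # regexp_table(5): case-insensitive by default; 'i' toggles it, so "/i" is case-sensitive.
        re_flags = 0 if 'i' in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action, arg or ''))
    return rules

def apply_header_checks(headers, rules):
    """Dry-run IGNORE / PREPEND / REPLACE on header lines; first matching rule wins."""
    out = []
    for header in headers:
        for regex, action, text in rules:
            if not regex.search(header):
                continue
            if action == 'PREPEND':
                out.extend((text, header))  # new line inserted before the header
            elif action == 'REPLACE':
                out.append(text)            # header replaced entirely
            elif action != 'IGNORE':        # IGNORE drops the header
                raise ValueError(f'action not simulated: {action}')
            break
        else:
            out.append(header)              # no rule matched: passes through
    return out
```

On a real system, `postmap -q "Subject: test" regexp:/etc/postfix/header_checks.cf` gives the authoritative answer for a single header line.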



References

[1] Postfix Header Checks: http://www.postfix.org/header_checks.5.html

[2] X-PHISHTEST: https://support.knowbe4.com/hc/en-us/articles/212723707-Whitelisting-by-Email-Header-in-Exchange-2013-2016-or-Microsoft-365

[3] CyberChef on GitHub: https://github.com/gchq/CyberChef

[4] How to build CyberChef: https://blog.infosecworrier.dk/2021/12/how-to-build-cyberchef.html
