On 29 March 2014 06:59, Kevin M. Gallagher <kevin(_at_)ageispolis(_dot_)net>
wrote:
What do people today think of the SMTP RFC's current requirement that
mail programs and servers must not under any circumstances change or
delete Received: headers? Is exposing sender IP addresses to any
attacker who can view e-mail headers, for the purposes of preserving
trace information, really worth it when weighed against considerations
like security and privacy?
http://tools.ietf.org/html/rfc5321#section-4.4
I would note that removal of internal Received headers at the exit boundary
of the sending ADMD is quite common - and I ran into this one just the
other day, where a client wasn't doing this and it caused concern.
Outside of the sending ADMD, the trace fields are of very low value for
debugging, and as discussed in §7.6, may be problematic.
Inside (and at the boundary especially), they are useful, so mandating that
they're added, but may be removed at the exit of the sending ADMD seems
sane. I'm not going to demand any change here for the simple reason that
there's no way to distinguish what's happened externally; therefore this
doesn't strike me an an interoperability concern.
Dave.