Author Topic: Leaking Onion address in headers  (Read 2215 times)

Offline clonmac

  • Newbie
  • *
  • Posts: 2
Leaking Onion address in headers
« on: September 28, 2019, 11:46:36 AM »
OK, so I just can't seem to figure out why Roundcube is leaking my Onion address in email headers when sending emails. I access my Roundcube instance via a Tor Onion service. I have my Roundcube frontend set up in a Docker container.

I've set the "http_received_header" config option in my config.inc.php file to false and it still is putting my Onion address in the headers of sent emails. I've also tried setting the "http_received_header_encrypt" config option to true, false, and also unconfigured and still nothing makes a difference.

Thinking maybe it was something wrong with how my Docker container is set up, I've tried numerous container image builds. Some are built from source pulling Roundcube directly from Github, some are built using Roundcube from a repository. I've tried numerous different Roundcube version from 1.3.10 all the way back to 1.0.9. Nothing seems to stop Roundcube from adding the Received: from <onion> headers in any email I send from it. I've also verified that the variables are being set properly in my config.inc.php file and obviously my Roundcube instance is working and connecting to my mail server, so all other variables are working properly in my config file as well.

I'm at a loss as to why this setting isn't working. If I can't stop Roundcube from leaking my Onion address, then I'm afraid I might have to look for another webmail client, but I really like Roundcube.

Offline clonmac

  • Newbie
  • *
  • Posts: 2
Re: Leaking Onion address in headers
« Reply #1 on: September 30, 2019, 08:47:40 AM »
I just wanted to send an update. I still haven't solved the above issue I'm having with Roundcube, but I have a workaround in place that is currently solving the problem for me. I am having my Postfix SMTP server rewrite all the outgoing headers to strip out the Onion address before sending the email. Not a perfect solution, but it solves the critical issue of having my Onion address leaked on outgoing message, so this will suffice.