Privacy Patches for Webmail

  1. Squirrelmail Privacy Patch
    1. 1.4.4
    2. 1.4.5/1.4.6/1.4.7/1.4.8
  2. Horde (IMP) Privacy Patch

Squirrelmail Privacy Patch

Squirrelmail puts the IP address of the user's home computer in every email they send out. Some might consider this a horrible breach of privacy. This patch will prevent this, but still includes the login name of the authenticated user.

1.4.4

You can download squirrelmail-1.4.4-privacy.diff directly from our subversion repository. The code is pretty simple, so it is represented below (copying and pasting this will result in problems, better to download it).

--- ./Deliver.class.php 2004-12-27 07:03:41.000000000 -0800
+++ /var/www/squirrelmail-1.4.4/class/deliver/Deliver.class.php 2005-02-06 15:13:24.000000000 -0800
@@ -380,7 +380,7 @@
         /* This creates an RFC 822 date */
         $date = date('D, j M Y H:i:s ', mktime()) . $this->timezone();
         /* Create a message-id */
+        $message_id = '<' . $REMOTE_PORT . '.' . $username . '.';
-        $message_id = '<' . $REMOTE_PORT . '.' . $REMOTE_ADDR . '.';
         $message_id .= time() . '.squirrel@' . $SERVER_NAME .'>';
         /* Make an RFC822 Received: line */
         if (isset($REMOTE_HOST)) {
@@ -394,7 +394,6 @@
             }
             $received_from .= " (proxying for $HTTP_X_FORWARDED_FOR)";
         }
+        $received_from = "localhost (127.0.0.1)";
         $header = array();
         $header[] = "Received: from $received_from" . $rn;
         $header[] = "        (SquirrelMail authenticated user $username)" . $rn;

1.4.5/1.4.6/1.4.7/1.4.8

This new Squirrelmail version has a so-called "encode_header_key" feature, which actually provides quite poor encryption (especially since the padding string is always the same and stored in /etc/, if you really want to know you can get it there).

The following patch prevents any home IP address to appear in the headers, no matter which way you've set your "encode_header_key" option to.

You can download squirrelmail-1.4.6-privacy.diff directly from our subversion repository (this patch works for 1.4.6, 1.4.7 and 1.4.8 even though it is named 1.4.6). The code is pretty simple, so it is represented below (copying and pasting this will result in problems, better to download it).

--- class/deliver/Deliver.class.php.orig        2006-02-07 13:01:24.000000000 -0800
+++ class/deliver/Deliver.class.php     2006-02-07 13:37:45.000000000 -0800
@@ -399,12 +399,7 @@
         $date = date('D, j M Y H:i:s ', mktime()) . $this->timezone();
         /* Create a message-id */
         $message_id = '<' . $REMOTE_PORT . '.';
-        if (isset($encode_header_key) && trim($encode_header_key)!='') {
-            // use encrypted form of remote address
-            $message_id.= OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key));
-        } else {
-            $message_id.= $REMOTE_ADDR;
-        }
+        $message_id .= $username ;
         $message_id .= '.' . time() . '.squirrel@' . $SERVER_NAME .'>';
         /* Make an RFC822 Received: line */
         if (isset($REMOTE_HOST)) {
@@ -418,6 +413,8 @@
             }
             $received_from .= " (proxying for $HTTP_X_FORWARDED_FOR)";
         }
+        $received_from = "localhost (127.0.0.1)";
+        $REMOTE_ADDR = "127.0.0.1";
         $header = array();
 
         /**

Horde (IMP) Privacy Patch

Horde does a couple things that compromize a user's anonyminity in the IMP webmail client in unnecessary ways:

1. Received: header added with user's home DSL/cable IP. Horde does the same thing that Squirrelmail does. The following patch changes this so it says "localhost (localhost 127.0.0.1)" again.

2. If a user clicks the help button and sends in a problem report, you get the http headers that their UA sends as well as their IP. The IP address is really unnecessary information for debugging problems.

3. Last login data is saved into the database and displayed to the user on login. The display of this data is controlled by a prefs.php setting, however even with this set to off, the data is still collected in the database! With these patches, the last_login will not be displayed at all, and the code that writes this information to the database has been commented out. As a minor speed-up bonus, the code that attempts to read this information from the database has also been commented out, no point in reading data that is always going to be the same!

You can download horde-3.1-privacy.diff or the Debian Sarge version (Thanks to Nadir technik) horde3.0.4-4sarge3-privacy.diff directly from our subversion repository. The code is pretty simple, but longer, so it has been omitted from this page, you can see it by clicking on either of the above links.

If you were running IMP before you might have a handful of data collected already in the database, you will want to anonymize these, you can do this by doing the following:

mysql> UPDATE horde_prefs set pref_value='a:2:{s:4:"time";i:1134251455;s:4:"host";s:30:"anonymized";}' where pref_name='last_login';