Remove/modify received headers in Interscan Messaging Security Virtual Appliance (IMSVA)

Product / Version includes:

Interscan Messaging Security Virtual ApplianceAll

Last updated: 2022/03/09

Solution ID: KA-0011604

Category: Configure

Summary

When message is processed by IMSVA there are multiple Received headers inserted into the message, as shown below:

Received: from parent.hostname.com (192.168.1.11) by ex1.trend.local
 (192.168.1.9) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.669.32 via Frontend
 Transport; Thu, 25 Feb 2021 14:38:06 +0000
Received: from parent.hostname.com (unknown [127.0.0.1])
    by IMSVA (Postfix) with ESMTP id 716A220F1
    for <administrator@trend.local>; Thu,  25 Feb 2021 14:38:06 +0000 (GMT)    
Received: from parent.hostname.com (unknown [127.0.0.1])
    by IMSVA (Postfix) with ESMTP id 5F67820D8
    for <administrator@trend.local>; Thu,  25 Feb 2021 14:38:06 +0000 (GMT)   
Received: from pc1.trend.local (unknown [192.168.1.10])
    by parent.hostname.com (Postfix) with ESMTP
    for <administrator@trend.local>; Thu,  25 Feb 2021 14:38:06 +0000 (GMT)
From: <test@trend.local>

The reason for the multiple headers is the message routing within each IMSVA: Postfix --> Scanner --> Postfix.
Each time the message passes through Postfix there it adds a Received header.

For various reasons, it may be necessary to modify or remove some of the headers. For example:

to mask sensitive information
to remove unnecessary clutter from the headers
to remove the word 'unknown' which can cause deliverability issues in certain environments

In IMSVA the header_checks parameter can be used to check for RegEx patterns in the headers and either remove the entry entirely or modify it.

Go to /opt/trend/imss/postfix/etc/postfix.
Create a backup of the main.cf file by running the following command:
cp main.cf main.cf.bak
Create a new header_check file.
- Run the following commands:
  - touch header_check
  - vi header_check
- Enter the required regular expression to match and modify the desired headers:
Open the main.cf file and add the following line below header_check:
- header_checks = regexp:/opt/trend/imss/postfix/etc/postfix/header_check
Save the changes and close the file.
Run the following commands to restart Postfix:
- postfix restart

There are 2 operators we can use in the header_check file:

IGNORE will remove the matched line from the email header
REPLACE will replace the matched pattern with the pattern following the REPLACE operator

EXPAND ALL

Example 1 - Remove Headers with 127.0.0.1

To remove only the “Received” headers that contain the localhost 127.0.0.1 IP address:

#Header Checks File

/^Received:.*127\.0\.0\.1.*/ IGNORE

To remove headers that contain the domain trend.local and 127.0.0.1, you would use:

/^Received:.*\.trend\.local.*127\.0\.0\.1.*/ IGNORE

Example 2 - Remove 'Unknown' from headers

Some customers have found that the presence of 'unknown' in the Received headers can cause certain environments to reject incoming messages. To remove the word unknown from the header

Received: from parent.hostname.com (unknown [127.0.0.1])
    by IMSVA (Postfix) with ESMTP id 5F67820D8
    for <administrator@trend.local>; Thu,  25 Feb 2021 14:38:06 +0000 (GMT)

you could add the line below to the header_check file:

/^Received: from (.*\.hostname\.com) \(unknown (.*)/ REPLACE Received: from $1 ($2

This would replace the above header with

Received: from parent.hostname.com ([127.0.0.1])
     by IMSVA (Postfix) with ESMTP id 5F67820D8     
     for <administrator@trend.local>; Thu,  25 Feb 2021 14:38:06 +0000 (GMT)

Example 3 - Remove Private information from header

In some environments the client hostname of the sender could be included in the header, and this is of course private information, which the sender may wish to withhold. The header could be removed with the IGNORE operator as already shown, but the first Received header after the From header has significance for DKIM signing so it may be necessary to maintain the header, but remove the sensitive data. The RegEx below will replace pc.trend.local

/^Received:.*trend\.local.*(Mon|Tue|Wed|Thu|Fri|Sat|Sun)(.*)/ REPLACE Received: from NotAPC.trend.local (NotAPC.trend.local [10.10.10.10]) by mx1.trend.local; $1$2

This would replace the header:
Received: from pc1.trend.local (unknown [192.168.1.10])
   by parent.hostname.com (Postfix) with ESMTP
   for <administrator@trend.local>; Thu, 25 Feb 2021 14:38:06 +0000 (GMT)
With
Received: from NotAPC.trend.local (NotAPC.trend.local [10.10.10.10])
   by mx1.trend.local;
   for <administrator@trend.local>; Thu, 25 Feb 2021 14:38:06 +0000 (GMT)

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Remove/modify received headers in Interscan Messaging Security Virtual Appliance (IMSVA)

Example 1 - Remove Headers with 127.0.0.1

Example 2 - Remove 'Unknown' from headers

Example 3 - Remove Private information from header

Remove/modify received headers in Interscan Messaging Security Virtual Appliance (IMSVA)

Product / Version includes:

Summary

Example 1 - Remove Headers with 127.0.0.1

Example 2 - Remove 'Unknown' from headers

Example 3 - Remove Private information from header