Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su> wrote:

> Andrzej Adam Filip wrote:
>> >> > However, I vaguely remember some firewall products which remove
>> >> > certain fields from outbound E-mail and even HTTP requests. Perhaps it
>> >> > makes sense under certain circumstances. And I cannot think of any
>> >> > good use of the private Received: headers to the outsider.
>> >
>> >> Received: headers are likely of very little use to the outside, but may
>> >> be very useful for insiders who are trying to diagnose mail loop
>> >> problems.
>> >
>> > I rather doubt the insiders will diagnose internal mail loop problems
>> > from the outside. If there is a mail loop within the corporate
>> > network, the mail is unlikely to leave it.
>
>> The subject states "remove". Removing received: header in full *WILL*
>> lead to creation of possibility of *nasty* email loops going undetected.
>
> Provided the said headers are removed at the very edge of the network,
> not before the message leaves the corporate network, I see no
> possibility of loop creation. What is a possible loop scenario in this
> setup?

Have you ever seen two hops loops?
[ e.g. smart host sends back to sending host ]

>> Rewriting "internal" received: headers (removing "private" parts) avoids
>> *this* risk.
>
> But this is equally wrong from the point of view of the RFC which
> states: "it MUST NOT alter in any way a Received: line that is already
> in the header".

IMHO full removal does alter the header :-)

I can see no reason to break the above "MUST NOT" on nets/servers under
my control. I can see reasons why some people want to break in very
specific case when the header has been generated by "internal server"
also under their control.


--
[pl>en: Andrew] Andrzej Adam Filip anfi@xl.wp.pl sip:896530@fwd.pulver.com
Open-Sendmail: http://open-sendmail.sourceforge.net/
"I shall expect a chemical cure for psychopathic behavior by 10 A.M. tomorrow,
or I'll have your guts for spaghetti."
-- a comic panel by Cotham