"Received" header contains inappropriate internal network information, such as local IP addresses.
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
People
(Reporter: davidahillman+moz, Unassigned)
Details
Steps to Reproduce:
- Installed Thunderbird on Kubuntu 24.04 LTS, on a system that is attached to a Local Area Network, behind a firewall. Systems on that LAN are assigned IP addresses from the 192.168/16 private IP range, as per RFC 1918.
- Send an electronic mail to any address.
- Inspect the "Received" headers on that message, at its destination.
Observed Result:
The "Received" header contains details about the source's private network address scheme that are supposed to remain private.
For example:
Received: from [192.168.1.9] ( <valid-internet-ip-address-redacted> )
by smtp.gmail.com with ESMTPSA id <message-id-redacted>
for <recipient-address-redacted>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Expected Result:
The "Received" header should not publicize the source's private network configuration.
For example, a different mail client installed on the same machine generates this header, instead:
Received: from host.localnet ( <valid-internet-ip-address-redacted> )
by smtp.gmail.com with ESMTPSA id <message-id-redacted>
for <recipient-address-redacted>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
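The first token after "from" in a Received header is the identity the sending client announced in its EHLO/HELO command, and the parenthesised TCP-info after it is what the receiving server observed on the wire (RFC 5321 section 4.4). The report's observed header therefore shows Thunderbird announcing its RFC 1918 address as an address literal, which Gmail then records verbatim. The following script is an added example, not part of the report and not Thunderbird code: it audits the Received headers of a delivered message and flags every hop whose EHLO identity is an address literal in a private, loopback or link-local range. The sample headers are constructed for offline use, with the connecting address left redacted exactly as in the report; the hostnames mail.example.net and mx.example.org and the 203.0.113.x addresses are placeholders.

```python
import email
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample data, not copied from any real message. LEAKY_HEADER
# mirrors the report's observed header; CLEAN_HEADER mirrors the expected one.
LEAKY_HEADER = (
    "Received: from [192.168.1.9] ( <valid-internet-ip-address-redacted> )\n"
    "\tby smtp.gmail.com with ESMTPSA id <message-id-redacted>\n"
    "\tfor <recipient-address-redacted>\n"
    "\t(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);"
)
CLEAN_HEADER = LEAKY_HEADER.replace("[192.168.1.9]", "host.localnet")

# A constructed message with several hops: an IPv4 RFC 1918 literal, a
# hostname EHLO, an IPv6 unique-local literal, and a public IPv4 literal.
SAMPLE_MESSAGE = (
    LEAKY_HEADER + "\n"
    "Received: from mail.example.net (mail.example.net. [2001:db8::1])\n"
    "\tby mx.example.org with ESMTPS id abc123;\n"
    "Received: from [IPv6:fd12:3456::1] (203.0.113.9)\n"
    "\tby mx.example.org with ESMTPSA id def456;\n"
    "Received: from [203.0.113.20] (203.0.113.20)\n"
    "\tby mx.example.org with ESMTPSA id ghi789;\n"
    "From: sender@example.net\n"
    "To: recipient@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Ranges that should never appear in a message leaving a site: RFC 1918,
# loopback and link-local for IPv4; unique-local, link-local and loopback
# for IPv6. Python's ip.is_private is deliberately not used because it also
# covers the RFC 5737 documentation ranges used for the samples above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# RFC 5321 s4.4: "from <EHLO identity> (<TCP-info>)". The "Received:" name
# is optional so both raw lines and parsed header values are accepted.
_FROM_RE = re.compile(r"^(?:received:)?\s*from\s+(?P<helo>\S+)", re.IGNORECASE)


def unfold(value: str) -> str:
    """Join RFC 5322 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def helo_literal(received_value: str) -> Optional[str]:
    """Return the bare address if the EHLO identity is an address literal
    ("[192.168.1.9]" or "[IPv6:...]"), otherwise None."""
    m = _FROM_RE.match(unfold(received_value))
    if not m:
        return None
    helo = m.group("helo")
    if not (helo.startswith("[") and helo.endswith("]")):
        return None
    inner = helo[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    return inner


def is_internal(addr: str) -> bool:
    """True if addr parses as an IP address inside one of INTERNAL_NETS.
    Mixed-version membership tests are simply False, never an error."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def leaks_internal_helo(received_value: str) -> bool:
    """True if this single Received header exposes an internal address."""
    lit = helo_literal(received_value)
    return lit is not None and is_internal(lit)


def audit_message(raw_message: str) -> List[Dict[str, object]]:
    """One finding per Received header (in order of appearance) whose EHLO
    identity is an internal address literal."""
    msg = email.message_from_string(raw_message)
    findings: List[Dict[str, object]] = []
    for idx, value in enumerate(msg.get_all("Received", [])):
        lit = helo_literal(value)
        if lit is not None and is_internal(lit):
            findings.append({"index": idx, "helo_address": lit})
    return findings


if __name__ == "__main__":
    for f in audit_message(SAMPLE_MESSAGE):
        print(f"Received header #{f['index']} announces internal address {f['helo_address']}")
```

Running the script flags hops 0 and 2 of the constructed message and leaves the hostname hop and the public literal alone. The check only detects the leak after delivery; stopping it at the source means changing what the client sends in EHLO, which the report does not discuss. Thunderbird exposes that argument through the `mail.smtpserver.default.hello_argument` preference, noted here as a known workaround rather than anything stated in the report.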