问题
I'm using CloudFlare to hide original server IP address (preventing from attacks to the server, DDos...), but when I use PHPmailer on site for sending confirmation e-mails to the customers, it is easy for an attacker to get original IP because it is in email headers.
PHPmailer is set to send via Google SMTP relay.
Received: from www.website.com (webhosting2.xxx.cloud. [195.91.163.4])
by smtp-relay.gmail.com with ESMTPS id 88sm967264wrf.7.2018.01.22.12.34.50
for <thomas.cook@customer.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Mon, 22 Jan 2018 12:34:50 -0800 (PST)
X-Relaying-Domain: mywebsite.com
Date: Mon, 22 Jan 2018 20:34:50 +0000
To: thomas.cook@customer.com
From: "Website store" <info@mywebsite.com>
Reply-To: "Website store" <info@mywebsite.com>
Subject: Confirmation and payment instructions
Message-ID: <36830818e32b289e8637b8017a4fccf9@www.mywebsite.com>
X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
The problem is in first line "Received: from ... (server hostname and IP)"
Do you have any tips to modify PHPmailer code or other solution to hide originating server where is my website ?
Thanks
回答1:
You can't prevent that appearing because it's added by the receiving server, not the sending one, so it's out of your control.
Because you're relaying though, there's no particular reason that the origin server needs to be internet-accessible at all; the only external connection it needs is outbound SMTP to google's mail servers, so you can block everything else. If that firewalling is done upstream from your server, then it will be nicely insulated and not actually suffer any of the DDoS traffic.
This is more of a security or server fault question.
回答2:
Service PostmarkApp.com is good for this purpose. It is for transactional emails (not for marketing) and it's hiding IP address of the originating server.
来源:https://stackoverflow.com/questions/48390715/phpmailer-disclose-server-ip-address-how-to-hide-it