From 70385aa5875681c032e69a7e4be04be3389fb4dc Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov <vsevolod@rspamd.com>
Date: Fri, 17 Oct 2025 08:53:57 +0100
Subject: [PATCH] [Fix] Remove Authentication-Results and anonymize
 envelope-from in Received headers

- Remove Authentication-Results header containing sensitive information
  including email addresses, domains, and authentication check results
- Anonymize envelope-from clauses in Received headers to prevent
  email address leakage
---
 lualib/lua_mime.lua | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lualib/lua_mime.lua b/lualib/lua_mime.lua
index ddf4a539ed..bb72c64938 100644
--- a/lualib/lua_mime.lua
+++ b/lualib/lua_mime.lua
@@ -1055,6 +1055,8 @@ exports.anonymize_message = function(task, settings)
     processed = string.gsub(processed, '%x+:%x+:%x+:%x+:%x+:%x+:%x+:%x+', 'x:x:x:x:x:x:x:x')
     -- Anonymize email addresses in "for <email@domain.com>" clauses
     processed = string.gsub(processed, 'for%s+<([^@>]+)@([^>]+)>', 'for <anonymous@%2>')
+    -- Anonymize email addresses in "envelope-from <email@domain.com>" clauses
+    processed = string.gsub(processed, 'envelope%-from%s+<([^@>]+)@([^>]+)>', 'envelope-from <anonymous@%2>')
     return processed
   end
 
@@ -1081,6 +1083,7 @@ exports.anonymize_message = function(task, settings)
     ['arc-seal'] = remove_header,
     ['arc-message-signature'] = remove_header,
     ['arc-authentication-results'] = remove_header,
+    ['authentication-results'] = remove_header,
     ['x-spamd-result'] = remove_header,
     ['x-rspamd-server'] = remove_header,
     ['x-rspamd-queue-id'] = remove_header,
-- 
2.47.3