From: Vsevolod Stakhov <vsevolod@rspamd.com>
Date: Fri, 17 Oct 2025 07:53:57 +0000 (+0100)
Subject: [Fix] Remove Authentication-Results and anonymize envelope-from in Received headers
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=70385aa5875681c032e69a7e4be04be3389fb4dc;p=thirdparty%2Frspamd.git

[Fix] Remove Authentication-Results and anonymize envelope-from in Received headers

- Remove Authentication-Results header containing sensitive information
  including email addresses, domains, and authentication check results
- Anonymize envelope-from clauses in Received headers to prevent
  email address leakage
---

diff --git a/lualib/lua_mime.lua b/lualib/lua_mime.lua
index ddf4a539ed..bb72c64938 100644
--- a/lualib/lua_mime.lua
+++ b/lualib/lua_mime.lua
@@ -1055,6 +1055,8 @@ exports.anonymize_message = function(task, settings)
     processed = string.gsub(processed, '%x+:%x+:%x+:%x+:%x+:%x+:%x+:%x+', 'x:x:x:x:x:x:x:x')
     -- Anonymize email addresses in "for <email@domain.com>" clauses
     processed = string.gsub(processed, 'for%s+<([^@>]+)@([^>]+)>', 'for <anonymous@%2>')
+    -- Anonymize email addresses in "envelope-from <email@domain.com>" clauses
+    processed = string.gsub(processed, 'envelope%-from%s+<([^@>]+)@([^>]+)>', 'envelope-from <anonymous@%2>')
     return processed
   end
 
@@ -1081,6 +1083,7 @@ exports.anonymize_message = function(task, settings)
     ['arc-seal'] = remove_header,
     ['arc-message-signature'] = remove_header,
     ['arc-authentication-results'] = remove_header,
+    ['authentication-results'] = remove_header,
     ['x-spamd-result'] = remove_header,
     ['x-rspamd-server'] = remove_header,
     ['x-rspamd-queue-id'] = remove_header,