
@gwire
Last active January 28, 2023 12:22
Exim Received header
received_header_text = Received: from ${if or{\
{eq{$received_protocol}{local}}\
{eq{$sender_host_address}{127.0.0.1}}\
}{$primary_hostname}{${if def:authenticated_id \
{SUBMISSION_IDENT}{$sender_rcvhost}}}\
}\n\tby $primary_hostname (Exim)${if and{\
{def:received_protocol}\
{!eq{$received_protocol}{local}}\
}{\n\twith ${uc:$received_protocol} ${if \
def:tls_in_cipher {tls $tls_in_cipher_std (${sg{$tls_in_ver}{TLS}{}})${if \
match{$tls_in_cipher}{.*DHE_([A-Z0-9]+)__.*}\
{${lc:${sg{$tls_in_cipher}{.*DHE_([A-Z0-9]+)__.*}{ group \$1}}}}}\n\t}}}{ }\
}id $message_id${if \
def:received_for {\n\tfor $received_for}}

gwire commented Nov 14, 2017

This is the current Exim header config I'm deploying.

It has the following properties:

  • closer to the Trace specification RFC 5321 than the Exim default
  • replacing localhost with the primary hostname to make parsing the path more logical
  • not adding "with LOCAL" for local submission, since "LOCAL" is not an IANA registered protocol type
  • potentially differs from a SHOULD in RFC 5321 in that the hostname used for authenticated mail (e.g. via Submission(s) port 587/465) is an expansion of SUBMISSION_IDENT

This allows an administrator to add to the configuration the ability to keep the conventional user IP address disclosure

SUBMISSION_IDENT = $sender_rcvhost

or, for example, replace it with a hardcoded syntactically valid alternative that prevents disclosure

SUBMISSION_IDENT = submission.local \(\[10.0.0.1\]\)

or, since the RFC makes the TCP-info section optional, just keep it simple:

SUBMISSION_IDENT = submission.local

  • added tls and group for recording TLS data as per RFC 8314
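
To check what a deployed SUBMISSION_IDENT setting actually puts on the wire, the following added example (not part of the gist or its author's configuration) parses Received headers in the layout the template above emits and reports authenticated hops whose from clause still carries a client address. The function names, the sample headers and the treatment of 10.0.0.1 as a known placeholder are assumptions made for illustration.

```python
import re

# Layout emitted by the template above:
# from / by (Exim) / [with PROTO [tls CIPHER (ver) [group G]]] / id / [for]
HEADER_RE = re.compile(
    r"^Received:\s+from\s+(?P<ident>.+?)\s+by\s+(?P<by>\S+)\s+\(Exim\)"
    r"(?:\s+with\s+(?P<proto>[A-Z0-9]+)"
    r"(?:\s+tls\s+(?P<cipher>\S+)\s+\((?P<tlsver>[^)]*)\)"
    r"(?:\s+group\s+(?P<group>\S+))?)?)?"
    r"\s+id\s+(?P<id>\S+)(?:\s+for\s+(?P<rcpt>\S+))?\s*$",
    re.S,
)
IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}  # RFC 3848 keywords for authenticated sessions

def parse_received(header):
    """Split one Received header into its clauses; None if it is not in this layout."""
    m = HEADER_RE.match(header.strip())
    if m is None:
        return None
    fields = m.groupdict()
    ip = IP_LITERAL.search(fields["ident"])
    fields["client_ip"] = ip.group(1) if ip else None
    return fields

def audit(headers, placeholder_ips=frozenset()):
    """Report authenticated hops whose from clause carries a real client address."""
    findings = []
    for header in headers:
        f = parse_received(header)
        if f is None:
            findings.append(("unparsed", header.splitlines()[0]))
        elif (f["proto"] in AUTH_PROTOCOLS and f["client_ip"]
              and f["client_ip"] not in placeholder_ips):
            findings.append(("client-ip-disclosed", f["client_ip"], f["id"]))
    return findings

# Constructed sample headers (hostnames, addresses and message ids are made up).
SAMPLES = [
    "Received: from laptop.example ([203.0.113.7] helo=laptop)\n\tby mx.example.org (Exim)"
    "\n\twith ESMTPSA tls TLS_AES_256_GCM_SHA384 (1.3)\n\tid 1abcde-000001-2F"
    "\n\tfor bob@example.net",
    "Received: from submission.local ([10.0.0.1])\n\tby mx.example.org (Exim)"
    "\n\twith ESMTPSA tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (1.2) group secp256r1"
    "\n\tid 1abcdf-000002-3G",
    "Received: from mx.example.org\n\tby mx.example.org (Exim) id 1abcdg-000003-4H",
]

if __name__ == "__main__":
    for finding in audit(SAMPLES, placeholder_ips={"10.0.0.1"}):
        print(finding)
```
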
