Removing cPanel Username From EXIM Mail Header

durangod

Hello,

I have a VPS with AlmaLinux and cPanel on it, and it also uses EXIM. My question is regarding the EXIM header information and changing that information. I will explain :)

In testing my software I sent myself an email via PHP to test my email process. Looking at the email header information, I noticed that there is an email header which has my cPanel username as part of the header, and I would like to remove my cPanel username from the mail header. First, I don't want my cPanel username to be public for security reasons, and second, I don't understand why the username is even part of the mail header in the first place.

I did post the question on the cPanel forum but got no answer to my question, and so I went from there to Stack Overflow (and I believe we all know the results there; I could not even get past the front door with my question before being shot down on even posting the question for some BS reason). So I decided to try a Linux forum, which is why I am here. :)

The mail header looks like this:
Received: from username by server.example.com with local (Exim 4.98.1) (envelope-from <[email protected]>) id 1tsvww-00000000OKq-2hdG for [email protected]; Fri, 14 Mar 2025 03:23:28 +0000
with username being my cPanel username; that is what I want to remove.

I have found some resources the last few days working on this.

https://stackoverflow.com/questions/33984833/exim-trying-to-change-received-headers-in-email

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html

And then I found some AI-offered suggestions, all of which say to modify the EXIM config file or make a custom rule file and modify the "received_header_text" in some way. AI suggested to use this command:

Code:
received_header_text = Received: by %{primary_hostname} [%{client_ip}]

or

Code:
headers remove Received: from [my actual username]    (no brackets)

or

Code:
headers remove Received: from $username

So naturally I went looking in the config file; the key is not there. So next I went looking for the actual text in the cPanel files by doing

Code:
grep -R received_header_text /usr/local/cpanel

and it found nothing but the custom file I created.

So either the key used to be in cPanel or EXIM and is no longer there, or it's something else. But I really need to get that username removed.

Has anyone ever run into this before and what is the solution to removing the username from the mail header?

Thank you for your time,
dave :)
 
Hmm... This is what I get:

Code:
Received: from [<IP ADDRESS WAS HERE>] (port=45646 helo=exmple.com)
    by foo.example.com with esmtpsa  (TLS1.3) tls TLS_AES_256_GCM_SHA384
    (Exim 4.98.1)
    (envelope-from <[email protected]>)
    id 1ttaPS-00000003Uhn-241X
    for [email protected];
    Sat, 15 Mar 2025 18:55:13 -0400

Which version of cPanel are you using? I'm fully updated with the most current cPanel/WHM installed. I've not made any changes to anything. The above results are just what I got by default. So, I'm not much help.

You might want to lean on them for support for this, if you don't get an answer here. In the past, I've found the cPanel support to be pretty good and reasonably quick at responding.

(I don't have an answer. I'm merely showing that I have a different result.)
 
For the record, it's usually considered bad form to have the same query open at different support sites. We have no way to know what you've already seen/tried and what responses you've had. So, we're duplicating work and we're all volunteers.

That said... You've waited a few days before posting here. That's understandable.

I have some thoughts, but not any real direct help. I do have some suggestions that I'll share as I go along.

What I find odd is that you've only received one reply and it was from a forum moderator who may not even be an actual employee of cPanel. They're usually on top of this sort of question and usually fairly knowledgeable.

I am using cPanel 124.0.30

Hmm... I'm on 126.0.9 with the server I have loaded up in my browser tab and that's the same site I used as the test to see if my headers matched your headers. (They did not.)

I can see why you'd not want the admin's login username in your email headers. That just seems like a security blunder and not something that should be a default. I am not seeing any benefit to this at all.

Yes, cPanel/WHM defaults to using part of the domain name as the username, so it's often easy to guess what the control panel's admin name is, but you don't have to do it that way. You can request a different username when you sign up and you can assign a different username for when you're setting up your own accounts.

Giving away the admin's username seems like a bad choice from a security viewpoint. While security by obscurity isn't a great thing, you can at least make it more challenging if they don't know the username to get started with.

If you're using any sort of web portal, all they have to do is sign up for a newsletter (or similar) to get your site to automatically send them an email. Once they do that and examine the headers, they can go to work on attacking the site with one part of the credentials already in hand.

I wonder if you frame this as a 'major' security blunder will they give your post more attention?

You could also try updating to the most recent version of cPanel/WHM. That's usually painless and pretty quick. You appear to be several versions behind (which is why I asked if you were using a nulled script) and updating may resolve this.

Also, I'm assuming you paid for cPanel and you're not using a nulled script? If you are a paying customer, you're paying for support. Don't let them forget that (though don't be a jerk about it).
 
@KGIII

Hi, thanks for the suggestions. I contacted my VPS provider, which is where I get my cPanel install as well. I did find out that it is actually a cPanel default that can be set by some VPS hosts when sending email using the PHP mail function. They did suggest two ways to handle it, but I have not tried them yet, and I will update this when I find a solution.

It is not something that is a problem when sending SMTP email, only when using php mail function.

:)
 
It is not something that is a problem when sending SMTP email, only when using php mail function.

Well, there's 'an' answer.

As an aside, they may include that data because the PHP's mail() function is often used for spam.

You'll fail this test if you aren't using SMTP: https://www.mail-tester.com/

(That's a lovely test site, by the way. It's how you get your emails by the various spam filters and into their inbox.)

So, "an" answer would be to use SMTP. That's usually pretty painless and there's a ton of documentation. If you're using something like WordPress, there are a number of free tools that will help you switch over to SMTP. Other content management systems are likely to have similar plugins - or even built-in functionality that you can change via the settings.

But, switching to SMTP won't be too difficult.
 
@KGIII

This is not only for my test server but for my future users as well. Some of them may elect to not use SMTP, and so they need to be informed about the additional risk that may exist with not using SMTP. I feel so strongly about everyone knowing about this potential risk that I think it should also be listed on the PHP mail() function manual page. I would imagine there are a lot of developers and users of software that have no idea of this potential risk, especially with software that gives the optional use of either mail processing system.
 
I feel so strongly about everyone knowing about this potential risk that I think it should also be listed on the PHP mail() function manual page.

I am inclined to agree, though I'm not sure if it's PHP adding it or cPanel adding it.
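
A defender-side check for the leak discussed in this thread, added here as an example and not code from any poster or from cPanel/Exim: it scans a message's Received headers for Exim local-submission hops (`from <ident> by <host> with local`), the shape quoted in the first post, and reports the account name they expose. The sample messages, the name `cpuser`, the hostnames and the addresses are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed samples modelled on the two header shapes quoted in the thread.
# "cpuser", the hostnames and the addresses are placeholders.
PHP_MAIL_MSG = (
    "Received: from cpuser by server.example.com with local (Exim 4.98.1)\n"
    "\t(envelope-from <cpuser@server.example.com>)\n"
    "\tid 1tsvww-00000000OKq-2hdG\n"
    "\tfor someone@example.net; Fri, 14 Mar 2025 03:23:28 +0000\n"
    "Subject: test\n\nbody\n"
)
SMTP_MSG = (
    "Received: from [192.0.2.10] (port=45646 helo=example.com)\n"
    "\tby foo.example.com with esmtpsa  (TLS1.3) tls TLS_AES_256_GCM_SHA384\n"
    "\t(Exim 4.98.1)\n"
    "\t(envelope-from <sender@example.com>)\n"
    "\tid 1ttaPS-00000003Uhn-241X\n"
    "\tfor someone@example.net;\n"
    "\tSat, 15 Mar 2025 18:55:13 -0400\n"
    "Subject: test\n\nbody\n"
)

# A local (non-SMTP) hop starts "from <ident> by <host> with local...".
LOCAL_HOP = re.compile(
    r"^from\s+(?P<ident>\S+)\s+by\s+(?P<host>\S+)\s+with\s+(?P<proto>local\S*)"
)

def local_submission_hops(raw_message):
    """Return (ident, host, protocol) for each Received hop that records a
    local submission, i.e. a hop that names the submitting account."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        hop = " ".join(value.split())  # unfold continuation lines
        m = LOCAL_HOP.match(hop)
        if m:
            hops.append((m["ident"].strip('"'), m["host"], m["proto"]))
    return hops

if __name__ == "__main__":
    for name, raw in (("php mail()", PHP_MAIL_MSG), ("SMTP", SMTP_MSG)):
        hops = local_submission_hops(raw)
        print(name, "->", hops or "no local-submission ident exposed")
```

Running it against a test message your own application sends shows whether a given sending path (PHP mail() versus authenticated SMTP) puts the account name into outbound headers.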
 

