I can tell where you were when you drafted that email. And, so may your boss. Were you in the office, at home or on the go?
Did you know, your IP address is automatically added to the message headers of every email that you send by default, regardless if sent to internal or external recipients. That applies to, but is not limited to, Office 365 and Exchange server, including Exchange Server 2013 and 2016.
It’s one thing if your email contains information about the email server from which the message originated. It’s quite another if your individual workstation or smartphone IP address is also included.
The message header in question is called “X-Originating-IP”. According to http://en.wikipedia.org/wiki/X-Originating-IP, it’s ”a de facto standard for identifying the originating IP address of a client connecting to a mail server”.
In practice, that means if you sent an email from Outlook, Outlook Web App (OWA) or an ActiveSync-connected smartphone while on the Corporate Wi-Fi, your device’s Corporate Wi-Fi IP address will be contained in the email. If you were connected to your home Internet at the time, your (public) home Internet IP address would be in the email.
That may give a recipient, or any party snooping up the email while in transit, good clues of the network you were connected to and the whereabouts of your staff and you.
I’ve written this article for your reference and information. Having the Client IP address in your company-internal emails may not be a big deal. But, as it concerns emails leaving your organization, I do believe it’s a good idea to limit the amount of automated information spread.
How to tell – If you’re leaking your IP Address
Note: If these steps look complicated, you may delegate them to your IT folks…
First, send yourself an email from your corporate email account to an external account that you have access to (like Hotmail/Gmail, etc.).
Open the received message from the external account, and retrieve the message headers (reference steps can be found here https://support.google.com/mail/answer/22454?hl=en).
The message headers look something like this:
Received: from na01-bn1-obe.outbound.protection.outlook.com (207.46.163.183) by mail.willneumann.net (192.168.1.10) with Microsoft SMTP Server (TLS) id 15.0.775.38 via Frontend Transport; Tue, 11 Feb 2014 07:55:37 -0700 Received: from DM2PR07MB544.namprd07.prod.outlook.com (10.141.157.148) by DM2PR07MB544.namprd07.prod.outlook.com (10.141.157.148) with Microsoft SMTP Server (TLS) id 15.0.868.8; Tue, 11 Feb 2014 14:55:34 +0000 …
Browse to https://testconnectivity.microsoft.com/, and click the “Message Analyzer” tab. Paste the message headers from the email into Message Analyzer as shown below, and click “Analyze Headers”.
Scroll down until you find the “x-originating-ip” entry.
Aha, there it is. In this example, it may be my tablets IP address on the Corporate Wi-Fi. But it also could have been your home (public) IP address, directly traceable to your home.
If your email doesn’t contain the X-Originating-IP header, your IT administrators may have already (un)intentionally disabled the header from leaving your organization. Thumbs up!
Removing the X-Originating-IP Header from Outbound Emails
Note: These steps apply to on premise Exchange 2013 and 2016, and Office 365/Exchange Online. You’ll need administrative privileges to the Admin Center/Portal.
In regards to removing the message header, you may think about the message header firewall in Exchange. But not so quick. The so-called message header firewall (which isn’t much more than a permission for sending routing information) is good for removing the “Received” headers in an email, but not exactly useful for the X-Originating-IP header.
A way to accomplish this is with a transport/mail flow rule. I’ll walk you through the steps.
Log in to the Exchange Admin Center (like https://mail.yourcompanyname.com/ecp) with an Exchange Organization Administrator account.
Select “mail flow”. Under “rules”, Click the Plus-Sign, and select “Create a new rule”.
Give her a name, like “Remove X-Originating-IP Header from outbound emails”.
Set the rule to apply if “The recipient is located” -> “Outside the Organization”.
Click “More options”.
Under “Do the following”, select “Modify the message properties”, and “remove a message header”.
Enter the message header as “x-originating-ip” (without quotes), and click OK. If all looks snappy, click “Save”.
There she is, your newly created mail flow rule for removing the device IP addresses from outbound emails.
I suggest you repeat the “How to tell” procedure outlined above confirming if the header in question is indeed no longer included.
One (happy) step closer to more privacy in corporate email.
***
Will Neumann a technical architect specializing on enterprise messaging. He and his team help their clients build and maintain enterprise-level features and services. To learn more, contact Will at +1-780-665-4948 (Mountain Time).