Supposedly user info could be removed from received header regardless of edit_identity setting, but this was not the case - now it is; Also add one more clarifying note to config script.

class/deliver/Deliver.class.php

@@ -590,7 +590,7 @@ class Deliver {
           } else {
             // use default received headers
             $header[] = "Received: from $received_from" . $rn;
-            if ($edit_identity || ! isset($hide_auth_header) || ! $hide_auth_header)
+            if (!isset($hide_auth_header) || !$hide_auth_header)
                 $header[] = "        (SquirrelMail authenticated user $username)" . $rn;
             $header[] = "        by $SERVER_NAME with HTTP;" . $rn;
             $header[] = "        $date" . $rn;

config/conf.pl

@@ -2578,6 +2578,11 @@ sub command311b {
   this setting will make it difficult to determine who sent what where.
   Use at your own risk.
 
+  Note: If you have defined a header encryption key in your SMTP or
+  Sendmail settings (see the \"Server Settings\" option page), this
+  setting is ignored because all user information in outgoing messages
+  is encoded.
+
   ";
 
     if ( lc($hide_auth_header) eq "true" ) {