Re: [Exim] vulnerabilities

Author: Steve Haslam
Date:  
To: Marc Peiser
CC: John Burnham, Anand Buddhdev, exim mailing list
Subject: Re: [Exim] vulnerabilities
On Fri, Jan 28, 2000 at 05:15:43PM +0000, Marc Peiser wrote:
> We had some guys test the security on our network and this is what they
> said:
>
> "SMTP daemons on your machine supports features (such as EHLO, RCPT, VRFY
> and EXPN) which my enable hackers to gain information which could be used
> to exploit other vulnerabilities."
>
> Are they been stupid or is there some precautions I can take?


Disabling EXPN for non-trusted hosts is definitely something you
should do. (e.g. smtp_expn_hosts = "*.mydomain.example.com").

With VRFY, someone could see if certain accounts exist or not. But if
you turn it off, you have to receive a message before you can bounce
it. Turn it off if you have the bandwidth. (no_smtp_verify)

EHLO is for negotiating ESMTP. I don't think that turning it off is
useful. I don't think Exim supports it.

RCPT is a vital piece of the SMTP protocol. Your mail server has to
support this to be useful.

SRH
-- 
Steve Haslam, Production Engineer, Excite UK     steve.haslam@???
                               i sit and stare at the gun pointed at my head
                                       and think about all the possibilities
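As an added example (not part of the thread and not Exim's own code), here is a small Python audit helper that reads captured EHLO, VRFY and EXPN replies from your own server and reports whether it still discloses whether accounts exist; the transcripts below are constructed, and the reply-code classification follows the SMTP meaning of each code (252 means "cannot verify, will accept and try", so it reveals nothing).

```python
import re

# Constructed transcripts (not captured from any real server).
EHLO_OPEN = (
    "250-mail.example.com Hello client [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n250-VRFY\r\n250-EXPN\r\n250 HELP\r\n")
EHLO_HARDENED = (
    "250-mail.example.com Hello client [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n250 HELP\r\n")

# How a defender should read each SMTP reply code to VRFY or EXPN.
_DISCLOSING = {"250", "251", "550", "551", "553"}  # confirms or denies a mailbox
_NONCOMMITTAL = {"252"}                            # "cannot verify, will try"
_DISABLED = {"500", "502", "503", "504"}           # command not available

def ehlo_extensions(reply):
    """Extract the ESMTP keywords from a multi-line 250 EHLO reply.

    The first line carries the server name and greeting, not an extension,
    so it is skipped; keywords are upper-cased for comparison.
    """
    keywords = set()
    for line in reply.splitlines()[1:]:
        m = re.match(r"250[- ]([A-Za-z0-9-]+)", line)
        if m:
            keywords.add(m.group(1).upper())
    return keywords

def classify_reply(reply):
    """Map the reply to a VRFY or EXPN command to an exposure verdict."""
    code = reply[:3]
    if code in _DISCLOSING:
        return "discloses"
    if code in _NONCOMMITTAL:
        return "noncommittal"
    if code in _DISABLED:
        return "disabled"
    return "unknown"

def audit(ehlo_reply, vrfy_reply, expn_reply):
    """Summarise what an untrusted host learns from EHLO, VRFY and EXPN.

    Returns the findings plus a 'hardened' flag that is True only when
    neither command confirms or denies an account or list membership.
    """
    advertised = ehlo_extensions(ehlo_reply)
    findings = {
        "advertises_vrfy": "VRFY" in advertised,
        "advertises_expn": "EXPN" in advertised,
        "vrfy": classify_reply(vrfy_reply),
        "expn": classify_reply(expn_reply),
    }
    findings["hardened"] = "discloses" not in (findings["vrfy"], findings["expn"])
    return findings
```

Feed it the replies you see when you connect to your own server from an untrusted address; a server that is hardened for outsiders should come back with `hardened: True` even if it still answers EHLO.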