Re: [Exim] vulnerabilities

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Philip Hazel
Date:  
À: Steve Haslam
CC: Marc Peiser, John Burnham, Anand Buddhdev, exim mailing list
Sujet: Re: [Exim] vulnerabilities
On Fri, 28 Jan 2000, Steve Haslam wrote:

> Disabling EXPN for non-trusted hosts is definitely something you
> should do. (e.g. smtp_expn_hosts = "*.mydomain.example.com").


By default EXPN is disabled, because the default host list is empty.

> With VRFY, someone could see if certain accounts exist or not. But if
> you turn it off, you have to receive a message before you can bounce
> it. Turn it off if you have the bandwidth. (no_smtp_verify)


Likewise, VRFY is disabled by default, because no_smtp_verify is the
default.

> EHLO is for negotiating ESMTP. I don't that turning it off is
> useful. I don't think Exim supports it.


Of course Exim supports it! The RFCs mandate that an MTA must support
it. It doesn't have to treat it differently to HELO, though. However,
Exim does treat it differently. It responds with the maximum size
message it will accept (this can save bandwidth if the sender pays
attention and refrains from sending larger messages) and it also says
which authentication mechanisms it supports, if any.

> RCPT is a vital piece of the SMTP protocol. Your mail server has to
> support this to be useful.


Well, a server that accepted messages only via the non-SMTP interface
could still be classed as "useful", IMHO, but it wouldn't be *very*
useful. :-)

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.