On Mon, 19 Nov 2001, James D. Freels wrote:
> My employee scans our machines for security problems. A potential
> security problem has been uncovered for both "exim" and "smail"
> packages. A solution is provided for sendmail if it were the MTA, but
> since it is not, I need help with an equivalent configuration.
>
> Here is the information of the issue:
>
> smtpexpn: SMTP EXPN command (CAN-1999-0531)
>
> I have read the answer in the EXIM FAQ, but I still do not get a
> solution. I have included in my exim.conf file the following
> parametric options:
>
> no_smtp_verify
> no_expn
> smtp_expn_hosts localhost
>
> but I am still getting the same response from the "Xforce ISS" scanners.
> Since I am not using sendmail, then there appears to be a problem. I
> would appreciate any solution offered.
Are you sure that scanner is trustworthy? As far as I remember, exim does
not activate expn by default. Ok, I just looked it up to be sure:
"The SMTP EXPN command is supported only if the calling host matches
smtp_expn_hosts."
So just do a telnet 127.0.0.1 25 (or from outside using the fq ip) to ask
exim. I bet you'll just get:
550 EXPN not available to localhost (test.de) [127.0.0.1]
NB: it would be 'smtp_verify = false' which is the default, anyway.
hth,
Volker
--
V. T. Mueller UCC Freiburg, Germany vtmue (at) uni-freiburg.de
"problems are just opportunities in work cloth"
