[ On Monday, November 19, 2001 at 14:43:56 (-0500), James D. Freels wrote: ]
> Subject: Re: [Exim] request for help: CAN-1999-0531 expn exploitation
>
> Your advice was similar to what the internal ornl.gov security experts
> said to do (ignore it) because they do not want to support anything
> else beyond sendmail.
I'm not quite sure what you're saying here.... (ignore what?)
> I was hoping I could get some specific help from
> this mailing list to continue to use exim.
Well, the specific advice is: ignore ISS and do continue to run Exim!
ISS is flat-out WRONG. Exim is "secure" by default w.r.t. EXPN and VRFY.
I would even recommend setting 'smtp_verify' -- it is a good and useful
debugging tool for everyone and not in any way a security risk in Exim
where the same information is available in a multitude of ways.
(as for Smail, well you probably would want to add '-smtp_allow_expn' to
the config -- there's no way to disable VRFY in smail as there's no
possible advantage ever to disabling it)
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@???> <woods@???>
Planix, Inc. <woods@???>; Secrets of the Weird <woods@???>
