Re: [exim] Local user enumeration through RCPT

Author: Stephen Gran
Date:  
To: exim-users
Subject: Re: [exim] Local user enumeration through RCPT
On Mon, Dec 17, 2007 at 01:57:05PM +0000, Phill Wood said:
> Hi All
>
> One of the servers we look after was recently "penetration tested" and they
> could find very little wrong, so they complained about silly things like it's
> possible to see which users exist locally on the server through the answer
> Exim provides to the RCPT command.
>
> Any way of stopping this happening? I honestly can't see that it's such a
> big problem myself and it looks like Exim is behaving just as it should.


You can start tempfailing after a certain number of failed RCPT TOs or
something, but other than that, well, that's how SMTP works.
--
--------------------------------------------------------------------------
|  Stephen Gran                  | Gumperson's Law:  The probability of a  |
|  steve@???             | given event occurring is inversely      |
|  http://www.lobefin.net/~steve | proportional to its desirability.       |
--------------------------------------------------------------------------
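The "tempfail after a few failed RCPTs" idea above, written out as an Exim 4 ACL fragment. This is an added example, not configuration posted in the thread; the ACL name acl_check_rcpt, the +local_domains list and the thresholds (3 rejected recipients per message, 10 per hour per host) are assumptions in the style of Exim's default configure file and should be tuned for your site. The enumeration itself comes from "verify = recipient" answering 550 for unknown local users; the two defer statements in front of it stop handing out definitive answers once a client has racked up rejections.

```exim
# --- main section (assumed hook name) ---
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # $rcpt_fail_count is the number of RCPT commands already rejected with
  # a 5xx in the current message. Once that passes 3, tempfail (4xx)
  # everything further, so the prober can no longer tell "no such user"
  # from "throttled", and make each further probe cost a few seconds.
  defer   message   = Too many rejected recipients, try again later
          condition = ${if >{$rcpt_fail_count}{3}}
          delay     = 5s

  # $rcpt_fail_count is per message, so a client that sends one RCPT per
  # MAIL FROM (or RSETs between probes) never trips the check above.
  # Count failed recipient verifications per sending host across the
  # whole hour instead: this statement is only reached when verification
  # fails, and "strict" keeps counting even while the client is over
  # the limit, so a prober cannot wait for the counter to decay.
  defer   message   = Too many unknown recipients from your host, try again later
          domains   = +local_domains
          !verify   = recipient
          ratelimit = 10 / 1h / per_rcpt / strict / $sender_host_address
          delay     = 5s

  # Below the thresholds, behave as a normal MTA: a real local address
  # is accepted, a non-existent one still gets the usual 550.
  accept  domains   = +local_domains
          verify    = recipient

  # Anything else is an attempted relay.
  deny    message   = relay not permitted
```

Two caveats a tester will raise anyway: the counters are keyed per message and per host, so a patient attacker with many source addresses still learns something (Exim's ratelimit can be keyed on a network prefix, e.g. ${mask:$sender_host_address/24}, if that matters to you), and deferring instead of denying means a legitimately misconfigured sender retries rather than bouncing, which is the intended trade-off.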