Re: [exim] Hidden Exim version number

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Hidden Exim version number
Dennis Davis wrote:
> On Thu, 16 Sep 2010, W B Hacker wrote:
>
>> From: W B Hacker <wbh@???>
>> To: exim users <exim-users@???>
>> Date: Thu, 16 Sep 2010 10:39:18
>> Subject: Re: [exim] Hidden Exim version number
>>
>> Michael Chung wrote:
>>> Dear All,
>>>
>>> I want to hide the version number of my exim SMTP server. I am using Exim
>>> 4.70 now. But I do not want anyone to know it, for security reasons.
>>>
>>> When I telnet to my SMTP server with port 25, I got the following
>>>
>>> 220 mai.xxx.com ESMTP Exim 4.70 Wed, 15 Sep 2010 18:33:07 +0800
>>>
>>> Can I hide the version number?
>>>
>>> Thank you very much!
>>>
>>> Michael
>> Michael,
>>
>> See other responses in re using a banner that does not reveal the
>> software.
>>
>> conducive.org/net answers a telnet connection with TOD only, for
>> example.
>>
>> But therein lies a tale - that is only a part of the battle, and
>> possibly the least important part.
>>
>> Outgoing traffic will still carry the Exim and version
>> identification you 'may' be seeking to conceal.
>>
>> Note my own posts to this list show:
>>
>> '...by conducive.net with esmtp (Exim 4.69 (FreeBSD)) '
>>
>> I've never looked at where THAT needs to be customized, but
>> obviously, customizing the smtp banner alone is not enough.
>
> It's the received_header_text in the main configuration that needs
> to be modified to remove the exim version number etc.
'Yes', 'No' and 'Maybe'. See (also) code example below.

Yes: As far as concealing prior information on traffic traversing your *own*
MTA, - it could, as mentioned, hide the initial connection info so as to reduce
risk of badly-conceived BL hammering traffic on the basis of what first-mile ISP
or IP-pool was used.

No: It won't make a change in the case I cited. Check the full headers of this
post. It is tahini adding that last header that IDs my server by Exim version
(and OS). (tahini is running Exim 4.72 and AFAIK on Linux, not BSD)

I don't control tahini, and would not alter that line (at tahini) if I did do.

Maybe: We are all looking in the wrong place.

- telnet will show my smtp greeting banner as bland

- tahini sees the full info anyway

- Ergo, I suspect it is my 'outbound' handshake when submitting TO tahini that
is providing the info.

...and no one has yet mentioned how to alter that.

Not sure I agree a need, so am too lazy to research it further.

But I will test it and report results if someone else finds the code.

Bill
>
>> ...hopefully one of the wiser folks will chip in....
>
> A long time ago, when I thought I was far more paranoid, I used to
> change both the received_header_text and the SMTP greeting. Here's
> the appropriate snippet from the configuration I used:
>
> # A multi-line response is said to confuse some ratware.  So, as
> # it's cheap, we'll buy into this.  We'll also lie about who we are.
> smtp_banner = Greetings from MMDF-2.44.\n\
>               I'm pleased to meet you.\n\
>               ${primary_hostname} SMTP Server ready.
>
> # We'll also be shy about announcing who we are on the Received
> # lines we generate.  Also hide the IP addresses of authenticated
> # users.  No need to expose their home machines to the unwashed
> # masses.  The information is in the logs if we ever need it.
> received_header_text = Received: \
>   ${if and {{def:sender_host_address}{def:authenticated_id}}\
>     {from authenticated user }\
>     {${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
>      {${if def:sender_ident {from ${quote_local_part:$sender_ident} }}\
>      ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}}}\
>   by $primary_hostname \
>   ${if def:received_protocol {with $received_protocol}} \
>   ${if def:tls_cipher {($tls_cipher)}}\
>   \n\t\
>   ${if def:sender_address \
>   {(envelope-from <$sender_address>)\n\t}}\
>   id $message_exim_id\
>   ${if def:received_for {\n\tfor $received_for}}
>
> I'm not sure that all this is necessary now my paranoia is partially
> cured. But I'd still hide the IP address of authenticated users.
> It's a small snippet of information that I see no reason to leak to
> the outside world.
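The thread argues about which side leaks the software name, version, OS and client IP: the 220 greeting (smtp_banner) or the Received: line (received_header_text). A quick way to settle that for your own server is to audit both strings. The script below is an added example, not code from the thread or from the Exim project: it applies a few heuristic regexes to an SMTP greeting or a Received: header and reports what a reader learns. The Exim 4.70 banner is the one quoted by Michael; the other banners and headers are constructed samples, the product and OS lists are illustrative rather than exhaustive, and `fetch_banner` is a convenience for reading the greeting of a server you administer (it is not used by the offline samples).

```python
"""Audit SMTP greetings and Received: headers for software, OS and client-IP
disclosure. Added example for the exim-users thread; regexes, sample inputs
and helper names are my own constructions, not Exim's."""
import re
import socket

# "<product> <version>" as it appears in greetings ("ESMTP Exim 4.70") and in
# the protocol comment of Received: lines ("(Exim 4.69 (FreeBSD))").
# Case-sensitive on purpose so a hostname like exim.example.com is not flagged.
MTA_RE = re.compile(
    r"\b(Exim|Postfix|Sendmail|MMDF|qmail|Microsoft ESMTP MAIL Service)\b"
    r"[ -]?v?(\d+(?:\.\d+)+)?"
)
OS_RE = re.compile(r"\b(FreeBSD|OpenBSD|NetBSD|Debian|Ubuntu|Red Hat|CentOS|Linux|Solaris)\b")
# Dotted IPv4 literals, e.g. the submitting client's address in "from [192.0.2.10]".
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def audit(text):
    """Return what `text` reveals: software as (name, version-or-None) pairs,
    OS names, and IPv4 literals."""
    return {
        "software": [(m.group(1), m.group(2)) for m in MTA_RE.finditer(text)],
        "os": OS_RE.findall(text),
        "ipv4": IPV4_RE.findall(text),
    }


def discloses(text):
    """True if the greeting or header leaks software, OS or a client IP."""
    found = audit(text)
    return bool(found["software"] or found["os"] or found["ipv4"])


def fetch_banner(host, port=25, timeout=5.0):
    """Read the (possibly multi-line) 220 greeting from a server you administer
    and return it as one string; sends QUIT afterwards."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace", newline="\r\n")
        lines = []
        for line in reader:
            line = line.rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":  # "220-" continues, "220 " ends
                break
        sock.sendall(b"QUIT\r\n")
    return "\n".join(lines)


# Constructed samples (the first banner is the one quoted in the thread).
BANNER_DEFAULT = "220 mai.xxx.com ESMTP Exim 4.70 Wed, 15 Sep 2010 18:33:07 +0800"
BANNER_BLAND = "220 mail.example.net ESMTP ready"
BANNER_DECOY = ("220-Greetings from MMDF-2.44.\n"
                "220-I'm pleased to meet you.\n"
                "220 mail.example.net SMTP Server ready.")
RECEIVED_VERBOSE = ("Received: from [192.0.2.10] (helo=home.example.org)\n\t"
                    "by mail.example.net with esmtpsa (Exim 4.69 (FreeBSD))\n\t"
                    "(envelope-from <user@example.net>)\n\tid 1abcde-000123-Xy")
RECEIVED_SHY = ("Received: from authenticated user by mail.example.net with esmtpsa\n\t"
                "(envelope-from <user@example.net>)\n\tid 1abcde-000123-Xy")
SAMPLES = {
    "default banner": BANNER_DEFAULT,
    "bland banner": BANNER_BLAND,
    "decoy banner": BANNER_DECOY,
    "verbose Received": RECEIVED_VERBOSE,
    "shy Received": RECEIVED_SHY,
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        verdict = "LEAKS" if discloses(sample) else "ok"
        print(f"{label:>17}: {verdict} {audit(sample)}")
```

Two things the output makes visible. First, the default Exim banner and the default-style Received: line leak different things (the banner gives product and version; the Received: line adds the OS and the submitting client's address), so fixing only smtp_banner, as Bill observed, is not enough. Second, the checker flags Dennis's MMDF decoy banner as a disclosure because it cannot tell a lie from the truth, which is exactly what a decoy relies on; if you use one, expect scanners to record it as fact.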