[exim] VRFY and EXPN: need I really them?

Top Page
Delete this message
Reply to this message
Author: Luca Bertoncello
Date:  
To: Exim-Users
Subject: [exim] VRFY and EXPN: need I really them?
Hi list!

I'm installing a new Server and I installed Exim 4.88 (as I wrote yesterday.
BTW: problem solved, thanks!).

The Server is almost ready, so I used OpenVAS to check it and discover if I
forgot some security issue.
OpenVAS said that Exim supports VRFY and EXPN and that this might be a
security issue.
It suggests to disable them, if I don't really need them.

Well, I must say, that I'm really not sure IF I need them or not...
I'm not sure, too, if they are enable, since I can't see them in the
EHLO-answer and trying to verify an address results in:

VRFY lucabert@???
252 Administrative prohibition

The same for EXPN.

So, now the question(s):

1) are these commands enabled? I'd say not, if I understand the answer...
I don't have any smtp_verify nor smtp_expn_hosts in my configure
2) do I need them? I think not, but I'd like to know what can be not working
anymore if I disable them (if they are enabled...)
3) if they are not enabled, could someone explain me WHY OpenVAS says "The
Mailserver on this host answers to VRFY and/or EXPN requests."?

Thanks
Luca Bertoncello
(lucabert@???)