Re: [exim] VRFY and EXPN: need I really them?

Top Page
Delete this message
Reply to this message
Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] VRFY and EXPN: need I really them?
Luca Bertoncello <lucabert@???> (So 15 Jan 2017 18:51:33 CET):
> Jeremy Harris <jgh@???> schrieb:
>
> > On 15/01/17 17:28, Luca Bertoncello wrote:
> > > 1) are these commands enabled? I'd say not, if I understand the answer...
> > > I don't have any smtp_verify nor smtp_expn_hosts in my configure
> >
> > http://exim.org/exim-html-current/doc/html/spec_html/ch-smtp_processing.html#SECID237
>
> First, maybe you can write some words, too, isn't it? :)


Why. If the answer is given already?

> Then to my problem...
> OK, now I know why Exim answer the commands and that they are NOT enabled.
>
> Am I right to say that there are NO security issue in my Exim (4.88)
> regarding VRFY and EXPN?


Yes. There is no security issue in Exim at all, if you configure it
right or if you use the default example configuration. All other
security issues are due to configuration errors. (Thus you *can* run
commands on VRFY or EXPN via acl expansions. This *can* create security
issues.)

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -