Re: [exim] VRFY and EXPN: need I really them?

Top Page
Delete this message
Reply to this message
Author: Luca Bertoncello
Date:  
To: exim-users
Subject: Re: [exim] VRFY and EXPN: need I really them?
Heiko Schlittermann <hs@???> schrieb:

> > > http://exim.org/exim-html-current/doc/html/spec_html/ch-smtp_processing.html#SECID237
> >
> > First, maybe you can write some words, too, isn't it? :)
>
> Why. If the answer is given already?


Politeness? ;)
Or maybe because maybe the person with the problem is not sure about the
meaning of the page?

> > Then to my problem...
> > OK, now I know why Exim answer the commands and that they are NOT enabled.
> >
> > Am I right to say that there are NO security issue in my Exim (4.88)
> > regarding VRFY and EXPN?
>
> Yes. There is no security issue in Exim at all, if you configure it
> right or if you use the default example configuration. All other


Well, I would NOT be so sure...
If Exim has no security issue at all it's not needed to develop it forward...
You should say "at the time, no security issues are known in Exim, using the
default configuration or configuring it right"... :)

> security issues are due to configuration errors. (Thus you *can* run
> commands on VRFY or EXPN via acl expansions. This *can* create security
> issues.)


Could you please explain your last sentence? I really don't understand it...

Thanks
Luca Bertoncello
(lucabert@???)