Re: [exim] VRFY and EXPN: need I really them?

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Kurt Jaeger
Ημερομηνία:  
Προς: Luca Bertoncello
Υ/ο: exim-users
Αντικείμενο: Re: [exim] VRFY and EXPN: need I really them?
Hi!

> Heiko Schlittermann <hs@???> schrieb:
> > > > http://exim.org/exim-html-current/doc/html/spec_html/ch-smtp_processing.html#SECID237


> > > First, maybe you can write some words, too, isn't it? :)


> > Why. If the answer is given already?
>
> Politeness? ;)


There are very few people having the time to answer questions,
don't take terseness as unpolitness 8-}

> Or maybe because maybe the person with the problem is not sure about the
> meaning of the page?


Maybe, but guessing takes time, too 8-)

> > > Then to my problem...
> > > OK, now I know why Exim answer the commands and that they are NOT enabled.
> > >
> > > Am I right to say that there are NO security issue in my Exim (4.88)
> > > regarding VRFY and EXPN?
> >
> > Yes. There is no security issue in Exim at all, if you configure it
> > right or if you use the default example configuration. All other
>
> Well, I would NOT be so sure...
> If Exim has no security issue at all it's not needed to develop it forward...


Don't be so pedantic 8-) 4.88 was just released, so we're all
happy and think we have all bases covered.

> > security issues are due to configuration errors. (Thus you *can* run
> > commands on VRFY or EXPN via acl expansions. This *can* create security
> > issues.)
>
> Could you please explain your last sentence? I really don't understand it...


Well, in theory you can execute any kind of command if you
set some acl_smtp_vrfy/expn, even insecure commands -- so
nobody is save from shooting one's foot if one configures
things like that.

-- 
pi@???            +49 171 3101372                         3 years to go !