Get APLawrence.com by RSSSendmail VRFY
Sun Sep 19 14:11:23 2004 Sendmail
VRFY
Posted by Tony Lawrence
Search Keys: security,mail
In the process of doing some testing of a mail server, I noticed a piece of spam mail delivered to an address that no one should have known about. This disturbed me greatly, because the only place that address appeared was in the mail alias file on my server. Had my server been compromised?
Well, no, but as they say "mistakes had been made". After I had checked everything I could, I was reasonably sure that I hadn't been hacked, which meant that sendmail had to have coughed up that information through a VRFY command. But I have VRFY turned off.. or did I?
Well, no, I didn't. I THOUGHT I had, but I misunderstood the configuration on my hosted server and had put the options in the wrong file. Amazingly, that was a long, long time ago and I swear I remember testing this, but when I tried it again, my sendmail happily spit back alias addresses.
Ooops. Well, easily fixed. I replaced
O PrivacyOptions=authwarnings
in sendmail.cf with
O PrivacyOptions=goaway,restrictmailq,restrictqrun
"goaway" expands to "authwarnings, noexpn, novrfy, needmailhelo, needexpnhelo,needvrfyhelo".
Test your server by telneting to it on port 25 and try "vrfy yourname". If it doesn't reject you, you don't have these options set.
[root@kerio bin]# telnet aplawrence.com 25
Trying 64.226.42.29...
Connected to aplawrence.com (64.226.42.29).
Escape character is '^]'.
220 vps.pcunix.com ESMTP SMTP Ready; Sun, 19 Sep 2004 14:32:19 GMT
vrfy tony
252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)
expn root
502 5.7.0 Sorry, we do not allow this operation
quit
221 2.0.0 vps.pcunix.com closing connection
Connection closed by foreign host.
Enter your email address for automatic notification of new posts here
(be sure to whitelist 'feedburner.com' if you use spam filtering)
| Views for this page | ||||
|---|---|---|---|---|
| Today | This Week | This Month | This Year | Overall |
| 3 | 3 | 42 | 970 | 4,489 |
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.
Your ad here - $24.00 yearly!
http://www.schewanick.com SCO Unix, Solaris, Linx (various), PHP, MySQL, Apache, uniBasic, dL4, Perl, System Administration and more....
http://www.m3ipinc.com Security, firewalls, ids, audits, vulnerability assesments, BS7799, HIPAA, GLB, incident handling
SCO, OpenServer, UnixWare, software, servers, security, networks, installation, administration, troubleshooting, maintenance, Watchguard, firewalls, VPNs, e-mail. Visit us at http://opensystemscomputing.com and www.go2unix.com.
Related Posts
Publish your articles, comments, book reviews or opinions here!
CommentsBlog1091 :
It seems that this sort of configuration oversite is more common than one might suspect.
I log everything that goes through my mailserver (the info helps me to fine-tune the antispam features). Often, in perusing the log, I have run across entries where a remote server, responding to my server's EHLO command, has anounced that EXPN, VRFY, etc., are active. And this is on servers run by folks who really should know better!
--BigDumbDinosaur
Add your comments
Lone-Tar Backup and Disaster Recovery
for Linux and Unix