
security issue with smtp-compliant applications



My employee scans our machines for security problems.  A potential 
security problem has been uncovered for both "exim" and "smail" 
packages.  A solution is provided for sendmail if it were the MTA, but 
since it is not, I need help with an equivalent configuration.

Here is the information on the issue:

smtpexpn: SMTP EXPN command (CAN-1999-0531)

Simple Mail Transfer Protocol (SMTP)-compliant applications, such as 
the Sendmail program's EXPN command, could allow an attacker to determine 
whether an account exists on a system, providing significant assistance to a 
brute force attack on user accounts. EXPN provides additional 
information concerning users on the system, such as whether they exist and 
their full names. This information can be useful in further attacks.

Remedy:

If you are running Sendmail, add the line Opnoexpn to your Sendmail 
configuration file, usually located in /etc/sendmail.cf. For other mail 
servers, contact your vendor for information on how to disable the 
expand command. 

Upgrade to the latest version of Sendmail (8.11.4 or later), available 
from the Sendmail Consortium Web site. See References. 

 --OR-- 

Apply the appropriate patch for your system, available from the 
Sendmail Consortium FTP site. See References.

I am stuck on the last remedy and hope someone from this mailing list 
can provide the solution.

Thanks...
  
-- 
James D. Freels, P.E._i, Ph.D.
Oak Ridge National Laboratory
freelsjd@ornl.gov - work
jdfreels@home.com - home
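The following is an added example, not part of the original post or of any MTA's code. It reproduces the check the scanner performed and gives a way to confirm a fix on exim or smail without knowing their configuration syntax: it asks the server about an account that should exist and one that should not, using both EXPN and VRFY, and reports the server as an enumeration oracle whenever the two reply codes differ. A tiny in-process fake SMTP server (constructed here, with reply texts modelled on sendmail's default and "noexpn,novrfy" behaviour) stands in for the real MTA so the example runs offline; the account names `root`, `postmaster` and `zz9nosuchuser`, and the hostname `mta.example`, are assumptions.

```python
"""Oracle check for SMTP EXPN/VRFY account enumeration (CAN-1999-0531).

Added example, not from the original post.  The fake server below is a
stand-in for exim/smail/sendmail so the probe can be exercised offline.
"""
import smtplib
import socketserver
import threading


def probe_enumeration(host, port, real="root", bogus="zz9nosuchuser", timeout=5.0):
    """Issue EXPN and VRFY for a real and a bogus local part.

    Returns {"EXPN": (code_real, code_bogus, leaks), "VRFY": (...)}.
    Only the numeric reply code is compared: a server that answers every
    EXPN with 502 (not implemented) or every VRFY with 252 (cannot verify,
    will try delivery) tells the attacker nothing, whereas 250/251 for one
    name and 550 for the other confirms exactly which accounts exist.
    """
    results = {}
    # local_hostname avoids a reverse-DNS lookup of our own address
    with smtplib.SMTP(host, port, local_hostname="localhost", timeout=timeout) as smtp:
        for name, fn in (("EXPN", smtp.expn), ("VRFY", smtp.verify)):
            code_real, _ = fn(real)
            code_bogus, _ = fn(bogus)
            results[name] = (code_real, code_bogus, code_real != code_bogus)
    return results


class _FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder; server.hardened selects the reply policy."""

    KNOWN = {"root", "postmaster"}  # constructed sample accounts

    def handle(self):
        self.wfile.write(b"220 mta.example ESMTP (fake)\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            if verb in ("EXPN", "VRFY"):
                reply = self._enum_reply(verb, arg.strip())
                self.wfile.write(reply.encode("ascii") + b"\r\n")
            else:
                self.wfile.write(b"250 OK\r\n")

    def _enum_reply(self, verb, user):
        if self.server.hardened:
            # Modelled on sendmail with PrivacyOptions=noexpn,novrfy:
            # the same answer regardless of whether the user exists.
            if verb == "EXPN":
                return "502 5.7.0 Sorry, we do not allow this operation"
            return "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
        # Weak default: confirm or deny the account outright.
        if user in self.KNOWN:
            return f"250 2.1.5 <{user}@mta.example>"
        return f"550 5.1.1 {user}... User unknown"


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    """Constructed stand-in MTA bound to an ephemeral loopback port."""

    allow_reuse_address = True

    def __init__(self, hardened):
        super().__init__(("127.0.0.1", 0), _FakeSMTPHandler)
        self.hardened = hardened
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def port(self):
        return self.server_address[1]


def run_demo(hardened):
    """Start a fake MTA with the given policy, probe it, and shut it down."""
    srv = FakeSMTPServer(hardened)
    try:
        return probe_enumeration("127.0.0.1", srv.port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "default ", run_demo(hardened))
```

Against a real host, call `probe_enumeration("mailhost", 25)` before and after changing the MTA's EXPN/VRFY settings; the fix is confirmed when the third element of both tuples is `False`. Note that a 550 for the bogus name is as much of a leak as a 250 for the real one, which is why the check compares the two codes rather than looking for a single "bad" reply.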
