Re: security issue with smtp-compliant applications

To: debian-security@lists.debian.org
Subject: Re: security issue with smtp-compliant applications
From: Yotam Rubin <yotam@makif.omer.k12.il>
Date: Fri, 16 Nov 2001 21:12:32 +0200
Message-id: <[🔎] 20011116211232.A3048@insomnia17>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 0GMW00HQ1Q6W8C@email.cind.ornl.gov>
References: <[🔎] 0GMW00HQ1Q6W8C@email.cind.ornl.gov>

On Fri, Nov 16, 2001 at 02:01:43PM -0500, James D. Freels wrote:
> My employee scans our machines for security problems.  A potential 
> security problem has been uncovered for both "exim" and "smail" 
> packages.  A solution is provided for sendmail if it were the MTA, but 
> since it is not, I need help with an equivalent configuration.
> 
> Here is the information of the issue:
> 
> smtpexpn: SMTP EXPN command (CAN-1999-0531)
> 
> Simple Mail Transfer Protocol (SMTP)-compliant applications, such as 
> the Sendmail program EXPN, could allow an attacker to determine 
> if an account exists on a system, providing significant assistance to a 
> brute force attack on user accounts. EXPN provides additional 
> information concerning users on the system, such as if they exist and 
> their full names. This information can be useful in further attacks.
> 
>

See the 'smtp_expn_hosts' directive in exim.

	Regards, Yotam Rubin

Reply to:

References:
- security issue with smtp-compliant applications
  - From: "James D. Freels" <freelsjd@ornl.gov>

Prev by Date: security issue with smtp-compliant applications
Next by Date: Re: Re: Root is God? (was: Mutt & tmp files)
Previous by thread: security issue with smtp-compliant applications
Next by thread: MTAs
Index(es):
- Date
- Thread