
Re: security issue with smtp-compliant applications

On Fri, Nov 16, 2001 at 02:01:43PM -0500, James D. Freels wrote:
> My employee scans our machines for security problems.  A potential 
> security problem has been uncovered for both "exim" and "smail" 
> packages.  A solution is provided for sendmail if it were the MTA, but 
> since it is not, I need help with an equivalent configuration.
> Here is the information of the issue:
> smtpexpn: SMTP EXPN command (CAN-1999-0531)
> Simple Mail Transfer Protocol (SMTP)-compliant applications, such as 
> the Sendmail program EXPN, could allow an attacker to determine 
> if an account exists on a system, providing significant assistance to a 
> brute force attack on user accounts. EXPN provides additional 
> information concerning users on the system, such as if they exist and 
> their full names. This information can be useful in further attacks.

See the 'smtp_expn_hosts' directive in exim.

	Regards, Yotam Rubin
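
A way to confirm the scanner finding is closed once EXPN has been restricted on your own MTA, given as an added example that is not part of the original messages. The host, port, account name and sample replies are assumptions constructed for illustration, and the 550 text is not Exim's actual wording.

```python
import smtplib
import sys

# Constructed sample replies (not captured from a real server).
SAMPLE_OPEN = "250-Alice Example <alice@example.org>\r\n250 Bob Example <bob@example.org>"
SAMPLE_CLOSED = "550 EXPN not available"

def parse_reply(raw):
    """Parse a (possibly multi-line) SMTP reply into (code, [text lines])."""
    code, texts = None, []
    for line in raw.splitlines():
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("not an SMTP reply line: %r" % line)
        if code is not None and int(line[:3]) != code:
            raise ValueError("reply code changes mid-reply: %r" % line)
        code = int(line[:3])
        texts.append(line[4:])  # skip the code and the '-' or ' ' separator
    if code is None:
        raise ValueError("empty reply")
    return code, texts

def classify_expn_reply(code):
    """Turn the reply code for an EXPN command into an audit verdict."""
    if code == 252:
        return "unconfirmed"  # accepted, but the server declines to verify
    if 200 <= code < 300:
        return "exposed"      # name was expanded: account details disclosed
    if 400 <= code < 500:
        return "deferred"     # temporary failure, test again later
    if 500 <= code < 600:
        return "refused"      # not expanded (disabled, unrecognised or rejected)
    return "unknown"

def audit_expn(host="localhost", port=25, name="postmaster", timeout=10):
    """Send EXPN for a name known to exist on our own MTA; return (code, verdict).

    Use an existing name so that a 5xx reply means the command was refused
    rather than that the name was simply not found.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _msg = smtp.expn(name)
    return code, classify_expn_reply(code)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, *audit_expn(target))
```

Run it from a host that is not supposed to be allowed EXPN; a verdict of "exposed" means the restriction is not in effect for that client.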
