Re: security issue with smtp-compliant applications
On Fri, Nov 16, 2001 at 02:01:43PM -0500, James D. Freels wrote:
> My employee scans our machines for security problems. A potential
> security problem has been uncovered for both "exim" and "smail"
> packages. A solution is provided for sendmail if it were the MTA, but
> since it is not, I need help with an equivalent configuration.
> Here is the information of the issue:
> smtpexpn: SMTP EXPN command (CAN-1999-0531)
> Simple Mail Transfer Protocol (SMTP)-compliant applications, such as
> the Sendmail program EXPN, could allow an attacker to determine
> if an account exists on a system, providing significant assistance to a
> brute force attack on user accounts. EXPN provides additional
> information concerning users on the system, such as if they exist and
> their full names. This information can be useful in further attacks.
See the 'smtp_expn_hosts' directive in exim.
Regards, Yotam Rubin
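
A way to confirm the scanner finding is closed after EXPN has been restricted with 'smtp_expn_hosts', added here as an example that is not part of the original thread: it sends EXPN over an open connection to an MTA you administer and reports whether the name was expanded. The host names, reply texts and the fake_mta stand-in are constructed so the check runs offline.

```python
import socket
import threading

def read_reply(f):
    """Read one SMTP reply, following 'NNN-' continuation lines."""
    texts = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        texts.append(line[4:])
        if line[3:4] != "-":  # a space (or nothing) marks the last line
            return int(line[:3]), texts

def send(f, command):
    f.write(command.encode("ascii") + b"\r\n")
    f.flush()
    return read_reply(f)

def check_expn(sock, name="postmaster"):
    """EXPN a name on your own MTA: 250 means expanded, 5xx means refused."""
    with sock.makefile("rwb") as f:
        read_reply(f)  # 220 greeting
        send(f, "HELO audit.example.test")  # constructed client name
        code, texts = send(f, "EXPN " + name)
        send(f, "QUIT")
    return {"code": code, "exposed": code == 250, "names": texts if code == 250 else []}

def fake_mta(sock, expn_reply):
    """Constructed stand-in for an MTA so the example runs offline."""
    with sock, sock.makefile("rwb") as f:
        f.write(b"220 mail.example.test ESMTP\r\n")
        f.flush()
        for line in f:
            verb = line.split()[0].upper() if line.strip() else b""
            f.write(expn_reply if verb == b"EXPN" else
                    b"221 closing\r\n" if verb == b"QUIT" else b"250 ok\r\n")
            f.flush()
            if verb == b"QUIT":
                break

def audit(expn_reply):
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_mta, args=(server, expn_reply))
    t.start()
    with client:
        result = check_expn(client)
    t.join()
    return result
```

Against a real server, pass check_expn a socket from socket.create_connection() to port 25 of the MTA being audited; a result with "exposed" set to False is the outcome the scan is looking for.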