[Postfixbuch-users] disable_vrfy_command = yes
Marc Samendinger
marc.samendinger at sp-online.de
Mi Jun 2 13:24:58 CEST 2004
> -----Original Message-----
> From: postfixbuch-users-bounces at listi.jpberlin.de
> [mailto:postfixbuch-users-bounces at listi.jpberlin.de] On
> Behalf Of usenet at deiszner.de
>
>
> Hello,
>
> I found something:
> http://icauce.org/proceedings/Devdas%20Bhagat.pdf
>
> I did a bit of research and it said that you should set this
> to YES to make brute force attacks harder.
>
> What does this command do?
Disables the SMTP command VRFY.
RFC 2821
4.1.1.6 VERIFY (VRFY)
This command asks the receiver to confirm that the argument
identifies a user or mailbox. If it is a user name, information is
returned as specified in section 3.5.
This command has no effect on the reverse-path buffer, the forward-
path buffer, or the mail data buffer.
Syntax:
"VRFY" SP String CRLF
7.3 VRFY, EXPN, and Security
As discussed in section 3.5, individual sites may want to disable
either or both of VRFY or EXPN for security reasons. As a corollary
to the above, implementations that permit this MUST NOT appear to
have verified addresses that are not, in fact, verified. If a site
disables these commands for security reasons, the SMTP server MUST
return a 252 response, rather than a code that could be confused with
successful or unsuccessful verification.
Returning a 250 reply code with the address listed in the VRFY
command after having checked it only for syntax violates this rule.
Of course, an implementation that "supports" VRFY by always returning
550 whether or not the address is valid is equally not in
conformance.
Within the last few years, the contents of mailing lists have become
popular as an address information source for so-called "spammers."
The use of EXPN to "harvest" addresses has increased as list
administrators have installed protections against inappropriate uses
of the lists themselves. Implementations SHOULD still provide
support for EXPN, but sites SHOULD carefully evaluate the tradeoffs.
As authentication mechanisms are introduced into SMTP, some sites may
choose to make EXPN available only to authenticated requestors.
> Thanks
>
> Sebastian
hth
marc
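To make the point of the RFC excerpt concrete, here is a small added example (not from the list post, the RFC, or Postfix itself) that models two VRFY reply behaviours side by side: a handler that looks the argument up and answers 250 or 550, which turns VRFY into an address oracle, and a handler that returns the 252 reply the RFC prescribes when the command is disabled. The user list, domain and reply texts are constructed for the example; the check functions simply compare the reply codes a handler gives for different arguments.

```python
"""Model of VRFY reply behaviour as discussed in RFC 2821 section 7.3 (added example)."""

# Constructed stand-in for the server's mailbox database (assumption, not a real system).
KNOWN_USERS = {"alice", "bob"}
DOMAIN = "example.com"  # constructed


def _local_part(arg: str) -> str:
    """Reduce a VRFY argument such as '<alice@example.com>' or 'alice' to its local part."""
    return arg.strip().strip("<>").split("@", 1)[0]


def vrfy_leaky(arg: str) -> str:
    """'Before' behaviour: the reply code depends on whether the mailbox exists.

    250 for a known user and 550 for an unknown one lets a client enumerate
    valid addresses one VRFY at a time, which is exactly the harvesting risk
    the RFC warns about.
    """
    local = _local_part(arg)
    if local in KNOWN_USERS:
        return f"250 <{local}@{DOMAIN}>"
    return "550 5.1.1 User unknown"


def vrfy_disabled(arg: str) -> str:
    """Behaviour the RFC requires when a site disables VRFY: a 252 reply that
    neither confirms nor denies the address, regardless of the argument.
    (Reply text is constructed; it is not Postfix's wording.)"""
    return "252 2.5.2 Cannot VRFY user; send some mail and the server will try to deliver it"


def reply_code(reply: str) -> int:
    """Extract the three-digit SMTP reply code."""
    return int(reply[:3])


def reveals_existence(handler, probes) -> bool:
    """True when the handler answers different probes with different codes,
    i.e. the reply code acts as an oracle for which addresses exist."""
    codes = {reply_code(handler(p)) for p in probes}
    return len(codes) > 1


def disabled_per_rfc(handler, probes) -> bool:
    """True when every probe gets a 252, the only reply the RFC permits for a
    disabled VRFY (a constant 550 would not be conformant either)."""
    return all(reply_code(handler(p)) == 252 for p in probes)


if __name__ == "__main__":
    probes = ["alice", "<bob@example.com>", "mallory"]  # constructed sample arguments
    for name, handler in (("leaky", vrfy_leaky), ("disabled", vrfy_disabled)):
        print(f"{name}: oracle={reveals_existence(handler, probes)} "
              f"rfc-disabled={disabled_per_rfc(handler, probes)}")
        for p in probes:
            print(f"  VRFY {p} -> {handler(p)}")
```

Run against the constructed probes, the leaky handler is flagged as an oracle and the 252 handler is not; the same two checks apply to any reply captured from your own server when confirming that the setting took effect.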