
Question PCI compliance - Postfix EXPN/VRFY issue

iain

New Pleskian
Server operating system version
Ubuntu 22.04.5
Plesk version and microupdate number
18.0.64 #1
Hi,
I've been sorting out a few PCI compliance issues from their scans but this one I can't fix:

Multiple Mail Server EXPN/VRFY Information Disclosure
The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information.


I'm using Postfix and Dovecot. We do also have sendmail for scripts but I assume remote hosts can't access that.

After a search I checked /etc/postfix/main.cf and found 'disable_vrfy_command=yes' was already set.

The scan still complains..
Any ideas?
 
I can close this.
I DID switch off VRFY and EXPN, which was verified by telnetting into port 25 and EHLO. The issue is our provider has forced everyone to use a mail relay so they can control spam etc., but when they scan, users are retrieved from them... (see below)

nmap -Pn -p25 ###.co.uk --script smtp-enum-users.nse --script-args smtp-enum-users.methods=EXPN,VRFY
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-24 08:49 MDT
Nmap scan report for ##### (######)
Host is up (0.13s latency).
rDNS record for xxxxxxxx.host.secureserver.net

PORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
| root
| admin
| administrator
| webadmin
| sysadmin
| netadmin
| guest
| user
| web
|_ test

Those are not our users!

We now have no other choice but to switch off port 25. We don't really use it so no biggy I suppose ..
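
An added example, not part of the original posts: a small Python check that reads a port-25 session transcript and reports which host actually answered and whether its VRFY/EXPN replies disclose anything. The transcripts, host names, reply texts and the canary name are constructed for illustration, and the relay's behaviour is an assumption, not the provider's real output.

```python
import re

# Constructed transcripts (not from the thread). "C:" = client, "S:" = server.
OWN_POSTFIX = """S: 220 mail.example.test ESMTP Postfix
C: VRFY root
S: 502 5.5.1 VRFY command is disabled
C: EXPN root
S: 502 5.5.2 Error: command not recognized
"""
# Assumed behaviour of a relay in front of the server: same reply for any name.
RELAY = """S: 220 relay.provider.example ESMTP
C: VRFY root
S: 250 2.0.0 root
C: VRFY zz-canary-7f3a
S: 250 2.0.0 zz-canary-7f3a
C: EXPN root
S: 502 5.5.1 not implemented
"""

def audit(transcript, expected_host, canary="zz-canary-7f3a"):
    """Summarise one SMTP session: who answered, and what VRFY/EXPN revealed."""
    banner = re.search(r"^S: 220[ -](\S+)", transcript, re.M)
    result = {"banner_host": banner.group(1) if banner else None}
    # A scan that lands on a relay says nothing about main.cf on your own box.
    result["is_expected_host"] = result["banner_host"] == expected_host
    # Pair each client VRFY/EXPN with the status code on the next server line.
    pairs = re.findall(r"^C: (VRFY|EXPN) (\S+)\r?\nS: (\d{3})", transcript, re.M)
    for verb in ("VRFY", "EXPN"):
        codes = {arg: int(code) for v, arg, code in pairs if v == verb}
        if not codes:
            result[verb] = "not tested"
        elif all(c in (500, 502) for c in codes.values()):
            result[verb] = "disabled"        # command refused outright
        elif canary in codes and len(set(codes.values())) == 1:
            result[verb] = "indiscriminate"  # nonexistent canary got the same reply
        else:
            result[verb] = "discloses"       # replies vary by name, or no canary sent
    return result

if __name__ == "__main__":
    for name, t in (("own", OWN_POSTFIX), ("relay", RELAY)):
        print(name, audit(t, "mail.example.test"))
```

An "indiscriminate" result means the listed names were accepted without being checked against real mailboxes, and a banner host that does not match the expected one means the finding belongs to whatever sits in front of the server.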
 