Question PCI compliance - Postfix EXPN/VRFY issue

iain
New Pleskian

Server operating system version: Ubuntu 22.04.5
Plesk version and microupdate number: 18.0.64 #1
Hi,
I've been sorting out a few PCI compliance issues from their scans, but this one I can't fix:

Multiple Mail Server EXPN/VRFY Information Disclosure
The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information.


I'm using Postfix and Dovecot. We also have sendmail for scripts, but I assume remote hosts can't access that.

After a search I checked /etc/postfix/main.cf and found 'disable_vrfy_command=yes' was already set.

The scan still complains.
Any ideas?
 
I can close this.
I DID switch off VRFY and EXPN, which was verified by telnetting into port 25 and EHLO. The issue is our provider has enforced everyone to use a mail relay so they can control spam etc., but when they scan, users are retrieved from them (see below).

nmap -Pn -p25 ###.co.uk --script smtp-enum-users.nse --script-args smtp-enum-users.methods=EXPN,VRFY
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-24 08:49 MDT
Nmap scan report for ##### (######)
Host is up (0.13s latency).
rDNS record for xxxxxxxx.host.secureserver.net

PORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
| root
| admin
| administrator
| webadmin
| sysadmin
| netadmin
| guest
| user
| web
|_ test

Those are not our users!

We now have no other choice but to switch off port 25. We don't really use it, so no biggie I suppose.
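The whole thread turns on one question: which host actually answers on port 25 for the scanned name, and does that host honour VRFY/EXPN? The script below is an added example, not code from the thread or from Plesk. It runs the same EHLO/VRFY/EXPN/QUIT exchange a scanner does, records the host name in the 220 greeting (so a provider relay answering instead of your own Plesk box is visible at once), and classifies each reply. The host names, the relay's replies and the probe names are constructed for the example; the "502 5.5.1 VRFY command is disabled" reply is what Postfix returns when disable_vrfy_command = yes is set, and "502 5.5.2 Error: command not recognized" is its reply to EXPN, which Postfix does not implement. The in-memory ScriptedServer lets the exchange run offline; probe_host runs the same client logic against a live listener.

```python
"""Probe an SMTP listener for VRFY/EXPN disclosure and record who answered.

Added example, not code from the thread: host names, the relay's replies
and the probe names are constructed; the 502 replies are Postfix's own text
for a VRFY-disabled server (disable_vrfy_command = yes) and for EXPN.
"""
import socket

PROBE_NAMES = ("root", "admin", "test")   # constructed guesses, like the scanner's list


def read_reply(rfile):
    """Read one SMTP reply (single or multi-line). Returns (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "250-..." continues, "250 ..." ends the reply
            break
    return int(lines[0][:3]), lines


def send(wfile, command):
    wfile.write((command + "\r\n").encode("ascii"))
    wfile.flush()


def classify(code):
    """Verdict for a VRFY/EXPN reply: 250/251 confirm an address, 252 dodges, 5xx refuses."""
    if code in (250, 251):
        return "disclosed"
    if code == 252:
        return "ambiguous"
    return "refused"


def probe(rfile, wfile, helo_name="scanner.example"):
    """Run EHLO, VRFY for each probe name, EXPN and QUIT over an open connection."""
    code, greeting = read_reply(rfile)
    if code != 220:
        raise RuntimeError("unexpected greeting: %r" % greeting)
    # The greeting names the host that really answered: your box or the provider's relay.
    words = greeting[0].split()
    responder = words[1] if len(words) > 1 else "?"
    send(wfile, "EHLO " + helo_name)
    read_reply(rfile)

    findings = {}
    for name in PROBE_NAMES:
        send(wfile, "VRFY " + name)
        code, lines = read_reply(rfile)
        findings["VRFY " + name] = (code, classify(code), lines[-1])
    send(wfile, "EXPN postmaster")
    code, lines = read_reply(rfile)
    findings["EXPN postmaster"] = (code, classify(code), lines[-1])

    send(wfile, "QUIT")
    read_reply(rfile)
    verdicts = {v[1] for v in findings.values()}
    worst = "disclosed" if "disclosed" in verdicts else "ambiguous" if "ambiguous" in verdicts else "refused"
    return {"responder": responder, "findings": findings, "verdict": worst}


def probe_host(host, port=25, timeout=10):
    """Live version: open a TCP connection and run the probe against it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return probe(rfile, wfile)


class ScriptedServer:
    """In-memory stand-in for the socket files, so the exchange runs offline (constructed)."""
    def __init__(self, greeting, reply_for):
        self._pending = [greeting + "\r\n"]
        self._reply_for = reply_for

    def readline(self):
        return self._pending.pop(0).encode("ascii") if self._pending else b""

    def write(self, data):
        command = data.decode("ascii").rstrip("\r\n")
        verb, _, arg = command.partition(" ")
        self._pending.extend(line + "\r\n" for line in self._reply_for(verb.upper(), arg))

    def flush(self):
        pass


def hardened_postfix(verb, arg):
    """Replies of a Postfix with disable_vrfy_command = yes; EXPN is not implemented at all."""
    return {
        "EHLO": ["250-mail.example.co.uk", "250-PIPELINING", "250 8BITMIME"],
        "VRFY": ["502 5.5.1 VRFY command is disabled"],
        "EXPN": ["502 5.5.2 Error: command not recognized"],
        "QUIT": ["221 2.0.0 Bye"],
    }.get(verb, ["500 5.5.2 Error: bad syntax"])


def leaky_relay(verb, arg):
    """Constructed provider relay that confirms every name it is asked about."""
    return {
        "EHLO": ["250 relay.provider.example"],
        "VRFY": ["250 2.1.5 <%s@relay.provider.example>" % arg],
        "EXPN": ["250 2.1.5 <postmaster@relay.provider.example>"],
        "QUIT": ["221 2.0.0 Bye"],
    }.get(verb, ["500 5.5.2 Error: bad syntax"])


def probe_scripted(greeting, reply_for):
    """Run the same client logic against a scripted server instead of a socket."""
    server = ScriptedServer(greeting, reply_for)
    return probe(server, server)


if __name__ == "__main__":
    for label, greeting, reply_for in (
        ("own Plesk host", "220 mail.example.co.uk ESMTP Postfix (Ubuntu)", hardened_postfix),
        ("provider relay", "220 relay.provider.example ESMTP", leaky_relay),
    ):
        result = probe_scripted(greeting, reply_for)
        print(label, "->", result["responder"], result["verdict"])
        for cmd, (code, verdict, reply) in result["findings"].items():
            print("   ", cmd, code, verdict, reply)
```

Run it against the scripted servers to see both outcomes side by side, then point probe_host at the scanned name: if the responder in the 220 banner is not your own host, the VRFY/EXPN finding belongs to whoever runs that relay, and no main.cf setting on the Plesk box will change the scan result.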