
Question PCI compliance - Postfix EXPN/VRFY issue

iain

New Pleskian
Server operating system version: Ubuntu 22.04.5
Plesk version and microupdate number: 18.0.64 #1
Hi,
I've been sorting out a few PCI compliance issues from their scans but this one I can't fix:

Multiple Mail Server EXPN/VRFY Information Disclosure
The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information.


I'm using Postfix and Dovecot. We do also have sendmail for scripts but I assume remote hosts can't access that.

After a search I checked /etc/postfix/main.cf and found 'disable_vrfy_command=yes' was already set.

The scan still complains..
Any ideas?
 
I can close this.
I DID switch off VRFY and EXPN, which was verified by telnetting into port 25 and EHLO. The issue is our provider has enforced everyone to use a mail relay so they can control spam etc., but when they scan, users are retrieved from them (see below).

nmap -Pn -p25 ###.co.uk --script smtp-enum-users.nse --script-args smtp-enum-users.methods=EXPN,VRFY
Starting Nmap 7.94 ( Nmap: the Network Mapper - Free Security Scanner ) at 2024-10-24 08:49 MDT
Nmap scan report for ##### (######)
Host is up (0.13s latency).
rDNS record for xxxxxxxx.host.secureserver.net

PORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
| root
| admin
| administrator
| webadmin
| sysadmin
| netadmin
| guest
| user
| web
|_ test

Those are not our users!

We now have no other choice but to switch off port 25. We don't really use it so no biggy I suppose ..
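An added example, not part of the original posts: a small check that records which host answered on port 25 (from the 220 greeting) alongside how it replied to VRFY and EXPN, so a finding caused by an upstream relay can be told apart from one caused by the local Postfix. The function names, the hostnames and the reply-code mapping are assumptions made for this illustration; the sample data is constructed.

```python
import smtplib

# Reply codes meaning the server declined to answer VRFY/EXPN at all:
# 252 "cannot VRFY user", 500/502 "not recognised / not implemented / disabled".
REFUSED = {252, 500, 502}

def classify(code):
    """Map one VRFY/EXPN reply code to a verdict (conservative, assumed mapping)."""
    if code in REFUSED:
        return "refused"
    if code in (250, 251) or 550 <= code <= 553:
        return "discloses"      # a per-mailbox yes/no answer is what the scan flags
    return "inconclusive"       # e.g. 421/45x temporary errors, 530 auth required

def banner_host(banner):
    """The first token of the 220 greeting is the responding server's hostname."""
    return banner.split()[0].lower() if banner.strip() else ""

def audit(banner, replies, expected_host):
    """Combine 'who answered' with 'what it answered' for one connection."""
    responder = banner_host(banner)
    return {
        "responder": responder,
        "is_expected_host": responder == expected_host.lower(),
        "verdicts": {cmd: classify(code) for cmd, code in replies.items()},
    }

def probe(host, expected_host, mailbox="postmaster", port=25, timeout=10):
    """Live check of a server you administer; returns the same dict as audit()."""
    with smtplib.SMTP(timeout=timeout) as smtp:
        _, banner = smtp.connect(host, port)
        smtp.ehlo()
        replies = {"VRFY": smtp.verify(mailbox)[0], "EXPN": smtp.expn(mailbox)[0]}
    return audit(banner.decode(errors="replace"), replies, expected_host)

if __name__ == "__main__":
    # Constructed samples: a Postfix host with VRFY disabled, and a relay in front.
    own = audit("mail.example.test ESMTP Postfix (Ubuntu)",
                {"VRFY": 502, "EXPN": 502}, "mail.example.test")
    relay = audit("relay.provider.example ESMTP",
                  {"VRFY": 250, "EXPN": 250}, "mail.example.test")
    print(own)
    print(relay)
```

If `is_expected_host` is false while a verdict is "discloses", the reply came from a different server than the one whose `main.cf` was edited, which matches the situation described in the second post.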
 