
Plesk 10.2 - FAILS PCI - qmail EXPN/VRFY

DickenW

New Pleskian
Version: Parallels Plesk for Unix/Linux 10.2
Operating System: Linux 2.6.18-53.1.21.el5

Affected service: psa-qmail 1.03-cos5.build1011110330.18


Our server is failing PCI Compliance checks because the mail daemon is responding to VRFY or EXPN requests.

Security Metrics say:

"Synopsis : It is possible to enumerate the names of valid users on the remote host. Description : The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information."

According to the control panel the mail daemon operating is qmail. I cannot find any advice online on disabling EXPN and/or VRFY in qmail (in fact, most websites say qmail does not support these in the first place!).

Any advice welcome!
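The scanner finding quoted above hinges on how the server replies to VRFY and EXPN, so it helps to see which reply codes actually disclose something and which merely acknowledge the command. The following is an added example written for this page, not code from the thread, from Plesk or from qmail: it classifies captured SMTP reply lines by RFC 5321 reply code and assesses a whole VRFY/EXPN exchange the way the quoted finding describes. All transcripts are constructed sample input (the qmail-style "252 send some mail" wording and the "502 ... disabled" wording are illustrative, not guaranteed to match any particular build), and it never opens a network connection.

```python
"""
Added example (not from the forum thread): classify SMTP replies to VRFY/EXPN
and assess a captured exchange offline.  Reply-code meanings follow RFC 5321
(sections 3.5.3 and 4.2).  All transcripts below are constructed samples.
"""
import re

# 250/251 confirm a mailbox; 550/551/553 confirm that it does NOT exist,
# which is just as useful to an enumerator as a positive answer.
INFO_LEAK_CODES = {"250", "251", "550", "551", "553"}
# 252 is the deliberately non-committal "I can't verify, but will try to deliver".
NON_COMMITTAL = {"252"}
# 5xx syntax/command errors mean the verb is refused outright.
REFUSED = {"500", "502", "503", "504"}

REPLY_RE = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])(?P<text>.*)$")


def classify_reply(reply_line: str) -> str:
    """Return 'leak', 'noncommittal', 'refused' or 'unknown' for one reply line."""
    m = REPLY_RE.match(reply_line.strip())
    if not m:
        return "unknown"
    code = m.group("code")
    if code in INFO_LEAK_CODES:
        return "leak"
    if code in NON_COMMITTAL:
        return "noncommittal"
    if code in REFUSED:
        return "refused"
    return "unknown"


def assess_transcript(transcript):
    """
    transcript: list of (client_command, server_reply) pairs.
    Returns the per-command verdicts and an overall finding:
      'leaks'   - some VRFY/EXPN reply confirmed or denied a mailbox
      'answers' - the server only acknowledged with 252 (what a scanner
                  reports as "answers to VRFY" even though nothing leaked)
      'clean'   - every VRFY/EXPN was refused
    """
    verdicts = {}
    for cmd, reply in transcript:
        verb = cmd.split(" ", 1)[0].upper()
        if verb not in ("VRFY", "EXPN"):
            continue  # only the two enumeration verbs matter here
        verdicts[cmd] = classify_reply(reply)
    if any(v == "leak" for v in verdicts.values()):
        finding = "leaks"
    elif any(v == "noncommittal" for v in verdicts.values()):
        finding = "answers"
    else:
        finding = "clean"
    return {"verdicts": verdicts, "finding": finding}


def hardened_reply(command: str) -> str:
    """Reply a defensively configured MTA gives (illustrative wording)."""
    verb = command.split(" ", 1)[0].upper()
    if verb in ("VRFY", "EXPN"):
        return f"502 5.5.1 {verb} command is disabled"
    return "250 2.0.0 OK"


# Constructed sample exchanges (not captured from any real server).
SAMPLE_QMAIL_STYLE = [
    ("EHLO scanner.example", "250 mail.example.com"),
    ("VRFY postmaster", "252 send some mail, i'll try my best"),
    ("EXPN staff", "502 unimplemented (#5.5.1)"),
]
SAMPLE_LEAKY = [
    ("VRFY alice", "250 <alice@example.com>"),
    ("VRFY nobody-here", "550 5.1.1 User unknown"),
]
SAMPLE_HARDENED = [(c, hardened_reply(c)) for c in ("VRFY alice", "EXPN staff")]


if __name__ == "__main__":
    for name, t in (("qmail-style", SAMPLE_QMAIL_STYLE),
                    ("leaky", SAMPLE_LEAKY),
                    ("hardened", SAMPLE_HARDENED)):
        print(name, assess_transcript(t))
```

The distinction the code draws is the practical one in this thread: a 252 to every VRFY discloses nothing, yet a scanner that keys on "the server answers" will still flag it, whereas a 250 or a 550 "User unknown" is a real enumeration oracle. The only reply that satisfies both the scanner and the security goal is a 502-class refusal, which is what Postfix produces when its documented `disable_vrfy_command` parameter is set to `yes`; whether a given qmail build can be made to do the same is exactly the open question of the thread.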
 
No - I didn't read it - I couldn't find it! (Latest I could find was article for v9.5) - it seems impossible to see an index of those documents.

I will read it now, thank you!
 
qmail disable vrfy pci compliance

I got the same problem; I wasted a week on qmail with no result.

The link Igor @ proposed does not solve this particular issue with qmail. At least it's not yet included. So far I have found only feedback for Postfix, which is part of Plesk Panel, where you can disable it for sure.

So far only SecurityMetrics fails their clients on the PCI test based solely on the availability of the VRFY command. (5 points)

I asked them for some explanation of what email address verification (VRFY) has in common with Payment Card Industry standards (PCI). It just doesn't make sense to connect these two things together.
 