
Plesk 10.2 - FAILS PCI - qmail EXPN/VRFY

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by DickenW, Apr 26, 2011.

  1. DickenW

    Version: Parallels Plesk for Unix/Linux 10.2
    Operating System: Linux 2.6.18-53.1.21.el5

    Affected service: psa-qmail 1.03-cos5.build1011110330.18


    Our server is failing PCI Compliance checks because the mail daemon is responding to VRFY or EXPN requests.

    Security Metrics say:

    "Synopsis : It is possible to enumerate the names of valid users on the remote host. Description : The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information."

    According to the control panel the mail daemon operating is qmail. I cannot find any advice online on disabling EXPN and/or VRFY in qmail (in fact, most websites say qmail does not support these in the first place!).

    Any advice welcome!
     
  2. IgorG

  3. DickenW

    No - I didn't read it - I couldn't find it! (The latest I could find was an article for v9.5) - it seems impossible to see an index of those documents.

    I will read it now, thank you!
     
  4. MacroP

    qmail disable vrfy pci compliance

    I have the same problem; I wasted a week on qmail with no result.

    The link Igor proposed does not solve this particular issue with qmail. At least it's not yet included. So far I have found only feedback for Postfix, which is part of Plesk Panel, where you can disable it for sure.

    So far only Securitymetrics lets its clients fail the PCI test based on the VRFY command's availability only. (5 points)

    I asked them for an explanation of what email address verification (VRFY) has in common with Payment Card Industry (PCI) standards. It just doesn't make sense to connect these 2 things together.
     
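Added example, not part of the thread and not Plesk or qmail code: one way to triage a finding like the one quoted in the first post is to compare your own server's replies to VRFY/EXPN for a mailbox you know exists and one you know does not. The reply strings are constructed samples using RFC 5321 reply codes, and `parse_reply`, `classify` and `triage` are hypothetical helper names.

```python
import re

# RFC 5321 reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
REPLY_RE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

def parse_reply(raw):
    """Return (code, text) for one SMTP reply, which may span several lines."""
    code, parts = None, []
    for line in raw.splitlines():
        m = REPLY_RE.match(line.strip())
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changes inside one reply")
        code = m.group(1)
        parts.append(m.group(3) or "")
        if m.group(2) != "-":  # " " or a bare code ends the reply
            break
    if code is None:
        raise ValueError("empty reply")
    return int(code), " ".join(parts).strip()

def classify(reply_known, reply_unknown):
    """Compare replies to the same command for an existing and a non-existing mailbox."""
    known, _ = parse_reply(reply_known)
    unknown, _ = parse_reply(reply_unknown)
    if known != unknown:
        return "discloses"  # the reply code depends on whether the mailbox exists
    if 500 <= known <= 599:
        return "rejected"   # command refused or not implemented for both
    return "uniform"        # answered, but identically for both (e.g. 252)

# Constructed sample replies (not captured from a real server).
NONCOMMITTAL = "252 Cannot VRFY user, but will accept message and attempt delivery"
SAMPLES = {
    "VRFY confirms users": ("250 Jane Doe <jane@example.test>", "550 No such user here"),
    "VRFY non-committal": (NONCOMMITTAL, NONCOMMITTAL),
    "EXPN not implemented": ("502 Command not implemented", "502 Command not implemented"),
    "EXPN expands list": ("250-alice@example.test\r\n250 bob@example.test", "550 No such list"),
}

def triage(samples):
    """Map each sample name to its verdict."""
    return {name: classify(known, unknown) for name, (known, unknown) in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:22} {verdict}")
```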