
Plesk 10.2 - FAILS PCI - qmail EXPN/VRFY

DickenW

New Pleskian
Version: Parallels Plesk for Unix/Linux 10.2
Operating System: Linux 2.6.18-53.1.21.el5

Affected service: psa-qmail 1.03-cos5.build1011110330.18


Our server is failing PCI Compliance checks because the mail daemon is responding to VRFY or EXPN requests.

Security Metrics say:

"Synopsis : It is possible to enumerate the names of valid users on the remote host. Description : The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information."

According to the control panel the mail daemon operating is qmail. I cannot find any advice online on disabling EXPN and/or VRFY in qmail (in fact, most websites say qmail does not support these in the first place!).

Any advice welcome!
 
No - I didn't read it - I couldn't find it! (The latest I could find was the article for v9.5) - it seems impossible to see an index of those documents.

I will read it now, thank you!
 
qmail disable vrfy pci compliance

I got the same problem; I wasted a week on qmail with no result.

The link Igor proposed does not solve this particular issue with qmail. At least it's not yet included. So far I have found only feedback for Postfix, which is part of Plesk Panel, where you can disable it for sure.

So far only SecurityMetrics lets its clients fail the PCI test based on the VRFY command's availability alone. (5 points)

I asked them for an explanation of what email address verification (VRFY) has in common with Payment Card Industry (PCI) standards. It just doesn't make sense to connect these two things.
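The finding quoted in the first post, and the confusion in this one about what the scanner is actually measuring, come down to the reply codes a server sends to VRFY and EXPN. The script below is an added example, not code from this thread or from Plesk or qmail: it records those two replies from a mail server you operate and grades them the way a scanner does. Stock qmail-smtpd (qmail 1.03) answers VRFY with a non-committal "252 send some mail, i'll try my best" and EXPN with "502 unimplemented", and a scanner counts the 252 as the command being "answered", which is why a qmail box fails even though qmail never discloses whether a mailbox exists. The mock server, the `mock.example`/`check.example` hostnames and the `postmaster` mailbox are constructed for the demo.

```python
"""Grade an SMTP server's VRFY/EXPN replies the way a PCI scanner does.

Added example (not from the Plesk thread). The mock replies below are
modelled on stock qmail-smtpd 1.03 behaviour; hostnames are constructed.
"""
import socket
import threading

# Constructed reply lines, modelled on qmail 1.03's qmail-smtpd responses.
QMAIL_VRFY = "252 send some mail, i'll try my best"
QMAIL_EXPN = "502 unimplemented (#5.5.1)"


def classify(reply: str) -> str:
    """Map one SMTP reply to how a user-enumeration check reads it.

    2xx other than 252 -> 'disclosing'   (server confirms/denies the mailbox)
    252                -> 'noncommittal' (RFC 5321 'cannot verify, will accept';
                                          scanners still count it as answered)
    5xx                -> 'refused'      (command disabled; the desired state)
    """
    code = reply[:3]
    if len(code) != 3 or not code.isdigit():
        return "malformed"
    if code == "252":
        return "noncommittal"
    if code[0] == "2":
        return "disclosing"
    if code[0] == "5":
        return "refused"
    return "other"


def assess(vrfy_reply: str, expn_reply: str) -> dict:
    """Summarise a VRFY/EXPN reply pair; only 5xx on both counts as a pass."""
    verdicts = {"VRFY": classify(vrfy_reply), "EXPN": classify(expn_reply)}
    flagged = [cmd for cmd, verdict in verdicts.items() if verdict != "refused"]
    return {"verdicts": verdicts, "flagged": flagged, "passes": not flagged}


def _read_reply(rfile) -> str:
    """Read one (possibly multi-line) SMTP reply and return its final line."""
    while True:
        line = rfile.readline().decode("latin-1").rstrip("\r\n")
        if len(line) < 4 or line[3] != "-":   # 'NNN-' marks a continuation line
            return line


def probe(host: str, port: int, mailbox: str = "postmaster", timeout: float = 5.0) -> dict:
    """Connect to a mail server you operate and grade its VRFY/EXPN replies."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        _read_reply(rfile)                      # 220 banner
        replies = {}
        for cmd in ("HELO check.example", f"VRFY {mailbox}", f"EXPN {mailbox}", "QUIT"):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            replies[cmd.split()[0]] = _read_reply(rfile)
    return assess(replies["VRFY"], replies["EXPN"])


def serve_once(vrfy_reply: str, expn_reply: str) -> int:
    """Start a one-shot mock SMTP server on loopback; return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as rfile:
            conn.sendall(b"220 mock.example ESMTP\r\n")
            while True:
                verb = rfile.readline().decode("latin-1").split(" ")[0].strip().upper()
                if verb == "VRFY":
                    conn.sendall((vrfy_reply + "\r\n").encode("ascii"))
                elif verb == "EXPN":
                    conn.sendall((expn_reply + "\r\n").encode("ascii"))
                elif verb == "QUIT":
                    conn.sendall(b"221 mock.example closing\r\n")
                    break
                elif not verb:                  # client went away
                    break
                else:
                    conn.sendall(b"250 mock.example\r\n")
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Demo against the qmail-like mock: flagged == ['VRFY'], passes == False
    port = serve_once(QMAIL_VRFY, QMAIL_EXPN)
    print(probe("127.0.0.1", port))
```

Run it against your own server with `probe("127.0.0.1", 25)` after changing the mail configuration and again before the next scan; the `passes` field is true only when both commands draw a 5xx. For the Postfix case mentioned above, the corresponding setting is `disable_vrfy_command = yes` in main.cf (a real Postfix parameter; Postfix has no EXPN to begin with).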
 