• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.

Plesk 10.2 - FAILS PCI - qmail EXPN/VRFY

D

DickenW

New Pleskian
Version. Parallels Plesk for Unix/Linux 10.2
Operating System: Linux 2.6.18-53.1.21.el5

Affected service: psa-qmail 1.03-cos5.build1011110330.18


Our server is failing PCI Compliance checks because the mail daemon is responding to VRFY or EXPN requests.

Security Metrics say:

"Synopsis : It is possible to enumerate the names of valid users on the remote host. Description : The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information."

According to the control panel the mail daemon operating is qmail. I cannot find any advice online on disabling EXPN and/or VRFY in qmail (in fact, most websites say qmail does not support these in the first place!).

Any advice welcome!
 
No - I didn't read it - I couldn't find it! (Latest I could find was article for v9.5) - it seems impossible to see an index of those documents.

I will read it now, thank you!
 
qmail disable vrfy pci compliance

I got the same problem spoiled a week on qmail and no result.

The link Igor @ proposed do not solve this particular issue with qmail. At least its not yet included. So far i found only feedback for Postfix that is part of Plesk Panel where you can disable it for sure.

So far only Securitymetrics let their clients fail through the PCI Test based on the VRFY commands availability only. (5 Points)

I asked them for some explanations what a email address verification (VRFY) does have in common with Payment Card Industry standards (PCI). It just doesn make sense to connect these 2 things together.
 
You must log in or register to reply here.

Similar threads

iain
Question PCI compliance - Postfix EXPN/VRFY issue
Replies
1
Views
814
iain
iain
D
Resolved Qmail Cannot Receive Mail: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)
Replies
2
Views
3K
DaveDoesStuff
D
D
Plesk 10.4.4 --> 11/5/3 update fails due to php53-common/php-common issues
Replies
1
Views
2K
Roberto1
R
D
PCI compliance still fails due to SSL Renegotiation DoS vulnerability in Qmail/IMAP
Replies
2
Views
3K
DragonAss
D
J
Broken redirection in Plesk 10.4.4 Linux Postfix - broken pipe, LOG found problem
Replies
1
Views
2K
jorge ceballos
J
Back
Top