Facebook
TwitterVersion. Parallels Plesk for Unix/Linux 10.2
Operating System: Linux 2.6.18-53.1.21.el5
Affected service: psa-qmail 1.03-cos5.build1011110330.18
Our server is failing PCI Compliance checks because the mail daemon is responding to VRFY or EXPN requests.
Security Metrics say:
"Synopsis : It is possible to enumerate the names of valid users on the remote host. Description : The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information."
According to the control panel the mail daemon operating is qmail. I cannot find any advice online on disabling EXPN and/or VRFY in qmail (in fact, most websites say qmail does not support these in the first place!).
Any advice welcome!
Operating System: Linux 2.6.18-53.1.21.el5
Affected service: psa-qmail 1.03-cos5.build1011110330.18
Our server is failing PCI Compliance checks because the mail daemon is responding to VRFY or EXPN requests.
Security Metrics say:
"Synopsis : It is possible to enumerate the names of valid users on the remote host. Description : The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information."
According to the control panel the mail daemon operating is qmail. I cannot find any advice online on disabling EXPN and/or VRFY in qmail (in fact, most websites say qmail does not support these in the first place!).
Any advice welcome!
