The issue isn't that the capabilities are displayed - the issue is that information like the host name and the time are displayed. Here are a couple of examples of why both of these are important:
1) In this particular instance, I have a server that sits behind a host-based firewall that serves IMAP and POP. The packets for these services are NATed through the firewall box. What this means is that if you were to telnet to ports 143 or 110, you would see what the hostname is of the server serving these services which is different from the hostname of the firewall box. This is an extra piece of information that the hacker can use.
2) Some time-based security mechanisms can be defeated if you know what the time is on the remote system. An example of this is the hole located a while back in SSL (which Netscape created) that had the key based on the system clock. If you could figure out what the time was on the remote system, you could possibly defeat SSL.
These are just two good examples of why I don't want this information displayed. I don't believe in security through obscurity, but you have to take a holistic approach to security and denying hackers extra information and making it not worth their while might be worthwhile to the system owners. I really don't have anything serious to protect - I just don't want some bozo bringing my systems down through ignorance or maliciousness and then have to spend the time to get them back up.
BTW, I just modified the code and commented out all these pieces of information and recompiled. Everything seems to be working fine....
DINH Viet Hoa wrote:
That's exactly what I was concerned about as well as the time information. I found where it is embedded in the code, but is there a way to customize/remove this information (not the capabilities info) using a config file?
What is the security issue about it? I don't really see what is the problem when people know that on your server, you can logon CRAM-MD5, do STARTTLS or login plain-text.
-- Jesse W. Asher [EMAIL PROTECTED]
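
An added example, not part of the original message and not code from the mail server under discussion: a small check an administrator could run over the IMAP/POP3 greeting lines their own server emits, to confirm that a banner no longer exposes a backend hostname or the server clock while the capability list stays in place. The sample greetings, the hostnames and the `audit_greeting` helper are constructed for illustration; the `<process-ID.clock@hostname>` form is the APOP timestamp example from RFC 1939.

```python
import re

# Capability lists in [...] are deliberately ignored: per the message above,
# advertising CRAM-MD5 / STARTTLS is not the concern.
CAPS = re.compile(r"\[[^\]]*\]")
# Dotted host names (labels followed by an alphabetic top-level label).
FQDN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
# Wall-clock time such as 10:15:42 in a "ready at <date>" style greeting.
CLOCK = re.compile(r"\b\d{1,2}:\d{2}:\d{2}\b")
# POP3 APOP timestamp, e.g. <1896.1046790942@host>: PID, epoch clock, host.
APOP = re.compile(r"<\d+\.\d{9,10}@")

def audit_greeting(banner, public_name):
    """Report what a greeting line discloses beyond its capabilities.

    public_name is the name clients connect to (the firewall/NAT address);
    any other host name in the banner reveals the machine behind it.
    """
    text = CAPS.sub("", banner)
    hosts = {h.lower() for h in FQDN.findall(text)}
    hosts.discard(public_name.lower())
    clock = bool(CLOCK.search(text) or APOP.search(text))
    return {"hostnames": sorted(hosts), "clock": clock}

# Constructed sample greetings (not captured from any real server).
SAMPLES = {
    "imap_default": "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5] "
                    "mail-int01.corp.example.net IMAP4rev1 ready at "
                    "Tue, 4 Mar 2003 10:15:42 -0500",
    "pop3_apop": "+OK POP3 server ready "
                 "<1896.1046790942@mail-int01.corp.example.net>",
    "imap_trimmed": "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5] "
                    "IMAP4rev1 ready",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(name, audit_greeting(banner, "mail.example.net"))
```

The APOP case shows that the hostname and clock can remain visible through the authentication timestamp even after the human-readable part of the greeting has been trimmed.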
