On Wed, Nov 29, 2023 at 03:00:24PM +1100, duluxoz via Postfix-users wrote:
I was reading an on-line guide about hardening Postfix and came across
a line that said that the Verify service could/should be turned off in
the master.cf file.

Is this actually good advice, or is there some sort of "gotcha" hiding in
the background that'll bite us in the @rse?

On 29/11/2023 15:38, Viktor Dukhovni via Postfix-users wrote:
The advice is largely misguided, but mostly harmless, if you don't use
sender or recipient verification.  Leaving the service enabled does
not materially affect the Postfix "attack surface", but turning it off when
unused is fine too.

On 29.11.23 16:28, duluxoz via Postfix-users wrote:
For what it's worth, it is my opinion that misguided information, harmless or otherwise, is worse than useless, because it encourages bad habits which then enter the zeitgeist and perpetuate (see mandatory rotating passwords every 90 days) :-)

On 29/11/2023 19:45, Matus UHLAR - fantomas via Postfix-users wrote:
I completely agree, perhaps if you sent us a link we could comment.

There is of course the security practice of turning off everything you don't use, but in the case of verify, it is only used when you configure it, so commenting it out in master.cf means disabling it, not just turning it off.

On 29.11.23 19:49, duluxoz via Postfix-users wrote:
As requested :-)

https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/

This talks about the "VRFY" SMTP command, not about the "verify service", which is a very different issue.
http://www.postfix.org/postconf.5.html#disable_vrfy_command

Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.
The harvesting is rarely done this way nowadays.
It also won't stop harvesting by issuing the "rcpt to:" SMTP command.

So, it's useless but harmless as well.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
He who laughs last thinks slowest.
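
The distinction drawn in this thread (the `disable_vrfy_command` setting versus the `verify` service in master.cf, which only matters once sender or recipient verification is configured) can be checked mechanically. The following is an added example, not part of any poster's message: the function names and the sample configuration text are constructed for illustration, and it assumes standard main.cf/master.cf line syntax.

```python
import re

# Restrictions that make smtpd(8) query the verify(8) service.
VERIFY_USERS = {"reject_unverified_sender", "reject_unverified_recipient"}

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main_cf(text):
    """Return {parameter: value}; a later setting overrides an earlier one."""
    params = {}
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def verify_service_enabled(master_text):
    """True if an uncommented master.cf entry runs the verify daemon."""
    return any(len(f) >= 8 and f[0] == "verify" and f[7] == "verify"
               for f in (l.split() for l in logical_lines(master_text)))

def audit(main_text, master_text):
    params = parse_main_cf(main_text)
    used = sorted({tok for value in params.values()
                   for tok in re.split(r"[,\s]+", value) if tok in VERIFY_USERS})
    enabled = verify_service_enabled(master_text)
    return {
        "vrfy_command_disabled": params.get("disable_vrfy_command", "no").lower() == "yes",
        "verify_service_enabled": enabled,
        "verification_in_use": used,
        # Verification is configured but the service it needs is commented out.
        "broken": bool(used) and not enabled,
    }

# Constructed sample configuration (not taken from any real host).
SAMPLE_MAIN = """disable_vrfy_command = yes
smtpd_recipient_restrictions =
    permit_mynetworks, reject_unauth_destination,
    reject_unverified_recipient
"""
SAMPLE_MASTER = """smtp      inet  n  -  n  -  -  smtpd
#verify   unix  -  -  n  -  1  verify
"""
```

On a live system the same inputs come from the files under the Postfix configuration directory; the `broken` flag marks the one case where commenting out the service actually changes behaviour.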