On 5/3/2011 10:34 AM, Roger Goh wrote:
Hi,

During a VA scan, it's reported that my postfix server has
a security vulnerability :

    EhloCheck: SMTP daemon supports EHLO

EHLO is not a security vulnerability, rather it is a standard feature of SMTP (not just postfix, but all mail servers).

Further, EHLO is required for features such as STARTTLS and AUTH.

Disregard the report, and be suspicious of any other vulnerabilities reported by that tool.


  -- Noel Jones



1. How can I disable EHLO & still send/receive mails?

2. Or is there a later version of postfix (let me know the
     version) that addresses this or any patch to apply?

3. Or can this vulnerability be explained away, as it's ever
     present in all postfix versions?


Below are the current configs of my postfix server:

# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
bounce_size_limit = 65536
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = yyyyyyyy.com
default_privs = nobody
default_transport = smtp
header_size_limit = 32768
html_directory = /usr/share/doc/postfix-2.5.6-documentation/html
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /big_partitn/spool/mail
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost
mydomain = yyyyyyyy.com
myhostname = pfixsvr.yyyyyyyy.com
mynetworks = 172.16.20.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /big_partitn/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6-documentation/readme
relay_domains = $mydestination
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP POSTFIX
smtpd_delay_reject = yes
smtpd_recipient_limit = 500
smtpd_recipient_restrictions = permit_mynetworks,   permit_sasl_authenticated,
                check_client_access hash:/etc/postfix/rbl_override,
                reject_unauth_destination,
                                reject_rbl_client dsn.rfc-ignorant.org,
                permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_timeout = 360
soft_bounce = no
unknown_local_recipient_reject_code = 550

============================================

# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Thu Mar 17 18:10:18 SGT 2011
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.5.6
System: Red Hat Enterprise Linux ES release 4 (Nahant Update 2)

-- smtpd is linked to --
        libsasl2.so.2 =>  /usr/lib/libsasl2.so.2 (0x47b72000)

-- active SMTP AUTH and TLS parameters for smtpd --
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

. . . . .
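
Added example, not part of the original thread: a small Python parser for the multi-line EHLO reply, showing that EHLO only advertises extensions such as STARTTLS and AUTH, so a scanner's findings should come from what is advertised rather than from EHLO support itself. The sample replies, the host name `mail.example.test` and the rule in `findings` are constructed for illustration.

```python
import re

# Constructed sample replies (not captured from the server in this thread).
EHLO_CLEARTEXT_AUTH = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 51200000\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)
EHLO_TLS_FIRST = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

LINE_RE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo(reply):
    """Return (greeting_domain, {KEYWORD: [params]}) from a 250 EHLO reply."""
    lines = [l for l in reply.splitlines() if l]
    if not lines:
        raise ValueError("empty reply")
    domain, ext = None, {}
    for i, line in enumerate(lines):
        m = LINE_RE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError("not a positive EHLO reply: %r" % line)
        # "250-" marks a continuation line, "250 " the final line.
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError("malformed multi-line reply at %r" % line)
        words = m.group(3).split()
        if i == 0:
            domain = words[0] if words else ""
        elif words:
            ext[words[0].upper()] = words[1:]
    return domain, ext

def findings(ext):
    """Hypothetical scanner rule: EHLO support itself is never a finding."""
    out = []
    if "AUTH" in ext and "STARTTLS" not in ext:
        out.append("AUTH advertised but STARTTLS is not")
    return out

if __name__ == "__main__":
    for sample in (EHLO_CLEARTEXT_AUTH, EHLO_TLS_FIRST):
        domain, ext = parse_ehlo(sample)
        print(domain, sorted(ext), findings(ext))
```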
