Hello,
I asked about message 252 yesterday and was told that to have the smtp
server not vrfy users was a security feature. I do understand this
perfectly. But shouldn't this be an option for the sysadmin to turn off
and on or to have a deny file to only allow certain people to access the
vrfy command? According to different RFCs (below) this is the recommended
form to handle vrfy. I am not an email guru, only a self-taught
mini-sysadmin and I am just trying to figure out what is better. Because of
lack of guru knowledge I must use the RFCs to see the standards and try to
make sure that my system follows these standards, and to allow for the most
secure system possible. There are times that I need to vrfy users from
remote and in the past the easiest and only form I knew was through the
smtp server, but now using qmail it is impossible. I would just like to
understand why qmail does not allow this to be an option as in sendmail.
-------------------- RFC -----------------------
>RFC2505
>February 1999
>Category: Best Current Practice
>2.11. SMTP VRFY and EXPN
>
> Both SMTP VRFY and EXPN provide means for a potential spammer to test
> whether the addresses on his list are valid (VRFY) and even get more
> addresses (EXPN). Therefore, the MTA SHOULD control who is allowed
> to issue these commands. This may be "on/off" or it may use access
> lists similar to those mentioned previously.
>
> Note that the "VRFY" command is required according to RFC821, [1].
> The response can, though, be "252 Argument not checked" to represent
> "off" or blocked via an access list. This should be the default.
>
> Default for the "EXPN" command should be "off".
>
>
>RFC1123 MAIL -- SMTP & RFC-822 October 1989
>
> CNAME.
>
> 5.2.3 VRFY and EXPN Commands: RFC-821 Section 3.3
>
> A receiver-SMTP MUST implement VRFY and SHOULD implement EXPN
> (this requirement overrides RFC-821). However, there MAY be
> configuration information to disable VRFY and EXPN in a
> particular installation; this might even allow EXPN to be
> disabled for selected lists.
>
> A new reply code is defined for the VRFY command:
>
> 252 Cannot VRFY user (e.g., info is not local), but will
> take message for this user and attempt delivery.
>
> DISCUSSION:
> SMTP users and administrators make regular use of these
> commands for diagnosing mail delivery problems. With the
> increasing use of multi-level mailing list expansion
> (sometimes more than two levels), EXPN has been
> increasingly important for diagnosing inadvertent mail
> loops. On the other hand, some feel that EXPN represents
> a significant privacy, and perhaps even a security,
> exposure.
>
>
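
Added example, not part of the original post and not qmail or sendmail code: a sketch of the VRFY handling the RFC 2505 excerpt describes, with an on/off switch plus an access list and "252 Argument not checked" for everyone else. The networks, the user table, the function names and the 250/550/501 reply texts are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the post).
VRFY_ALLOW = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
LOCAL_USERS = {"alice": "Alice Example <alice@example.org>"}


def client_allowed(client_ip, allow=VRFY_ALLOW):
    """True if the connecting address falls inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable peer address: treat as not allowed
    return any(addr in net for net in allow)


def vrfy_reply(line, client_ip, vrfy_enabled=True):
    """Return the SMTP reply line for one VRFY command from client_ip."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "VRFY":
        raise ValueError("not a VRFY command")
    arg = arg.strip()
    if not arg:
        return "501 Syntax: VRFY <address>"
    # "Off", or blocked by the access list: same 252 whether or not the
    # mailbox exists, so the reply cannot be used to test an address list.
    if not vrfy_enabled or not client_allowed(client_ip):
        return "252 Argument not checked"
    # Allow-listed client: answer truthfully for remote diagnosis.
    local_part = arg.strip("<>").partition("@")[0].lower()
    if local_part in LOCAL_USERS:
        return "250 " + LOCAL_USERS[local_part]
    return "550 No such user here"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5"):
        for cmd in ("VRFY alice", "VRFY nobody"):
            print(ip, cmd, "->", vrfy_reply(cmd, ip))
```

A client outside the allow list gets the identical 252 for existing and non-existing mailboxes, while an administrator connecting from an allow-listed network still gets a real answer.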