Re: Question regarding VRFY
On 2018-03-01 08:14, John Fawcett wrote:
> On 01/03/18 05:09, J Doe wrote:
>> Hi John,
>>
>>> On Feb 27, 2018, at 3:25 PM, John Fawcett wrote:
>>> I can't think of a compelling reason either to enable VRFY or to disable
>>> it. Disabling it stops people abusing it, but then they can just use
>>> RCPT TO to get the same information in most cases. I disabled it since I
>>> can't see any use for it.
>>>
>>> John
>> That is a valid point - I believe the VRFY RFC observed the same thing: that
>> RCPT TO can be used in a similar fashion.
>>
>> Performing an EHLO to both Gmail and Hotmail/Outlook shows that they both
>> disable it, which I would expect, but do they implement a policy of a certain
>> number of invalid RCPT TO cause the connection to terminate ?
>>
>> I know there is a setting for the number of “junk commands” received in
>> Postfix, but that is different. Is there a method via main.cf for
>> restricting RCPT TO abuse ?
>>
>> Thanks,
>>
>> - J
> These settings control behaviour of the smtpd server for number of
> errors (including RCPT TO errors)
>
> smtpd_soft_error_limit
> smtpd_error_sleep_time
> smtpd_hard_error_limit
>
> The following setting controls how many RCPT TO commands can be sent per
> unit of time
>
> smtpd_client_recipient_rate_limit

Are there any recommendations or guidelines how to set values for that
family of settings? They are all turned off by default as you see here:
http://www.postfix.org/TUNING_README.html#conn_limit
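One way to ground values for these limits is to measure, from existing smtpd logs, how many unknown-recipient (5.1.1) RCPT rejections each client produces per time window. The script below is an added example, not part of the thread or of Postfix; the log lines are constructed, and the function names, the 60-second window and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches Postfix smtpd "User unknown" rejections: captures timestamp and client IP.
REJECT_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?:\S+/)?smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[([^\]]+)\]: 5\d\d 5\.1\.1 ")

def _line(ts, ip, rcpt):
    """Build one constructed log line in Postfix smtpd syslog format."""
    return (f"Mar  1 {ts} mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            f"User unknown in local recipient table; to=<{rcpt}> proto=ESMTP")

# Constructed sample: one client guessing addresses, one client with a single typo.
SAMPLE_LOG = "\n".join([
    "Mar  1 08:14:00 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]",
    _line("08:14:01", "192.0.2.10", "admin@example.com"),
    _line("08:14:02", "192.0.2.10", "info@example.com"),
    _line("08:14:04", "192.0.2.10", "sales@example.com"),
    _line("08:14:05", "192.0.2.10", "test@example.com"),
    _line("08:14:09", "192.0.2.10", "root@example.com"),
    _line("08:15:00", "198.51.100.7", "jon@example.com"),
    _line("08:16:30", "192.0.2.10", "hr@example.com"),
])

def peak_unknown_rcpt(log_text, window_s=60, year=2018):
    """Return {client_ip: most 5.1.1 RCPT rejects seen in any window_s span}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits[m.group(2)].append(ts)
    peaks = {}
    for ip, times in hits.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] >= timedelta(seconds=window_s):
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def flag_clients(peaks, limit):
    """Clients whose peak exceeds a candidate per-window limit."""
    return sorted(ip for ip, n in peaks.items() if n > limit)

if __name__ == "__main__":
    print(flag_clients(peak_unknown_rcpt(SAMPLE_LOG), limit=3))
```

Running it over a few weeks of real logs shows what peak legitimate clients reach, so a candidate limit can be checked against them before it is set in main.cf.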
Re: Question regarding VRFY
On 01/03/18 05:09, J Doe wrote:
> Hi John,
>
>> On Feb 27, 2018, at 3:25 PM, John Fawcett wrote:
>> I can't think of a compelling reason either to enable VRFY or to disable
>> it. Disabling it stops people abusing it, but then they can just use
>> RCPT TO to get the same information in most cases. I disabled it since I
>> can't see any use for it.
>>
>> John
> That is a valid point - I believe the VRFY RFC observed the same thing: that
> RCPT TO can be used in a similar fashion.
>
> Performing an EHLO to both Gmail and Hotmail/Outlook shows that they both
> disable it, which I would expect, but do they implement a policy of a certain
> number of invalid RCPT TO cause the connection to terminate ?
>
> I know there is a setting for the number of “junk commands” received in
> Postfix, but that is different. Is there a method via main.cf for
> restricting RCPT TO abuse ?
>
> Thanks,
>
> - J

These settings control behaviour of the smtpd server for number of
errors (including RCPT TO errors)

smtpd_soft_error_limit
smtpd_error_sleep_time
smtpd_hard_error_limit

The following setting controls how many RCPT TO commands can be sent per
unit of time

smtpd_client_recipient_rate_limit

In general you will only be able to slow down recipient verification,
not prevent it. Nowadays I don't believe that address verification abuse
is a significant problem.

John
Re: Question regarding VRFY
Hi John,

> On Feb 27, 2018, at 3:25 PM, John Fawcett wrote:
> I can't think of a compelling reason either to enable VRFY or to disable
> it. Disabling it stops people abusing it, but then they can just use
> RCPT TO to get the same information in most cases. I disabled it since I
> can't see any use for it.
>
> John

That is a valid point - I believe the VRFY RFC observed the same thing: that
RCPT TO can be used in a similar fashion.

Performing an EHLO to both Gmail and Hotmail/Outlook shows that they both
disable it, which I would expect, but do they implement a policy of a certain
number of invalid RCPT TO cause the connection to terminate ?

I know there is a setting for the number of “junk commands” received in
Postfix, but that is different. Is there a method via main.cf for
restricting RCPT TO abuse ?

Thanks,

- J
Re: Question regarding VRFY
On 27/02/18 20:36, J Doe wrote:
> Hi,
>
> I read in both the Postfix man file (man 5 postconf), and the SMTP RFC
> (5321), that VRFY can be disabled on a site-by-site basis.
>
> I disabled this on my server for port 25 but am wondering if I should leave
> this enabled on my Postfix instance that provides submission (587) ? I have
> confirmed that by editing main.cf and master.cf it is only available on
> submission and requires SASL authentication before working.
>
> Are there modern MUA’s that authenticated users may use that make use of VRFY
> (perhaps by checking e-mail address validity before sending, while the
> message body is still being composed), or am I better off leaving it disabled
> everywhere ?
>
> Thanks,
>
> - J

I can't think of a compelling reason either to enable VRFY or to disable
it. Disabling it stops people abusing it, but then they can just use
RCPT TO to get the same information in most cases. I disabled it since I
can't see any use for it.

John
Question regarding VRFY
Hi,

I read in both the Postfix man file (man 5 postconf), and the SMTP RFC
(5321), that VRFY can be disabled on a site-by-site basis.

I disabled this on my server for port 25 but am wondering if I should leave
this enabled on my Postfix instance that provides submission (587) ? I have
confirmed that by editing main.cf and master.cf it is only available on
submission and requires SASL authentication before working.

Are there modern MUA’s that authenticated users may use that make use of VRFY
(perhaps by checking e-mail address validity before sending, while the
message body is still being composed), or am I better off leaving it disabled
everywhere ?

Thanks,

- J