Re: security vulnerability : SMTP daemon supports EHLO

2011-05-04 Thread Ralf Hildebrandt
* Roger Goh gpro...@gmail.com: Hi, During a VA scan, it's reported that my postfix server has a security vulnerability : EhloCheck: SMTP daemon supports EHLO That is NOT a vulnerability. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin

security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Roger Goh
Hi, During a VA scan, it's reported that my postfix server has a security vulnerability : EhloCheck: SMTP daemon supports EHLO 1. How can I disable EHLO and still send/receive mails? 2. Or is there a later version of postfix (let me know the version) that addresses this or any patch to

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Roger Goh
1 more question: if there's a way to disable EHLO or fixing it via a patch, how do I verify (without running VA scan) that this EHLO vulnerability has been fixed? TIA Roger

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Roger B.A. Klorese
On May 3, 2011, at 8:42 AM, Roger Goh wrote: 1 more question: if there's a way to disable EHLO or fixing it via a patch, how do I verify (without running VA scan) that this EHLO vulnerability has been fixed? What vulnerability?! Who doesn't use EHLO?!?! Perhaps you should use a

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Noel Jones
On 5/3/2011 10:34 AM, Roger Goh wrote: Hi, During a VA scan, it's reported that my postfix server has a security vulnerability : EhloCheck: SMTP daemon supports EHLO EHLO is not a security vulnerability, rather it is a standard feature of SMTP (not just postfix, but all mail servers).

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Reindl Harald
On 03.05.2011 17:34, Roger Goh wrote: Hi, During a VA scan, it's reported that my postfix server has a security vulnerability : EhloCheck: SMTP daemon supports EHLO where exactly is the security hole? you should not trust the output of every tool blindly without trying to understand

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Roger B.A. Klorese
On May 3, 2011, at 8:49 AM, Reindl Harald wrote: On 03.05.2011 17:34, Roger Goh wrote: Hi, During a VA scan, it's reported that my postfix server has a security vulnerability : EhloCheck: SMTP daemon supports EHLO where exactly is the security hole? you should not trust the output of every tool blindly

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Rich Wales
During a VA scan, it's reported that my postfix server has a security vulnerability : EhloCheck: SMTP daemon supports EHLO As Roger Klorese pointed out, there is an advertised, fuzzy vulnerability advisory out there regarding EHLO. However, as Noel Jones indicated, EHLO is a standard part of

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Roger Goh
Ok, ok, no offence intended. Can we mitigate it somewhat like what Roger Klorese suggested, eg: restrict the info EHLO reveals or don't reveal actual hostname : smtp_helo_name ($myhostname) Use a fictitious hostname to send in the SMTP EHLO or HELO command ( how do I do

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Roger Goh
from the url Roger Klorese provided, http://www.iss.net/security_center/reference/vuln/smtp-ehlo.htm it says : SMTP daemons that support Extended HELO (EHLO) can release information that could be useful to an attacker in performing an attack. Attackers have been known to use the EHLO command

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Wietse Venema
Roger Goh: Hi, During a VA scan, it's reported that my postfix server has a security vulnerability : EhloCheck: SMTP daemon supports EHLO EHLO is required by the SMTP standard (RFC 5321). Wietse

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Rich Wales
Can we mitigate it somewhat like what Roger Klorese suggested, eg: restrict the info EHLO reveals or don't reveal actual hostname : All the configuration items you mentioned are things that affect what your Postfix will or won't do as a client talking to other servers. These configuration

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Rich Wales
So what other 'vulnerable' configuration information EHLO reveals how they can disabled/mitigated/fabricated ? You may want to suppress the SIZE information (maximum size of a message that your server will accept). Some hackers might take this as a challenge and try to exploit it in a

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Victor Duchovni
On Tue, May 03, 2011 at 10:00:58AM -0700, Rich Wales wrote: So what other 'vulnerable' configuration information EHLO reveals how they can disabled/mitigated/fabricated ? You may want to suppress the SIZE information (maximum size of a message that your server will accept). Some hackers

RE: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Murray S. Kucherawy
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Rich Wales Sent: Tuesday, May 03, 2011 9:18 AM To: postfix users Subject: Re: security vulnerability : SMTP daemon supports EHLO I can imagine that some hackers might

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Rich Wales
You may want to suppress the SIZE information . . . . No, this is silly, one is better off advertising the maximum size to avoid the vast majority of unnecessary partial transmission of overly large messages. An attacker can tie up SMTP server resources whether the SIZE limit is known or not.

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Victor Duchovni
On Tue, May 03, 2011 at 11:15:57AM -0700, Rich Wales wrote: A followup question. If I suppress the advertising of an extended feature by listing it in smtpd_discard_ehlo_keywords, does that also disable the feature? Or do I have to do other things to actually turn a feature off and make it

Re: security vulnerability : SMTP daemon supports EHLO

2011-05-03 Thread Reindl Harald
On 03.05.2011 19:00, Rich Wales wrote: So what other 'vulnerable' configuration information EHLO reveals how they can disabled/mitigated/fabricated ? You may want to suppress the SIZE information (maximum size of a message that your server will accept). Some hackers might take this as