Re: Question regarding VRFY

2018-03-01 Thread MRob

On 2018-03-01 08:14, John Fawcett wrote:

> On 01/03/18 05:09, J Doe wrote:
>
>> Hi John,
>>
>>> On Feb 27, 2018, at 3:25 PM, John Fawcett  wrote:
>>> I can't think of a compelling reason either to enable VRFY or to disable
>>> it. Disabling it stops people abusing it, but then they can just use
>>> RCPT TO to get the same information in most cases. I disabled it since I
>>> can't see any use for it.
>>>
>>> John
>> That is a valid point - I believe the VRFY RFC observed the same
>> thing: that RCPT TO can be used in a similar fashion.
>>
>> Performing an EHLO to both Gmail and Hotmail/Outlook shows that they
>> both disable it, which I would expect, but do they implement a policy
>> where a certain number of invalid RCPT TO commands cause the connection
>> to terminate?
>>
>> I know there is a setting for the number of "junk commands" received
>> in Postfix, but that is different.  Is there a method via main.cf for
>> restricting RCPT TO abuse?
>>
>> Thanks,
>>
>> - J
>
> These settings control the behaviour of the smtpd server for the number of
> errors (including RCPT TO errors)
>
>     smtpd_soft_error_limit
>
>     smtpd_error_sleep_time
>
>     smtpd_hard_error_limit
>
> The following setting controls how many RCPT TO commands can be sent per
> unit of time
>
>     smtpd_client_recipient_rate_limit


Are there any recommendations or guidelines on how to set values for that 
family of settings? They are all turned off by default, as you see here:

http://www.postfix.org/TUNING_README.html#conn_limit


Re: Question regarding VRFY

2018-03-01 Thread John Fawcett
On 01/03/18 05:09, J Doe wrote:
> Hi John,
>
>> On Feb 27, 2018, at 3:25 PM, John Fawcett  wrote:
>> I can't think of a compelling reason either to enable VRFY or to disable
>> it. Disabling it stops people abusing it, but then they can just use
>> RCPT TO to get the same information in most cases. I disabled it since I
>> can't see any use for it.
>>
>> John
> That is a valid point - I believe the VRFY RFC observed the same thing: that 
> RCPT TO can be used in a similar fashion.
>
> Performing an EHLO to both Gmail and Hotmail/Outlook shows that they both 
> disable it, which I would expect, but do they implement a policy where a 
> certain number of invalid RCPT TO commands cause the connection to terminate?
>
> I know there is a setting for the number of "junk commands" received in 
> Postfix, but that is different.  Is there a method via main.cf for 
> restricting RCPT TO abuse?
>
> Thanks,
>
> - J

These settings control the behaviour of the smtpd server for the number of
errors (including RCPT TO errors)

    smtpd_soft_error_limit

    smtpd_error_sleep_time

    smtpd_hard_error_limit 

The following setting controls how many RCPT TO commands can be sent per
unit of time

    smtpd_client_recipient_rate_limit

In general you will only be able to slow down recipient verification,
not prevent it. Nowadays I don't believe that address verification abuse
is a significant problem.

John

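An added example, not from the thread or from the Postfix documentation, of how the four parameters John lists fit together in main.cf, together with the `disable_vrfy_command` setting behind the port-25 versus submission split J Doe describes in the opening question at the bottom of this page. The numeric values are illustrative choices, not recommendations from the list; the defaults quoted in the comments are Postfix's own (soft limit 10, hard limit 20 when not under stress, sleep time 1s, recipient rate limit 0 meaning unlimited, anvil_rate_time_unit 60s). The `smtpd_recipient_restrictions` override on the submission service assumes that Postfix evaluates VRFY against the recipient restrictions, which matches the behaviour J Doe reports (VRFY only answers after SASL authentication).

```ini
# --- main.cf ---

# Refuse VRFY on every smtpd instance; the submission entry in master.cf
# re-enables it below for authenticated clients only.
disable_vrfy_command = yes

# Per-session error counters. Postfix defaults: soft 10, hard 20 (1 under
# stress), sleep 1s. Past the soft limit every server response is delayed
# by smtpd_error_sleep_time; at the hard limit the session is closed and
# "too many errors after RCPT from ..." is logged.
smtpd_soft_error_limit = 5
smtpd_error_sleep_time = 5s
smtpd_hard_error_limit = 10

# RCPT TO commands per client per anvil_rate_time_unit. The default of 0
# (unlimited) is the setting that leaves RCPT TO probing unthrottled.
# 100 per minute is an illustrative value; size it for your own traffic.
anvil_rate_time_unit = 60s
smtpd_client_recipient_rate_limit = 100
# Do not rate-limit your own networks (this is already the default).
smtpd_client_event_limit_exceptions = $mynetworks

# --- master.cf ---

# Port 25 inherits everything above: no VRFY, throttled RCPT TO.
smtp       inet  n  -  y  -  -  smtpd

# Port 587: VRFY allowed again, but only after SASL authentication, and
# no recipient rate limit for authenticated users.
submission inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_recipient_rate_limit=0
  -o disable_vrfy_command=no
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

After changing these, `postfix reload` and watch the mail log: a client that keeps probing will first show slowed responses, then a `too many errors after RCPT` disconnect, and once the rate limit is hit a `450 4.7.1 ... Recipient address rate limit exceeded` reply. As John notes, this only slows enumeration down; it does not stop it.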


Re: Question regarding VRFY

2018-02-28 Thread J Doe
Hi John,

> On Feb 27, 2018, at 3:25 PM, John Fawcett  wrote:
> I can't think of a compelling reason either to enable VRFY or to disable
> it. Disabling it stops people abusing it, but then they can just use
> RCPT TO to get the same information in most cases. I disabled it since I
> can't see any use for it.
> 
> John

That is a valid point - I believe the VRFY RFC observed the same thing: that 
RCPT TO can be used in a similar fashion.

Performing an EHLO to both Gmail and Hotmail/Outlook shows that they both 
disable it, which I would expect, but do they implement a policy where a 
certain number of invalid RCPT TO commands cause the connection to terminate?

I know there is a setting for the number of "junk commands" received in 
Postfix, but that is different.  Is there a method via main.cf for restricting 
RCPT TO abuse?

Thanks,

- J


Re: Question regarding VRFY

2018-02-27 Thread John Fawcett
On 27/02/18 20:36, J Doe wrote:
> Hi,
>
> I read in both the Postfix man file (man 5 postconf), and the SMTP RFC 
> (5321), that VRFY can be disabled on a site-by-site basis.
>
> I disabled this on my server for port 25 but am wondering if I should leave 
> this enabled on my Postfix instance that provides submission (587)?  I have 
> confirmed that by editing main.cf and master.cf it is only available on 
> submission and requires SASL authentication before working.
>
> Are there modern MUAs that authenticated users may use that make use of VRFY 
> (perhaps by checking e-mail address validity before sending, while the 
> message body is still being composed), or am I better off leaving it disabled 
> everywhere?
>
> Thanks,
>
> - J

I can't think of a compelling reason either to enable VRFY or to disable
it. Disabling it stops people abusing it, but then they can just use
RCPT TO to get the same information in most cases. I disabled it since I
can't see any use for it.

John


Question regarding VRFY

2018-02-27 Thread J Doe
Hi,

I read in both the Postfix man file (man 5 postconf), and the SMTP RFC (5321), 
that VRFY can be disabled on a site-by-site basis.

I disabled this on my server for port 25 but am wondering if I should leave 
this enabled on my Postfix instance that provides submission (587)?  I have 
confirmed that by editing main.cf and master.cf it is only available on 
submission and requires SASL authentication before working.

Are there modern MUAs that authenticated users may use that make use of VRFY 
(perhaps by checking e-mail address validity before sending, while the message 
body is still being composed), or am I better off leaving it disabled 
everywhere?

Thanks,

- J