On 2017-11-05 Paul Graham <[email protected]> wrote: > Package: exim4-config > Version: 4.90~RC1-1 > Severity: normal
> Dear Maintainer, > *** Reporter, please consider answering these questions, where appropriate *** > * What led up to the situation? > This recently came up in Exim logs: > 2017-11-03 16:22:39 H=(ws2008) [10.20.30.40] F=<[email protected]> > rejected RCPT <[email protected]>: Sender verify failed [...] > It reveals that an attacker took advantage that sender verification happens > before relay checks to perform a brute force scan that revealed valid > addresses in our domain. > * What exactly did you do (or not do) that was effective (or > ineffective)? > We moved sender verification so that it happens after relay check. > * What was the outcome of this action? > After this change, it's no longer possible for an attacker to use this > technique to extract information. All their attempts would result in "relay > not permitted" regardless of sender address. [...] I do not see the attacker gain, the same information can be extracted by trying out RCPT TO *@omega-software.com with FROM [email protected]. What am I missing? cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'

