I have checked this script and the simplest thing you can do is to delay rejection of invalid RCPT TO to DATA or END-OF-DATA. In this case, nmap will output all usernames it uses to check, making this info completely useless for potential attacker.
On 10/15/24 15:03, Paul Fowler via Postfix-users wrote:
Hi, Are there best practices for avoid OS username enumeration on a mail relay? Or is it something that maybe I've misconfigured? E.g. the nmap smtp-enum-users script shows some default users. Host is up (0.13s latency). PORT STATE SERVICE 25/tcp open smtp | smtp-enum-users: | root |_ admin I have this parameter set "disable_vrfy_command = yes" I have the default parameter "local_recipient_maps = proxy:unix:passwd.byname $alias_maps" I have tested this parameter by removing the values, but it did not seem to make a difference. Regards, Paul _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
_______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
