On 2024-10-15 at 11:03:13 UTC-0400 (Tue, 15 Oct 2024 16:03:13 +0100)
Paul Fowler via Postfix-users <pauldfow...@gmail.com>
is rumored to have said:

Hi,

Are there best practices for avoiding OS username enumeration on a mail relay?

I'm surprised it works at all against Postfix...

Or is it something that maybe I've misconfigured?

Unless you've intentionally enabled EXPN in your config, you probably have not done anything really wrong but not all defaults are ideal. There are some non-defaults which will break SOME enumeration attempts:

main.cf:

    smtpd_reject_unlisted_sender = yes
    disable_vrfy_command = yes


master.cf:

        submission inet  n       -       n       -       -       smtpd
            -o syslog_name=postfix/submit
            -o smtpd_tls_security_level=encrypt
            -o smtpd_sasl_auth_enable=yes
            -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
            -o milter_macro_daemon_name=ORIGINATING
        smtps      inet  n       -       n       -       -       smtpd
            -o syslog_name=postfix/smtps
            -o smtpd_tls_wrappermode=yes
            -o smtpd_sasl_auth_enable=yes
            -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
            -o milter_macro_daemon_name=ORIGINATING-TLS

And make sure that smtpd_sasl_auth_enable is NOT set in main.cf.
This will make Postfix reject bogus sender addresses in local and virtual address classes on the port 25 (SMTP transport) service, while the master.cf stanzas for submission and smtps services require authentication for any sender.

With these on my Postfix server, the nmap enumeration script yields this sort of failure to enumerate:


PORT    STATE SERVICE
25/tcp  open  smtp
| smtp-enum-users:
|_  Method EXPN returned a unhandled status code.
465/tcp open  smtps
| smtp-enum-users:
|_  Method EXPN returned a unhandled status code.
587/tcp open  submission
| smtp-enum-users:
|_  Couldn't perform user enumeration, authentication needed


NOTE: This assumes that you are following other modern best practices, including NOT enabling EXPN or VRFY, disabling AUTH on port 25, requiring AUTH on ports 465 and 587 (but only WITH TLS), and NOT supporting wildcard delivery.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
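An added example, not part of the thread or of Postfix itself: a small audit that parses main.cf and master.cf text and flags the settings the reply above calls out (VRFY left enabled, unlisted senders accepted on port 25, AUTH enabled in main.cf, submission/smtps not requiring SASL before accepting recipients). The sample configs are constructed, and the parsers are simplified: they understand only plain `key = value` lines and `-o key=value` overrides, not continuation lines or the full postconf syntax.

```python
# Constructed sample configs (not from the thread): a weak main.cf beside the
# hardened main.cf / master.cf settings recommended in the reply above.
WEAK_MAIN_CF = "smtpd_sasl_auth_enable = yes\ndisable_vrfy_command = no\n"
HARDENED_MAIN_CF = "smtpd_reject_unlisted_sender = yes\ndisable_vrfy_command = yes\n"
MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""
# main.cf parameter -> (value that closes the enumeration gap, why it matters)
MAIN_CF_EXPECTED = {
    "disable_vrfy_command": ("yes", "VRFY replies distinguish valid from invalid users"),
    "smtpd_reject_unlisted_sender": ("yes", "bogus local/virtual senders are accepted"),
    "smtpd_sasl_auth_enable": ("no", "AUTH is offered on port 25 instead of submission only"),
}

def parse_main_cf(text):  # 'key = value' lines -> dict; comments and blanks ignored
    params = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def parse_master_cf(text):  # service name -> its '-o key=value' overrides
    services, current = {}, None
    for line in text.splitlines():
        if line.strip().startswith("-o ") and current is not None:
            key, _, value = line.strip()[3:].partition("=")
            services[current][key] = value
        elif line.strip() and not line[0].isspace() and not line.startswith("#"):
            current = line.split()[0]          # a new service entry starts in column 1
            services[current] = {}
    return services

def audit(main_cf, master_cf):  # returns findings; an empty list means all checks passed
    params, services = parse_main_cf(main_cf), parse_master_cf(master_cf)
    findings = []
    for key, (wanted, why) in MAIN_CF_EXPECTED.items():
        if params.get(key, "no") != wanted:    # all three parameters default to 'no'
            findings.append(f"main.cf: {key} should be '{wanted}' ({why})")
    for svc in ("submission", "smtps"):        # ports 587 and 465
        o = services.get(svc, {})
        if (o.get("smtpd_sasl_auth_enable") != "yes"
                or not o.get("smtpd_recipient_restrictions", "").startswith("permit_sasl_authenticated")):
            findings.append(f"master.cf: {svc} does not require SASL auth before RCPT TO")
    return findings
```

Run `audit(open("/etc/postfix/main.cf").read(), open("/etc/postfix/master.cf").read())` on a real host to list what still needs changing; the hardened sample returns no findings while the weak one returns three.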