On 2024-10-15 at 13:02:02 UTC-0400 (Tue, 15 Oct 2024 17:02:02 +0000)
Serhii via Postfix-users <li...@at.encryp.ch>
is rumored to have said:
On 10/15/24 16:52, Bill Cole via Postfix-users wrote:
Unless you've intentionally enabled EXPN in your config, you probably
have not done anything really wrong, but not all defaults are ideal.
There are some non-defaults which will break SOME enumeration
attempts:
main.cf:
smtpd_reject_unlisted_sender = yes
disable_vrfy_command = yes
What version of nmap do you have?
7.95. At the top of that script it says:
Attempts to enumerate the users on a SMTP server by issuing the VRFY,
EXPN or RCPT TO
commands. The goal of this script is to discover all the user accounts
in the remote
system.
It also shows its last change as 2011-06-03, so it's not exactly in
active development.
In my case nmap used RCPT TO for checking recipients, so disabling
VRFY is of no help:
Oct 15 16:44:25 cheems postfix/smtpd[1051067]: disconnect from
x.x.x.x[x.x.x.x]:46118 ehlo=1 mail=1 rcpt=10 quit=1 commands=13
As for smtpd_reject_unlisted_sender, it won't help for an address that is
not in the local, virtual or relay address class:
https://www.postfix.org/ADDRESS_CLASS_README.html#classes
Exactly. It breaks the MAIL command, because that enumeration script
needs to use something as a sender address. It uses usertest@[host], an
invented address which won't be rejected unless you have
smtpd_reject_unlisted_sender (or reject_unlisted_sender in a restriction
list) OR happen to have a user named usertest.
So I get the test showing up in the summary log lines like this:
Oct 15 12:36:37 shiny postfix/submit/smtpd[4882]: disconnect from
HOST[IP.AD.DR.ESS] ehlo=1 mail=0/1 commands=1/2
Oct 15 12:36:50 shiny postfix/smtpd[4886]: disconnect from
HOST[IP.AD.DR.ESS] ehlo=1 mail=1/2 rcpt=0/1 vrfy=0/1 unknown=0/2
commands=2/7
Oct 15 12:36:50 shiny postfix/smtps/smtpd[4884]: disconnect from
HOST[IP.AD.DR.ESS] ehlo=1 mail=1/2 rcpt=0/1 vrfy=0/1 unknown=0/2
commands=2/7
Note that the usernames.lst file which nmap uses by default only has 10
usernames, so by default a run where every RCPT is sent and fails is not
much of a burden. However, an actual malicious enumerator will have a
much longer list, so if you let them get to RCPT they may be connected
for much longer.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
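The thread turns on reading the per-session counters that smtpd logs at disconnect (Postfix writes each command as `name=accepted` when every attempt succeeded and `name=accepted/attempted` when some were rejected, which is what `mail=0/1` and `rcpt=0/1` above mean). The script below is an added example, not code from the thread or from the Postfix project: it parses those disconnect summaries and flags the three shapes discussed here, VRFY/EXPN probing, a run of RCPT commands with no DATA (recipient enumeration that got past MAIL), and a session whose sender was rejected at MAIL FROM so RCPT was never reached. The sample log lines are constructed from the ones quoted in the thread plus one ordinary delivery; the hostnames and addresses are placeholders, and the RCPT threshold is an arbitrary choice, not a Postfix setting.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on the smtpd "disconnect" summaries quoted in
# the thread, plus one normal delivery and one non-disconnect line to be skipped.
SAMPLE_LOG = """\
Oct 15 16:44:25 cheems postfix/smtpd[1051067]: disconnect from x.x.x.x[x.x.x.x]:46118 ehlo=1 mail=1 rcpt=10 quit=1 commands=13
Oct 15 12:36:37 shiny postfix/submit/smtpd[4882]: disconnect from HOST[IP.AD.DR.ESS] ehlo=1 mail=0/1 commands=1/2
Oct 15 12:36:50 shiny postfix/smtpd[4886]: disconnect from HOST[IP.AD.DR.ESS] ehlo=1 mail=1/2 rcpt=0/1 vrfy=0/1 unknown=0/2 commands=2/7
Oct 15 12:40:01 shiny postfix/smtpd[4901]: disconnect from mail.example.net[192.0.2.10] ehlo=1 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Oct 15 12:41:13 shiny postfix/smtpd[4905]: connect from mail.example.net[192.0.2.10]
"""

# "postfix/smtpd[123]:" or a named instance such as "postfix/submit/smtpd[123]:".
DISCONNECT_RE = re.compile(
    r"postfix(?:/[\w-]+)?/smtpd\[\d+\]: disconnect from (?P<client>\S+)\s+(?P<counters>.*)$"
)
# Each counter is "cmd=accepted" or "cmd=accepted/attempted".
COUNTER_RE = re.compile(r"(?P<cmd>[a-z]+)=(?P<ok>\d+)(?:/(?P<total>\d+))?")


@dataclass
class Session:
    client: str
    counters: Dict[str, Tuple[int, int]]  # command -> (accepted, attempted)

    def accepted(self, cmd: str) -> int:
        return self.counters.get(cmd, (0, 0))[0]

    def attempted(self, cmd: str) -> int:
        return self.counters.get(cmd, (0, 0))[1]


def parse_disconnect(line: str) -> Optional[Session]:
    """Return a Session for an smtpd disconnect summary, or None for any other line."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counters: Dict[str, Tuple[int, int]] = {}
    for c in COUNTER_RE.finditer(m.group("counters")):
        ok = int(c.group("ok"))
        # Without a "/total" part every attempt was accepted, so attempted == accepted.
        total = int(c.group("total")) if c.group("total") else ok
        counters[c.group("cmd")] = (ok, total)
    return Session(m.group("client"), counters)


def classify(s: Session, rcpt_threshold: int = 5) -> List[str]:
    """Heuristics for the enumeration patterns discussed in the thread."""
    findings: List[str] = []
    if s.attempted("vrfy") or s.attempted("expn"):
        findings.append("vrfy/expn probing")
    # Many RCPTs and no DATA: recipient probing that got past MAIL FROM. Whether the
    # RCPTs were accepted does not matter; the attacker learned something either way.
    if s.attempted("rcpt") >= rcpt_threshold and s.attempted("data") == 0:
        findings.append(f"{s.attempted('rcpt')} RCPT attempts with no DATA (recipient probing)")
    # Every MAIL FROM rejected and no RCPT at all: the smtpd_reject_unlisted_sender case.
    if s.attempted("mail") and s.accepted("mail") == 0 and s.attempted("rcpt") == 0:
        findings.append("sender rejected at MAIL FROM, never reached RCPT")
    return findings


def scan(log_text: str, rcpt_threshold: int = 5) -> List[Tuple[str, List[str]]]:
    """Return (client, findings) for every disconnect summary that trips a heuristic."""
    results: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        s = parse_disconnect(line)
        if s is None:
            continue
        findings = classify(s, rcpt_threshold)
        if findings:
            results.append((s.client, findings))
    return results


if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG):
        print(f"{client}: {'; '.join(findings)}")
```

Run against the sample, the `rcpt=10` session from the first message is reported as recipient probing even though every RCPT was accepted, the `mail=0/1` session is reported as stopped at MAIL FROM, and the `vrfy=0/1` session is reported as VRFY probing, while the ordinary `rcpt=1 data=1` delivery produces nothing. Real logs have many more summary lines per client; grouping findings per client IP rather than per session is the obvious next step.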