On Tue, Sep 07, 2010 at 10:40:23AM -0500, Noel Jones wrote:

>> Ok, this is right, but is also an information leak... with rcpt to i can
>> enumerate the local users of the system, and for me this is not too
>> good... No way to fix this?
>
> This is part of the design of SMTP. You can call it a feature or a flaw or
> an information leak, but it's still part of the design. This is not
> postfix specific; it is a design feature of every software that implements
> SMTP.
>
> I would suggest investing in a few good books on SMTP to prevent asking
> further sophomoric questions.

This said, when the "postscreen" feature of Postfix 2.8 is complete (includes a mini SMTP engine for envelope logging, ...) it will provide some protection from directory harvesting, when the agent doing the harvesting is a bot that fails RBL checks or grey-listing.

This can be done without "postscreen" today, provided that recipient validation follows RBL checks and call-outs to grey-listing policy services, ...

No directory harvesting defense is perfect. The "information leakage" in question is fundamentally unavoidable unless one accepts and bounces mail to invalid recipients, but this "cure" is worse than the "disease".

-- 
	Viktor.
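
The ordering described in the reply above, sketched as a main.cf fragment. This is an added example, not configuration from the original message; the DNSBL host name and the policy service address are placeholders for whatever the site actually runs.

```cfg
# /etc/postfix/main.cf (added example, not from the original message)
#
# Restrictions are evaluated left to right and the first one that
# returns a reject or defer decides the reply to RCPT TO.
#
# Ordering that helps a harvester: the recipient lookup runs first, so
# even a client that is on the blocklist gets a different reply for an
# unknown address than for a valid one.
#
#smtpd_recipient_restrictions =
#    permit_mynetworks,
#    reject_unauth_destination,
#    reject_unlisted_recipient,
#    reject_rbl_client dnsbl.example.org,
#    check_policy_service inet:127.0.0.1:10023

# Ordering from the reply: recipient validation follows the RBL check
# and the grey-listing policy call-out. A listed client is rejected,
# and a first-time client is deferred, before the recipient table is
# consulted, so valid and invalid addresses get the same reply.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
# Placeholder DNSBL zone (assumption): use the list the site trusts.
    reject_rbl_client dnsbl.example.org,
# Placeholder grey-listing policy service address (assumption).
    check_policy_service inet:127.0.0.1:10023,
# Only clients that passed both checks learn whether the user exists.
    reject_unlisted_recipient
```

A client that passes the RBL check and retries after the grey-listing delay still sees the recipient-specific reply, which is the limit the reply points out.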