Re: security vulnerability : SMTP daemon supports EHLO

[Roger B.A. Klorese]

On May 3, 2011, at 8:49 AM, Reindl Harald wrote: Am 03.05.2011 17:34, schrieb Roger Goh: Hi, During a VA scan, it's reported that my postfix server has a security vulnerability :   EhloCheck: SMTP daemon supports EHLO where exactly is the security hole? you should not trust the output of every tool blind without try to understand what the output means EHLO is a part of ESMTP ____________________ http://en.wikipedia.org/wiki/ESMTP Some relatively common keywords (not all of them corresponding to commands) used today are:    * 8BITMIME — 8 bit data transmission, RFC 6152    * ATRN — Authenticated TURN for On-Demand Mail Relay, RFC 2645    * SMTP-AUTH — Authenticated SMTP, RFC 4954    * CHUNKING — Chunking, RFC 3030    * DSN — Delivery status notification, RFC 3461 (See Variable envelope return path)    * ETRN — Extended version of remote message queue starting command TURN, RFC 1985    * HELP — Supply helpful information, RFC 821    * PIPELINING — Command pipelining, RFC 2920    * SIZE — Message size declaration, RFC 1870    * STARTTLS — Transport layer security, RFC 3207 (2002)    * UTF8SMTP — Allow UTF-8 encoding in mailbox names and header fields, RFC 5336 Quoting http://www.iss.net/security_center/reference/vuln/smtp-ehlo.htm Note that: - the SMTP standard requires it - it's rated as low-risk - You can restrict the info it shows SMTP daemon supports EHLO (EhloCheck) Vuln ID: 323 Risk Level:   Low EhloCheck Platforms: IBM AIX, WindRiver BSDOS, SGI IRIX, Linux Kernel, Sun Solaris, IETF SMTP, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Apple Mac OS, Microsoft Windows 2003 Server, Microsoft Windows Vista Description: SMTP daemons that support Extended HELO (EHLO) can release information that could be useful to an attacker in performing an attack. Attackers have been known to use the EHLO command to determine configuration information on SMTP daemons. Remedy: SMTP as defined in RFC 2821 (see References) requires EHLO. Some SMTP implementations allow you to disable EHLO, but this capability is neither required nor consistent across products. If you are uncomfortable with the information that the Extended SMTP features can reveal, you may choose to disable EHLO on your mail server (if applicable), or switch to a mail server that allows EHLO to be disabled. Consult your mail server documentation or contact your vendor for information on whether it is possible to modify your mail server configuration to disable EHLO.