> During a VA scan, it's reported that my postfix server has a security
> vulnerability :   EhloCheck: SMTP daemon supports EHLO

As Roger Klorese pointed out, there is an advertised, fuzzy vulnerability
advisory out there regarding EHLO.  However, as Noel Jones indicated, EHLO
is a standard part of SMTP and is required for some essential security
features -- so, IMO, anyone who demands a total disabling of EHLO is being
paranoid and/or uninformed.

You might want to use "smtpd_discard_ehlo_keywords" to tell your server
not to advertise certain EHLO keywords.  For example, I am currently using
"smtpd_discard_ehlo_keywords = etrn size silent-discard" in my main.cf,
which tells my server not to advertise the ETRN capability or my maximum
message length limit.  I also have "fast_flush_domains =" in my main.cf,
to make sure no mail is made available for ETRN processing even if some
client decides to try using it despite my not advertising it.  See the
page "http://www.postfix.org/ETRN_README.html" for more info about ETRN.

I can imagine that some hackers might use the SIZE info in an EHLO response
as an invitation to try to crash a server by sending huge messages that are
just under the advertised maximum length -- hence the idea of omitting this
item from the EHLO response.  I'd certainly be interested in hearing other
thoughts about EHLO-related security concerns.

Rich Wales
Palo Alto, CA
ri...@richw.org
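An added example, not part of the post above or of Postfix itself: a small Python audit that parses an EHLO reply the way smtplib returns it and reports which keywords a local policy says should not be advertised (here ETRN and SIZE, per the post) and whether a required one such as STARTTLS is still present. The hostnames, sample replies and policy sets are constructed for illustration.

```python
import smtplib

# Added example, not from the post: hostnames, replies and policy sets are constructed.
# Keywords the post prefers not to advertise (hidden via smtpd_discard_ehlo_keywords).
DISALLOWED = {"ETRN", "SIZE"}
# Keywords that must stay advertised; STARTTLS is only offered in an EHLO reply.
REQUIRED = {"STARTTLS"}


def parse_ehlo_keywords(ehlo_msg: bytes) -> dict:
    """Turn the EHLO reply body (as smtplib returns it) into {KEYWORD: params}.
    First line is the server hostname; each later line is one keyword plus
    optional parameters, e.g. "SIZE 10240000"."""
    lines = ehlo_msg.decode("ascii", errors="replace").splitlines()
    keywords = {}
    for line in lines[1:]:
        parts = line.strip().split(None, 1)
        if parts:
            keywords[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return keywords


def audit_ehlo(ehlo_msg: bytes) -> dict:
    """Report unwanted keywords that are advertised and required ones missing."""
    advertised = set(parse_ehlo_keywords(ehlo_msg))
    return {"unwanted": sorted(advertised & DISALLOWED),
            "missing": sorted(REQUIRED - advertised)}


def audit_live(host: str, port: int = 25) -> dict:
    """Connect to a server you administer and audit its real EHLO reply."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}: {msg!r}")
        return audit_ehlo(msg)


# Constructed replies before and after setting
# "smtpd_discard_ehlo_keywords = etrn size silent-discard" in main.cf.
BEFORE = b"mail.example.test\nPIPELINING\nSIZE 10240000\nETRN\nSTARTTLS\n8BITMIME"
AFTER = b"mail.example.test\nPIPELINING\nSTARTTLS\n8BITMIME"

if __name__ == "__main__":
    print("before:", audit_ehlo(BEFORE))  # unwanted ['ETRN', 'SIZE'], missing []
    print("after: ", audit_ehlo(AFTER))   # unwanted [], missing []
```

Run `audit_live("your.mail.host")` against a server you operate to confirm the discard setting took effect after a `postfix reload`.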
