On Tue, May 03, 2011 at 10:00:58AM -0700, Rich Wales wrote:

> > So what other 'vulnerable' configuration information EHLO reveals
> > & how they can be disabled/mitigated/fabricated?
>
> You may want to suppress the SIZE information (maximum size of a
> message that your server will accept). Some hackers might take
> this as a challenge and try to exploit it in a denial-of-service
> attack to clog up your server with huge junk messages that are
> just under your advertised size limit. Unless you have a very
> small "message_size_limit" for some unusual reason, I don't see
> any real point in explicitly advertising it.

No, this is silly; one is better off advertising the maximum size to avoid the vast majority of unnecessary partial transmissions of overly large messages. An attacker can tie up SMTP server resources whether the SIZE limit is known or not. The vulnerability scanning tool in question is worse than useless in this regard; the right answer is to turn off that scan feature, or ignore it.

Regardless, one should not enable SMTP features one does not want to offer to outside parties. Potentially ETRN, DSN, ...

--
	Viktor.
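
A check for the point in the reply above about not offering SMTP features one does not intend to offer, as an added example that is not part of the original thread: it parses an EHLO reply and lists the advertised extensions that fall outside an intended set. The sample reply, the host name and the intended set (which keeps SIZE) are constructed assumptions.

```python
# Constructed sample EHLO reply (hypothetical host name), not captured traffic.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-ETRN\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)

# Assumed site policy: extensions this server is meant to offer to outside parties.
INTENDED = {"PIPELINING", "SIZE", "STARTTLS", "ENHANCEDSTATUSCODES", "8BITMIME"}


def parse_ehlo(reply):
    """Return (greeting_domain, {KEYWORD: [params]}) from a multi-line 250 reply."""
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    if not lines:
        raise ValueError("empty EHLO reply")
    for i, line in enumerate(lines):
        # Continuation lines use "250-", the final line uses "250 ".
        sep = " " if i == len(lines) - 1 else "-"
        if line[:4] != "250" + sep:
            raise ValueError("malformed EHLO reply line: %r" % line)
    greeting = lines[0][4:].split(" ", 1)[0]
    extensions = {}
    for line in lines[1:]:
        keyword, *params = line[4:].split()
        extensions[keyword.upper()] = params  # keywords are case-insensitive
    return greeting, extensions


def audit(reply, intended=INTENDED):
    """Return the sorted list of advertised extensions outside the intended set."""
    _, extensions = parse_ehlo(reply)
    return sorted(k for k in extensions if k not in intended)


def advertised_size(reply):
    """Return the SIZE limit in bytes, 0 if SIZE has no value, None if absent."""
    _, extensions = parse_ehlo(reply)
    if "SIZE" not in extensions:
        return None
    return int(extensions["SIZE"][0]) if extensions["SIZE"] else 0


if __name__ == "__main__":
    print("unintended extensions:", audit(SAMPLE_EHLO_REPLY))
```

In Postfix, keywords that turn up in this list can be withheld from the EHLO reply with `smtpd_discard_ehlo_keywords`.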