On Jul 2, 2005, at 12:06 AM, Gordon Rowell wrote:
> Although useful for debugging, I don't think we should disclose the version number. I'd also be happy (or is that happier?) with:
Why? If it's for security, will it really make a difference? Does it give any information out that an attacker can use? If there ever is a security problem in qpsmtpd (unlikely, but I suppose possible), wouldn't the attacker just hit SMTP servers at random for it anyway? Or if doing a more targeted attack, surely they'll try no matter what the version string says or doesn't say.
Enabling logging in the firewall shows lots of probes for, say, Windows vulnerabilities even if the box runs BSD or Linux. The HTTP log shows lots of 404s from accesses to obscure Windows vulnerabilities too.
- ask -- http://www.askbjoernhansen.com/
