Quoting Claudio Prono:
> Hello all,
>
> I use Postfix with mysql database for the users lookup. I have recently
> found an information leak with the RCPT TO command.
>
> Here is an example:
>
> telnet mailserver 25
> Trying XXX.XXX.XXX.XXX...
> Connected to mailserver.
> Escape character is '^]'.
On 09/07/2010 12:16 PM, Claudio Prono wrote:
Hello all,
I use Postfix with mysql database for the users lookup. I have recently
found an information leak with the RCPT TO command.
Here is an example:
telnet mailserver 25
Trying XXX.XXX.XXX.XXX...
Connected to mailserver.
Escape character is '^
* Claudio Prono:
> Ok, this is right, but is also an information leak... with rcpt to I can
> enumerate the local users of the system, and for me this is not too
> good... No way to fix this?
Turn off SMTP :)
--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitä
On 2010-09-07 17:23, Claudio Prono wrote:
> Ok, this is right, but is also an information leak... with rcpt to I can
> enumerate the local users of the system, and for me this is not too
> good... No way to fix this?
>
>
If it is not necessary for those local users to receive mail, you could
alt
On Tue, Sep 07, 2010 at 10:40:23AM -0500, Noel Jones wrote:
>> Ok, this is right, but is also an information leak... with rcpt to I can
>> enumerate the local users of the system, and for me this is not too
>> good... No way to fix this?
>
> This is part of the design of SMTP. You can call it a f
On 9/7/2010 10:23 AM, Claudio Prono wrote:
Noel Jones wrote:
On 9/7/2010 5:16 AM, Claudio Prono wrote:
Hello all,
I use Postfix with mysql database for the users lookup. I have recently
found an information leak with the RCPT TO command.
..
Any hint is well accepted.
This is a bas
Noel Jones wrote:
> On 9/7/2010 5:16 AM, Claudio Prono wrote:
>> Hello all,
>>
>> I use Postfix with mysql database for the users lookup. I have recently
>> found an information leak with the RCPT TO command.
>>
> ..
>>
>> Any hint is well accepted.
>>
>
> This is a basic function of the SMTP
On 9/7/2010 5:16 AM, Claudio Prono wrote:
Hello all,
I use Postfix with mysql database for the users lookup. I have recently
found an information leak with the RCPT TO command.
...
Any hint is well accepted.
This is a basic function of the SMTP protocol.
Hello all,
I use Postfix with mysql database for the users lookup. I have recently
found an information leak with the RCPT TO command.
Here is an example:
telnet mailserver 25
Trying XXX.XXX.XXX.XXX...
Connected to mailserver.
Escape character is '^]'.
220 mailserver ESMTP
helo mail
250 mailserv