* Roger Goh :
> Hi,
>
> During a VA scan, it's reported that my postfix server has
> a security vulnerability :
>
>EhloCheck: SMTP daemon supports EHLO
That is NOT a vulnerability.
--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campu
Am 03.05.2011 19:00, schrieb Rich Wales:
>> So what other 'vulnerable' configuration information EHLO reveals
>> & how they can disabled/mitigated/fabricated ?
>
> You may want to suppress the SIZE information (maximum size of a
> message that your server will accept). Some hackers might take
>
On Tue, May 03, 2011 at 11:15:57AM -0700, Rich Wales wrote:
> A followup question. If I suppress the advertising of an extended
> feature by listing it in smtpd_discard_ehlo_keywords, does that also
> disable the feature? Or do I have to do other things to actually
> turn a feature off and make
>> You may want to suppress the SIZE information . . . .
>
> No, this is silly, one is better off advertising the maximum size
> to avoid the vast majority unnecessary partial transmission of
> overly large messages. An attacker can tie up SMTP server resources
> whether the SIZE limit is known o
> -Original Message-
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Rich Wales
> Sent: Tuesday, May 03, 2011 9:18 AM
> To: postfix users
> Subject: Re: security vulnerability : SMTP daemon supports EHLO
>
> I can i
On Tue, May 03, 2011 at 10:00:58AM -0700, Rich Wales wrote:
> > So what other 'vulnerable' configuration information EHLO reveals
> > & how they can disabled/mitigated/fabricated ?
>
> You may want to suppress the SIZE information (maximum size of a
> message that your server will accept). Some
> So what other 'vulnerable' configuration information EHLO reveals
> & how they can disabled/mitigated/fabricated ?
You may want to suppress the SIZE information (maximum size of a
message that your server will accept). Some hackers might take
this as a challenge and try to exploit it in a denia
> Can we mitigate it somewhat like what Roger Klorese suggested,
> eg: restrict the info EHLO reveals or don't reveal actual hostname :
All the configuration items you mentioned are things that affect what
your Postfix will or won't do as a client talking to other servers.
These configuration opti
Roger Goh:
> Hi,
>
> During a VA scan, it's reported that my postfix server has
> a security vulnerability :
>
>EhloCheck: SMTP daemon supports EHLO
EHLO is required by the SMTP standard (RFC 5321).
Wietse
& from the url Roger Klorese provided,
http://www.iss.net/security_center/reference/vuln/smtp-ehlo.htm
it says :
SMTP daemons that support Extended HELO (EHLO) can release information
that could be useful to an attacker in performing an attack. Attackers
have been known to use the EHLO command t
Ok, ok, no offence intended.
Can we mitigate it somewhat like what Roger Klorese suggested,
eg: restrict the info EHLO reveals or don't reveal actual hostname :
smtp_helo_name ($myhostname)
Use a fictitious hostname to send in the SMTP EHLO or HELO
command (& how do I do this?
> During a VA scan, it's reported that my postfix server has a security
> vulnerability : EhloCheck: SMTP daemon supports EHLO
As Roger Klorese pointed out, there is an advertised, fuzzy vulnerability
advisory out there regarding EHLO. However, as Noel Jones indicated, EHLO
is a standard part o
On May 3, 2011, at 8:49 AM, Reindl Harald wrote:Am 03.05.2011 17:34, schrieb Roger Goh:Hi,During a VA scan, it's reported that my postfix server hasa security vulnerability : EhloCheck: SMTP daemon supports EHLOwhere exactly is the security hole?you should not trust the output of every tool blind
Am 03.05.2011 17:34, schrieb Roger Goh:
> Hi,
>
> During a VA scan, it's reported that my postfix server has
> a security vulnerability :
>
>EhloCheck: SMTP daemon supports EHLO
where exactly is the security hole?
you should not trust the output of every tool blind without
try to understan
On 5/3/2011 10:34 AM, Roger Goh wrote:
Hi,
During a VA scan, it's reported that my postfix server has
a security vulnerability :
EhloCheck: SMTP daemon supports EHLO
EHLO is not a security vulnerability, rather it is a standard
feature of SMTP (not just postfix, but all mail servers).
On May 3, 2011, at 8:42 AM, Roger Goh wrote:
> 1 more question:
>
> if there's a way to disable EHLO or fixing it via a patch,
> how do I verify (without running VA scan) that this EHLO
> vulnerability has been fixed?
>
What vulnerability?! Who doesn't use EHLO?!?!
Perhaps you should use a
1 more question:
if there's a way to disable EHLO or fixing it via a patch,
how do I verify (without running VA scan) that this EHLO
vulnerability has been fixed?
TIA
Roger
17 matches
Mail list logo
