PCI Compliance Scan failure

Posted 9/9/2007 2:44:22 PM
Forum Newbie
We are required to run our IP address through a 3rd party security audit to comply with our credit card processing provider. Our security audit has been coming back with the following failure:

Synopsis : It is possible to enumerate the names of valid users on the remote host. Description : The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information. Solution: If you are using Sendmail, add the option : O PrivacyOptions=goaway in /etc/sendmail.cf. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C: P/I:N/A:N) CVE : CVE-1999-0531 Other references : OSVDB:12551
(NOTE: I added a space to the part between parentheses to prevent a smiley)

Is there a setting I'm missing to fix this issue?
We currently have the "Disable SMTP "VRFY" Command" checked on our server. Checking "Disable SMTP AUTH" in our SMTP settings makes no difference and it breaks our e-mail system for remote users using POP to send e-mail.
I believe I brought this up to Ipswitch support before, but the answer was that they just returned an error message rather than not answering. We've been failing this test for a while, but the security auditing company recently upgraded this from a 1 point to a 4 point failure, which makes us non-compliant for the scan. It wasn't a major issue before now.

Thanks.
John
Post #36628
Posted 9/10/2007 3:22:47 AM
Forum Guru
1) After making changes, did you restart both the SMTP and QueueManager services?

2) Do not check "Disable SMTP Auth" that has nothing to do with this.

3) On the SMTP service, under Security,
Uncheck "Allow Remote view of local groups"
Check "Disable SMTP VRFY command"

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood." Ralph Waldo Emerson (1802-1882)

Post #36632
Posted 9/10/2007 9:26:25 AM
Forum Newbie
Yes, I stopped and restarted SMTP.
The other options are already set the way you suggest. These were the settings we have always had. Still failing the test for some reason.
When I run the VRFY command in a telnet window on port 25, it returns:
502 Command not implemented

When I run the EXPN command, it returns:
550 lists are confidential

So we don't have either command implemented. I read online somewhere that a valid response to EXPN should return:
550 Access Denied!

This is probably what the Ipswitch tech was talking about.
Thanks.
John Olden
Post #36646
Posted 9/18/2007 6:09:00 PM
Junior Member
Honestly, I would go back to your PCI auditor and ask why the text after the 550 is an issue. Once you receive a 550, that in itself means you cannot do it, and the entire text portion is for the human reader, not the 'automation'.

I think you have a more than valid point about passing even though their 'automation' thinks otherwise.  Some programmer wrote some sloppy code imho.

For more reference / ammunition in your defense... http://www.ietf.org/rfc/rfc0821.txt

Specifically starting around page 48, as it defines permanent error codes (those starting with a 5).

Post #36977
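The point made in the two replies above (only the numeric reply code decides whether VRFY/EXPN are refused; the text after a 550 is for humans) as an added example that is not code from this thread, from Ipswitch or from the scanning vendor: a small Python classifier that parses constructed VRFY/EXPN replies and rates them by code alone, so "502 Command not implemented", "550 lists are confidential" and "550 Access Denied!" all count as refusals, while a 250 reply carrying addresses is the real disclosure a scanner should flag. It goes slightly beyond the thread by also handling the RFC 1123 "252 cannot VRFY" reply and multi-line replies; all sample exchanges and addresses are constructed.

```python
import re

# Constructed sample exchanges (command sent, reply lines as returned); none are
# captured from a real server. Addresses use the reserved example.com domain.
SAMPLE_EXCHANGES = [
    ("VRFY root", ["502 Command not implemented"]),
    ("EXPN root", ["550 lists are confidential"]),
    ("EXPN staff", ["550 Access Denied!"]),
    ("VRFY alice", ["252 Cannot VRFY user, but will accept message and attempt delivery"]),
    ("VRFY alice", ["250 Alice Example <alice@example.com>"]),
    ("EXPN staff", ["250-Alice Example <alice@example.com>", "250 Bob Example <bob@example.com>"]),
]

# An SMTP reply line is a 3-digit code, then ' ' (last line) or '-' (continuation).
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_reply(lines):
    """Return (code, [text, ...]) for a one- or multi-line SMTP reply.
    Every line must carry the same code; only the final line may use ' '."""
    code, texts = None, []
    for i, line in enumerate(lines):
        m = REPLY_RE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        if code is None:
            code = int(m.group(1))
        elif int(m.group(1)) != code:
            raise ValueError("reply code changed mid-reply")
        is_last = i == len(lines) - 1
        if (m.group(2) == " ") != is_last:
            raise ValueError("continuation marker does not match line position")
        texts.append(m.group(3))
    return code, texts

def classify(command, lines):
    """Rate a VRFY/EXPN reply by its numeric code only, ignoring the free text:
    5xx -> 'refused' (permanent negative, nothing disclosed; what the thread's
           server sends), 252 -> 'noncommittal' (neither confirms nor denies),
    2xx -> 'disclosed' (names/addresses returned: the finding that matters)."""
    if command.split()[0].upper() not in ("VRFY", "EXPN"):
        raise ValueError("not a VRFY/EXPN exchange")
    code, _texts = parse_reply(lines)
    if 500 <= code <= 599:
        return "refused"
    if code == 252:
        return "noncommittal"
    if 200 <= code <= 299:
        return "disclosed"
    return "other"

def audit(exchanges):
    """Classify every exchange; a server passes when nothing is 'disclosed'."""
    return [(cmd, classify(cmd, lines)) for cmd, lines in exchanges]
```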
Posted 9/19/2007 9:34:10 AM
Forum Newbie
I forgot to come back here and follow up on this issue.
I sent a message to Ipswitch support about this and they basically came back with the same thing you said. That the 550 and 502 codes are RFC compliant. I forwarded their take on the situation to the PCI scanning company and they came back with, "After doing some research, the following is what our scan is showing and why it is failing..." and then they listed the same results I stated earlier. I replied back with "...Ok?...Why is this a failure if the RFC says this is what it should be saying?" And I linked to the same RFC source you did.
They finally lowered the score to a 3 which is considered a non-critical failure. I don't see why it's a failure at all but at least we are shown as being compliant now.
I hate to say it but this shouldn't be a problem after 6 months since we will be switching over to Exchange server. Then we will have a whole different set of problems.
Post #36997
Posted 7/3/2008 9:48:32 PM
Forum Newbie
jgolden (9/10/2007)
When I run the VRFY command in a telnet window on port 25, it returns:
502 Command not implemented

When I run the EXPN command, it returns:
550 lists are confidential

I am telnetting into my server from a DOS prompt by typing telnet XX.XX.XX.XX 25

When I run the VRFY and EXPN commands at the telnet prompt I am receiving the same response as above

VRFY = 502 command not implemented

and

EXPN = 550 lists are confidential

The error below now has a base score of 5 which is causing me to fail my PCI DSS compliance.
It looks like it is failing because EXPN is returning "550 lists are confidential" not "550 Access Denied"! Any thoughts on how I can get around this issue?

Thank you,
Martin

Security warning found on port/service "smtp (25/tcp)"

    Note: this warning was first detected on 2008-06-03 10:00:00
    Plugin "EXPN and VRFY commands"
    Category "Simple mail transfer protocol (SMTP) and mail server"
    Priority Ranking "Medium Priority"

    Synopsis : It is possible to enumerate the names of valid users on the remote host. Description : The remote SMTP server answers to the EXPN and/or VRFY commands. The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account. Your mailer should not allow remote users to use any of these commands, because it gives them too much information.

     Solution : If you are using Sendmail, add the option : O PrivacyOptions=goaway in /etc/sendmail.cf.

     Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C/I:N/A:N) Plugin output : EXPN root produces the following output : 550 lists are confidential

     CVE : CVE-1999-0531 Other references : OSVDB:12551
Post #45149
Posted 7/4/2008 9:06:56 PM
Forum Guru
Look through the archives. This is overzealous auditing.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood." Ralph Waldo Emerson (1802-1882)

Post #45170
Posted 7/9/2008 6:02:04 PM
Forum Newbie
Hi John, Thanks for the info.

Thank you,

Martin

Post #45260