• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1751

Security vulnerability: Postfix SMTP daemon supports EHLO


During a VA scan, it was reported that my Postfix server has
a security vulnerability:

  EhloCheck: SMTP daemon supports EHLO


Q1. How can I disable EHLO & still send/receive mails?

Q2. Or is there a later version of Postfix (let me know the
    version) that addresses this, or any patch to apply?

Q3. Or can this vulnerability be explained away as ever
    present in all Postfix versions?


Below are the current configs of my postfix server:

# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
bounce_size_limit = 65536
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = yyyyyyyy.com
default_privs = nobody
default_transport = smtp
header_size_limit = 32768
html_directory = /usr/share/doc/postfix-2.5.6-documentation/html
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /big_partitn/spool/mail
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost
mydomain = yyyyyyyy.com
myhostname = pfixsvr.yyyyyyyy.com
mynetworks = 172.16.20.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /big_partitn/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6-documentation/readme
relay_domains = $mydestination
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP POSTFIX
smtpd_delay_reject = yes
smtpd_recipient_limit = 500
smtpd_recipient_restrictions = permit_mynetworks,   permit_sasl_authenticated,
              check_client_access hash:/etc/postfix/rbl_override,
              reject_unauth_destination,
                              reject_rbl_client dsn.rfc-ignorant.org,
              permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_timeout = 360
soft_bounce = no
unknown_local_recipient_reject_code = 550

============================================

# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Thu Mar 17 18:10:18 SGT 2011
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.5.6
System: Red Hat Enterprise Linux ES release 4 (Nahant Update 2)

-- smtpd is linked to --
      libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x47b72000)

-- active SMTP AUTH and TLS parameters for smtpd --
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

sunhux (Author) Commented:

1 more question:
& if there's a way to disable EHLO or fix it via a patch,
how do I verify (without running a VA scan) that this EHLO
vulnerability has been fixed?
 
sunhux (Author) Commented:

From the URL
  http://www.iss.net/security_center/reference/vuln/smtp-ehlo.htm

it says:
SMTP daemons that support Extended HELO (EHLO) can release information
that could be useful to an attacker in performing an attack. Attackers
have been known to use the EHLO command to determine configuration
information on SMTP daemons.


So what other 'vulnerable' configuration information does EHLO reveal, &
how can it be disabled/mitigated/fabricated?


smtp_helo_name ($myhostname)
   Use a fictitious hostname to send in the SMTP EHLO or HELO
   command (& how do I do this?)

& from the URL http://www.postfix.org/lmtp.8.html, can I insert something
like the following in main.cf:

smtp_never_send_ehlo (no)
  Never send EHLO at the start of an SMTP session.


& from the URL http://www.postfix.org/postconf.5.html
$helo_name
   The hostname given in HELO or EHLO command or empty string

(& where & what's the syntax to set the above suggestions?)
 
arnold Commented:
EHLO is an RFC 2821 Enhanced HELO (greeting), which is part of the SMTP/ESMTP protocols.

Do you need to use SMTP AUTH?
You could edit main.cf.default and change the ESMTP to SMTP

The check is a tool that provides you information; it is up to you to make sure that the "alert" is legit or not.
Make sure you do not have vrfy username@yourdomain.com functional.
You can disable the ESMTP features you do not need.
http://www.postfix.org/postconf.5.html
 
ravenpl Commented:
Agree with arnold:
EHLO support is not a security flaw; maybe it is a leak about Postfix capabilities.
But before you disable EHLO: remote clients will never use encryption (STARTTLS), authentication (AUTH), pipelining, chunking, 8-bit transfers etc. etc. if you disable EHLO. Without EHLO, remotes will never know they can do that.
So it's your choice.
Also note that with Postfix you can disable some EHLO responses while still supporting EHLO. The common one is probably
smtpd_discard_ehlo_keywords = silent-discard VRFY ETRN DSN
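For the verification question asked earlier (how to confirm a change without re-running the VA scan), here is an added example that is not part of this thread: it parses a server's EHLO reply and reports which of the keywords discarded via smtpd_discard_ehlo_keywords are still advertised. The keyword set, the client HELO name and the two sample replies are constructed for illustration.

```python
"""Added example: check what an SMTP server advertises in reply to EHLO,
e.g. before and after setting
  smtpd_discard_ehlo_keywords = silent-discard VRFY ETRN DSN
in Postfix main.cf. Not code from the original thread."""
import smtplib

# Keywords the thread suggests discarding; the set is an assumption.
UNWANTED = {"VRFY", "ETRN", "DSN"}


def parse_ehlo_reply(reply: bytes) -> dict:
    """Parse a raw multi-line 250 EHLO reply into {KEYWORD: [params]}.
    The first 250 line carries the server hostname, not a keyword."""
    keywords = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        # Continuation lines are "250-..." and the last line is "250 ...".
        if not line.startswith("250") or len(line) < 5:
            continue
        parts = line[4:].split()
        if parts:
            keywords[parts[0].upper()] = parts[1:]
    return keywords


def leaked_keywords(keywords: dict, unwanted=UNWANTED) -> set:
    """Return the unwanted keywords the server still advertises."""
    return unwanted & set(keywords)


def check_live(host: str, port: int = 25, helo: str = "check.example.test") -> set:
    """Connect to a server you administer, send EHLO and return the unwanted
    keywords it still advertises. smtplib stores the parsed keywords
    (lower-cased) in esmtp_features after ehlo()."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo(helo)
        return leaked_keywords({k.upper(): v for k, v in s.esmtp_features.items()})


# Constructed sample replies: before and after discarding VRFY/ETRN/DSN.
SAMPLE_BEFORE = (b"250-pfixsvr.yyyyyyyy.com\r\n250-PIPELINING\r\n"
                 b"250-SIZE 51200000\r\n250-VRFY\r\n250-ETRN\r\n"
                 b"250-AUTH PLAIN LOGIN\r\n250-ENHANCEDSTATUSCODES\r\n"
                 b"250-8BITMIME\r\n250 DSN\r\n")
SAMPLE_AFTER = (b"250-pfixsvr.yyyyyyyy.com\r\n250-PIPELINING\r\n"
                b"250-SIZE 51200000\r\n250-AUTH PLAIN LOGIN\r\n"
                b"250-ENHANCEDSTATUSCODES\r\n250 8BITMIME\r\n")

if __name__ == "__main__":
    print("before:", sorted(leaked_keywords(parse_ehlo_reply(SAMPLE_BEFORE))))
    print("after: ", sorted(leaked_keywords(parse_ehlo_reply(SAMPLE_AFTER))))
```

Note that AUTH and 8BITMIME stay advertised in the "after" reply, which is the point ravenpl makes: discarding individual keywords keeps the rest of ESMTP working.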
 
btan (Exec Consultant) Commented:
This is one good article to look at for closing up the basic vulnerabilities of a Postfix server; there are restrictions that can be put in place selectively, and the article shared drills into specifics. Probably you can take it as a holistic security posture instead of focusing only on EHLO, since we know it is necessary for AUTH and STARTTLS for the security checks.

http://www.workaround.org/ispmail/lenny/authenticated-smtp

If it is due to protocol gaps and we disable it, are we saying we sacrifice the overall security for that less significant leakage? There is always a balance to make. E.g. TLS and SSL have renegotiation flaws and the secure-by-default advice is to disable such services, but if we know disabling brings about greater security repercussions, the risk assessed will be deterring the decision. So before new patches come, the idea is to reduce the window of exposure where possible with layered defenses for that period, esp. knowing protocol standard changes take a while to take effect...

Just some thoughts
 
sunhux (Author) Commented:

Thanks very much for the insights, chaps.

Btw, does anyone know if MS Exchange 2010 uses SMTP or it uses
some other protocol?  I think I heard from a colleague from another team that
Exchange 2010 does not use SMTP (& no POP3 / secure POP) so it is more secure
 
arnold Commented:
ESMTP/SMTP is the standard to exchange email between servers; STARTTLS is an extension.

You need to know the context on whether POP3/secure POP is not configured by default in favor of IMAP/secure IMAP, which provides access to the messages while the messages remain stored on the server.
There is a way to enable POP3 on Exchange 2010:
http://technet.microsoft.com/en-us/library/bb124934.aspx
 
btan (Exec Consultant) Commented:
Protocols such as HTTP (OWA / ActiveSync / Outlook Anywhere), IMAP4 and POP3 each have potential vulnerabilities. However, similar to SMTP, they can be protected with certificates.

External-facing transport servers use opportunistic transport layer security (TLS) when connecting to remote SMTP hosts. This allows them to send encrypted communications outbound if the remote server has a trusted certificate. Administrators can also enable domain security for partner SMTP domains for mutual TLS encryption.

No mention of use of ESMTP though, but Exchange 2010 is much more secure than its predecessors.

http://searchexchange.techtarget.com/tip/Built-in-security-tools-help-defend-Exchange-Server-2010

Other considerations for deployment:

http://technet.microsoft.com/en-us/library/cc512685.aspx
 
sunhux (Author) Commented:

Thanks BreadTan, I must have heard wrongly that Exchange 2010 does
not use SMTP; so it does?
 
btan (Exec Consultant) Commented:
Going back in time, Exchange 2007 has its own transport engine and does not require the Windows SMTP server to be installed. Exchange 2003 does use the Windows SMTP server.

From Exchange 2007 onwards, you should NOT install SMTP from Add/Remove Programs like you used to do in 2003. For Exchange 2010, it is the same as 2007 and it uses SMTP; there is no specific SMTP service any more (like in previous versions) for you to stop/start.

If you installed the Hub Transport role, you have also installed the SMTP protocol. To be more specific, the Microsoft Exchange Transport service (the new SMTP service) is the service used for the mail transfer protocol (it replaced the SMTP service); it is started automatically by default when the Hub Transport and Edge Transport roles are deployed. See the link

http://technet.microsoft.com/en-us/library/ee423542.aspx

You can even create connectors to other SMTP servers

http://smtpport25.wordpress.com/2010/07/11/exchange-2010-connectors/

So in short, I do not see that we can really live w/o SMTP, but being more wary is necessary, and add on the security as needed.

If you are interested, you can even do email tracking and SMTP logging
- by enabling Message Tracking on your Hub Transport servers if you want to track email. You can also enable SMTP logging as well: http://technet.microsoft.com/en-us/library/bb124531(EXCHG.80).aspx
 
sunhux (Author) Commented:
excellent