sunhux asked:
Security vulnerability: Postfix SMTP daemon supports EHLO


During a VA scan, it's reported that my Postfix server has
a security vulnerability:

  EhloCheck: SMTP daemon supports EHLO


Q1. How can I disable EHLO and still send/receive mail?

Q2. Or is there a later version of Postfix (let me know the
    version) that addresses this, or any patch to apply?

Q3. Or can this vulnerability be explained away, as it is ever
    present in all Postfix versions?


Below are the current configs of my postfix server:

# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
bounce_size_limit = 65536
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = yyyyyyyy.com
default_privs = nobody
default_transport = smtp
header_size_limit = 32768
html_directory = /usr/share/doc/postfix-2.5.6-documentation/html
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /big_partitn/spool/mail
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost
mydomain = yyyyyyyy.com
myhostname = pfixsvr.yyyyyyyy.com
mynetworks = 172.16.20.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /big_partitn/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6-documentation/readme
relay_domains = $mydestination
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP POSTFIX
smtpd_delay_reject = yes
smtpd_recipient_limit = 500
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/rbl_override,
    reject_unauth_destination,
    reject_rbl_client dsn.rfc-ignorant.org,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_timeout = 360
soft_bounce = no
unknown_local_recipient_reject_code = 550

============================================

# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Thu Mar 17 18:10:18 SGT 2011
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.5.6
System: Red Hat Enterprise Linux ES release 4 (Nahant Update 2)

-- smtpd is linked to --
      libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x47b72000)

-- active SMTP AUTH and TLS parameters for smtpd --
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

. . . . .
sunhux (asker):

One more question:
if there's a way to disable EHLO or to fix it via a patch,
how do I verify (without running a VA scan) that this EHLO
vulnerability has been fixed?
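One way to check this without the scanner, as an added example that is not part of the thread's answers: talk to port 25 yourself, send EHLO, and read the reply, because that is all the VA scan does. The script below is editor-supplied; the sample replies, the hostname and the SIZE value in them are constructed from the postconf output in the question, not captured from a live server. It reports whether EHLO is accepted at all, which extensions are advertised and what each one tells an outsider, and can diff two replies to confirm that a keyword has disappeared after a configuration change.

```python
"""EHLO probe: show exactly what an SMTP server discloses in its EHLO reply.

Run `python ehlo_probe.py <host>` against a real server, or with no
arguments to work on the constructed sample transcripts below.
"""
import re
import socket
import sys

# Constructed sample transcripts (not captured from the asker's server). The
# hostname and SIZE value are the ones visible in the question's postconf
# output; EHLO_AFTER is the same server once VRFY and ETRN are hidden.
EHLO_BEFORE = (
    b"250-pfixsvr.yyyyyyyy.com\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 51200000\r\n"
    b"250-VRFY\r\n"
    b"250-ETRN\r\n"
    b"250-AUTH PLAIN LOGIN\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250-8BITMIME\r\n"
    b"250 DSN\r\n"
)
EHLO_AFTER = (
    b"250-pfixsvr.yyyyyyyy.com\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 51200000\r\n"
    b"250-AUTH PLAIN LOGIN\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250-8BITMIME\r\n"
    b"250 DSN\r\n"
)

# "NNN-text" is a continuation line, "NNN text" is the final line of a reply.
REPLY_LINE = re.compile(rb"^(\d{3})([ -])(.*)$")


def supports_ehlo(raw):
    """True when the first reply line is a 250: the check the VA scan makes."""
    first = raw.split(b"\n", 1)[0].rstrip(b"\r")
    m = REPLY_LINE.match(first)
    return bool(m) and m.group(1) == b"250"


def parse_ehlo(raw):
    """Parse a multi-line 250 reply into (greeting, {KEYWORD: [params]}).

    The first 250 line carries the server's hostname, not an extension.
    Raises ValueError for a non-250 reply or a truncated/malformed reply.
    """
    lines = [l for l in raw.replace(b"\r\n", b"\n").split(b"\n") if l]
    if not lines:
        raise ValueError("empty reply")
    greeting, exts = None, {}
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m or m.group(1) != b"250":
            raise ValueError("EHLO not accepted: %r" % line)
        text = m.group(3).decode("ascii", "replace").split()
        if i == 0:
            greeting = text[0] if text else ""
        elif text:
            exts[text[0].upper()] = text[1:]
    if lines[-1][3:4] != b" ":
        raise ValueError("truncated reply: no final '250 ' line")
    return greeting, exts


def describe(exts):
    """Map each advertised keyword to the server-side fact it discloses."""
    notes = []
    if exts.get("SIZE"):
        notes.append("SIZE: message_size_limit = %s bytes" % exts["SIZE"][0])
    if "AUTH" in exts:
        notes.append("AUTH: SMTP AUTH is on, mechanisms: %s" % " ".join(exts["AUTH"]))
        if "STARTTLS" not in exts and {"PLAIN", "LOGIN"} & set(exts["AUTH"]):
            notes.append("AUTH PLAIN/LOGIN without STARTTLS: passwords cross "
                         "the wire base64-encoded, not encrypted")
    if "VRFY" in exts:
        notes.append("VRFY: address verification enabled (user enumeration)")
    if "ETRN" in exts:
        notes.append("ETRN: remote queue flush enabled")
    if "STARTTLS" not in exts:
        notes.append("no STARTTLS: the server offers no TLS at all")
    return notes


def hidden_keywords(before_raw, after_raw):
    """Keywords advertised before a change but not after it (verifies a fix)."""
    return set(parse_ehlo(before_raw)[1]) - set(parse_ehlo(after_raw)[1])


def _read_reply(f):
    """Read one SMTP reply, which may span several 'NNN-' continuation lines."""
    out = b""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("connection closed mid-reply")
        out += line
        if line[3:4] == b" ":
            return out


def ehlo_probe(host, port=25, helo_name="probe.invalid", timeout=10):
    """Connect, read the banner, send EHLO, return (banner, raw EHLO reply)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        banner = _read_reply(f)
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        reply = _read_reply(f)
        sock.sendall(b"QUIT\r\n")
    return banner, reply


if __name__ == "__main__":
    raw = ehlo_probe(sys.argv[1])[1] if len(sys.argv) > 1 else EHLO_BEFORE
    if not supports_ehlo(raw):
        print("EHLO not supported:", raw.decode("ascii", "replace").strip())
    else:
        greeting, exts = parse_ehlo(raw)
        print("greeting:", greeting)
        for kw, params in exts.items():
            print("  %-20s %s" % (kw, " ".join(params)))
        for note in describe(exts):
            print("  !", note)
```

Save the raw reply before and after a change and feed both to `hidden_keywords()`; the result is the list of keywords the scanner will no longer see. A reply that starts with a 5xx code instead of 250 is the only thing that would make "EhloCheck" go away, and that means the server has stopped speaking ESMTP altogether.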
sunhux (asker):
From the URL
  http://www.iss.net/security_center/reference/vuln/smtp-ehlo.htm

it says:
SMTP daemons that support Extended HELO (EHLO) can release information
that could be useful to an attacker in performing an attack. Attackers
have been known to use the EHLO command to determine configuration
information on SMTP daemons.


So what other 'vulnerable' configuration information does EHLO reveal, and
how can it be disabled/mitigated/fabricated?



smtp_helo_name ($myhostname)
   Use a fictitious hostname to send in the SMTP EHLO or HELO
   command (and how do I do this?)

And from the URL http://www.postfix.org/lmtp.8.html, can I insert something
like the following in main.cf:

smtp_never_send_ehlo (no)
  Never send EHLO at the start of an SMTP session.



And from the URL http://www.postfix.org/postconf.5.html
$helo_name
   The hostname given in HELO or EHLO command or empty string

(And where, and with what syntax, do I set the above suggestions?)
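The server-side syntax, as an added example that is not taken from the thread's answers. Two things are worth separating first: `smtp_helo_name` and `smtp_never_send_ehlo` belong to smtp(8), the Postfix SMTP client that delivers outbound mail, so they change what this host says to other servers, not what its smtpd(8) advertises to a scanner; and EHLO cannot be switched off on the inbound side without giving up ESMTP, because AUTH (which `smtpd_sasl_auth_enable = yes` depends on), SIZE and PIPELINING are only negotiated through EHLO, and every Postfix release answers EHLO. What Postfix 2.2 and later lets you control is which keywords appear in the reply, via `smtpd_discard_ehlo_keywords`. The main.cf fragment below is editor-supplied; the parameter names are real Postfix parameters, the values chosen are assumptions for illustration:

```ini
# /etc/postfix/main.cf fragment (added example; values are assumptions)

# Banner: hostname and ESMTP only, no product or version string.
smtpd_banner = $myhostname ESMTP

# Do not let clients skip HELO/EHLO altogether.
smtpd_helo_required = yes

# Disable VRFY outright; Postfix then also drops "250-VRFY" from EHLO.
# A keyword hidden via smtpd_discard_ehlo_keywords is only hidden: the
# command behind it still works, so disable the function itself when
# that is what you actually want.
disable_vrfy_command = yes

# ETRN: only the internal networks may trigger a queue flush.
smtpd_etrn_restrictions = permit_mynetworks, reject

# Keywords to leave out of the EHLO reply. "silent-discard" stops Postfix
# logging the discard on every connection. Do not list "auth" here while
# remote SASL clients depend on seeing it.
smtpd_discard_ehlo_keywords = silent-discard, etrn
```

After `postfix reload`, a fresh EHLO against port 25 should no longer list ETRN or VRFY. If a different keyword list is wanted per client network (for example hiding AUTH from the Internet but keeping it for a range that authenticates), `smtpd_discard_ehlo_keyword_address_maps` takes a lookup table indexed by client address with the same keyword syntax.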
SOLUTION by arnold (United States): body available to Experts Exchange members only.

ASKER CERTIFIED SOLUTION: body available to Experts Exchange members only.

SOLUTION: body available to Experts Exchange members only.
sunhux (asker):
Thanks very much for the insights chaps.

By the way, does anyone know if MS Exchange 2010 uses SMTP or whether it uses
some other protocol? I think I heard from a colleague in another team that
Exchange 2010 does not use SMTP (and no POP3 / secure POP), so it is more secure.
SOLUTION: body available to Experts Exchange members only.

SOLUTION: body available to Experts Exchange members only.
sunhux (asker):
Thanks BreadTan, I must have heard wrongly that Exchange 2010 does
not use SMTP; so it does?
SOLUTION: body available to Experts Exchange members only.
sunhux (asker):
Excellent.