Solved

security vulnerability : postfix SMTP daemon supports EHLO

Posted on 2011-05-03
Last Modified: 2012-05-11

During a VA scan, it's reported that my postfix server has
a security vulnerability :

  EhloCheck: SMTP daemon supports EHLO


Q1. How can I disable EHLO & still send/receive mails?

Q2. Or is there a later version of postfix (let me know the
       version) that addresses this or any patch to apply?

Q3. Or can this vulnerability be explained away as being
        present in all postfix versions?


Below are the current configs of my postfix server:

# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
bounce_size_limit = 65536
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = yyyyyyyy.com
default_privs = nobody
default_transport = smtp
header_size_limit = 32768
html_directory = /usr/share/doc/postfix-2.5.6-documentation/html
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /big_partitn/spool/mail
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost
mydomain = yyyyyyyy.com
myhostname = pfixsvr.yyyyyyyy.com
mynetworks = 172.16.20.0/24, 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /big_partitn/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6-documentation/readme
relay_domains = $mydestination
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP POSTFIX
smtpd_delay_reject = yes
smtpd_recipient_limit = 500
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/rbl_override,
    reject_unauth_destination,
    reject_rbl_client dsn.rfc-ignorant.org,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_timeout = 360
soft_bounce = no
unknown_local_recipient_reject_code = 550

============================================

# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Thu Mar 17 18:10:18 SGT 2011
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.5.6
System: Red Hat Enterprise Linux ES release 4 (Nahant Update 2)

-- smtpd is linked to --
      libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x47b72000)

-- active SMTP AUTH and TLS parameters for smtpd --
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

. . . . .
Question by:sunhux

Author Comment

by:sunhux
ID: 35514204

1 more question:
& if there's a way to disable EHLO or fix it via a patch,
how do I verify (without running a VA scan) that this EHLO
vulnerability has been fixed?

Author Comment

by:sunhux
ID: 35514632

from the url
  http://www.iss.net/security_center/reference/vuln/smtp-ehlo.htm

it says :
SMTP daemons that support Extended HELO (EHLO) can release information
that could be useful to an attacker in performing an attack. Attackers
have been known to use the EHLO command to determine configuration
information on SMTP daemons.


So what other 'vulnerable' configuration information does EHLO reveal, &
how can it be disabled/mitigated/faked?



smtp_helo_name ($myhostname)
   Use a fictitious hostname to send in the SMTP EHLO  or  HELO
              command (& how do I do this?)

& from the url http://www.postfix.org/lmtp.8.html, can I insert something
like the following in main.cf :

smtp_never_send_ehlo (no)
  Never send EHLO at the start of an SMTP session.



& from the url http://www.postfix.org/postconf.5.html
$helo_name
   The hostname given in HELO or EHLO command or empty string

(& where & what's the syntax to set the above suggestions?)
LVL 81

Assisted Solution

by:arnold
arnold earned 680 total points
ID: 35622976
Ehlo is an RFC2821 Enhanced helo (greeting), which is part of the SMTP/ESMTP protocols.
 
Do you need to use SMTP AUTH?
You could edit main.cf.default and change the ESMTP to SMTP

The check is a tool that provides you information; it is up to you to make sure that the "alert" is legit or not.
Make sure you do not have vrfy username@yourdomain.com functional.
You can disable the ESMTP feature you do not need.
http://www.postfix.org/postconf.5.html
LVL 43

Accepted Solution

by:
ravenpl earned 320 total points
ID: 35676331
Agree with arnold:
ehlo support is not a security flaw; maybe it is a leak about postfix capabilities.
But before you disable ehlo: remote clients will never use encryption (starttls), authentication (auth), pipelining, chunking, 8bit transfers etc. etc. if you disable ehlo. Without ehlo, remotes will never know they can do that.
So it's your choice.
Also note that with postfix you can disable some ehlo responses while still supporting ehlo. The common one is probably
smtpd_discard_ehlo_keywords = silent-discard VRFY ETRN DSN
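One way to answer the verification question raised earlier in the thread (inspecting the EHLO keyword list directly instead of re-running the VA scan) and to confirm that the smtpd_discard_ehlo_keywords setting from the accepted solution took effect. This is an added example, not code from the thread or from Postfix; the sample reply is constructed, and the host, port and HELO name used for the live check are assumptions.

```python
import socket

# Constructed sample EHLO reply (not captured from the poster's server); the
# hostname and SIZE mirror the myhostname and message_size_limit posted above.
SAMPLE_EHLO_REPLY = (
    "250-pfixsvr.yyyyyyyy.com\r\n250-PIPELINING\r\n250-SIZE 51200000\r\n"
    "250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN\r\n"
)
# Keywords the accepted answer hides with "silent-discard VRFY ETRN DSN".
DISCARDED = {"VRFY", "ETRN", "DSN"}
# Keywords clients need for TLS and SMTP AUTH; these must stay advertised.
REQUIRED = {"STARTTLS", "AUTH"}


def parse_ehlo_reply(reply):
    """Map each advertised EHLO keyword to its parameters (greeting line skipped)."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO was rejected: " + (lines[0] if lines else "<empty>"))
    features = {}
    for line in lines[1:]:
        keyword, _, params = line[4:].strip().partition(" ")  # drop "250-" / "250 "
        features[keyword.upper()] = params
    return features


def audit_features(features):
    """Report discarded keywords that still leak and required keywords that are missing."""
    return {"leaked": sorted(DISCARDED & set(features)),
            "missing": sorted(REQUIRED - set(features))}


def read_reply(sock_file):
    """Read one SMTP reply, which may span several 'NNN-' continuation lines."""
    lines = []
    while True:
        line = sock_file.readline().decode("ascii", "replace")
        lines.append(line)
        if not line or line[3:4] != "-":
            return "".join(lines)


def fetch_ehlo_reply(host, port=25, helo_name="check.example.com", timeout=10):
    """Live check against your own server: read the banner, send EHLO, return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        read_reply(f)                                    # 220 banner (may be multi-line)
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        reply = read_reply(f)
        sock.sendall(b"QUIT\r\n")
        return reply
```

Running `audit_features(parse_ehlo_reply(fetch_ehlo_reply("pfixsvr.yyyyyyyy.com")))` from a host in mynetworks shows `leaked: []` once the discard setting is active, while STARTTLS and AUTH remain in the list.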
LVL 65

Assisted Solution

by:btan
btan earned 1000 total points
ID: 35690361
this is one good article to look at closing up the basic vulnerabilities for a postfix server; there can be restrictions put in place selectively, and the article shares it by drilling into specifics. probably you can take it as a holistic security posture instead of focusing only on ehlo, since we know it is necessary for auth and starttls for the security checks.

http://www.workaround.org/ispmail/lenny/authenticated-smtp

if it is due to protocol gaps and we disable it, are we saying we sacrifice the overall security for that less significant leakage? there is always a balance to make. e.g. tls and ssl have renegotiation flaws and the secure-by-default advice is to disable such services, but if we know disabling brings about greater security repercussions, the risk assessed will be deterring the decision. So before new patches come, the idea is to reduce the window of exposure where possible with layered defenses for that period, esp. knowing protocol standard changes take a while to take effect...

just some thoughts

Author Comment

by:sunhux
ID: 35695736

Thanks very much for the insights chaps.

Btw, does anyone know if MS Exchange 2010 uses SMTP or it uses
some other protocol?  I think I heard from a colleague from another team that
Exchange 2010 does not use SMTP (& no POP3 / secure POP) so it is more secure
LVL 81

Assisted Solution

by:arnold
arnold earned 680 total points
ID: 35695766
ESMTP/SMTP is the standard to exchange email between servers; starttls is an extension.

You need to know the context on whether pop3/secure pop is not configured by default in favor of IMAP/Secure IMAP, which provides access to the messages while the messages remain stored on the server.
There is a way to enable pop3 on exchange 2010
http://technet.microsoft.com/en-us/library/bb124934.aspx
LVL 65

Assisted Solution

by:btan
btan earned 1000 total points
ID: 35698753
Protocols such as HTTP (OWA / ActiveSync / Outlook Anywhere), IMAP4 and POP3 each have potential vulnerabilities. However, similar to SMTP, they can be protected with certificates.

External-facing transport servers use opportunistic transport layer security (TLS) when connecting to remote SMTP hosts. This allows them to send encrypted communications outbound if the remote server has a trusted certificate. Administrators can also enable domain security for partner SMTP domains for mutual TLS encryption.

No mention of use of ESMTP though, but exchange 2010 is much more secure than its predecessors.

http://searchexchange.techtarget.com/tip/Built-in-security-tools-help-defend-Exchange-Server-2010

other considerations for deployment

http://technet.microsoft.com/en-us/library/cc512685.aspx

Author Comment

by:sunhux
ID: 35699039

Thanks BreadTan, I must have heard wrongly that Exchange 2010 does
not use SMTP;  so it does?
LVL 65

Assisted Solution

by:btan
btan earned 1000 total points
ID: 35705594
Going back in time, Exchange 2007 has its own transport engine and does not require the Windows SMTP server to be installed.  Exchange 2003 does use the Windows SMTP server.

From Exchange 2007 onwards, you should NOT install SMTP from add/remove programs like you used to do in 2003. For Exchange 2010, it is the same as 2007 and uses SMTP - no specific SMTP service any more (like in previous versions) for you to stop/start.

If you installed the HUB transport role you have also installed the SMTP protocol. To be more specific, Microsoft Exchange Transport services (the new SMTP service) is the service used for the mail transfer protocol (it replaced the SMTP services); it is started automatically by default when deploying Hub Transport and Edge Transport. See the link

http://technet.microsoft.com/en-us/library/ee423542.aspx

You can even create connectors to other SMTP servers

http://smtpport25.wordpress.com/2010/07/11/exchange-2010-connectors/

So in short, I do not see that we can really live w/o SMTP, but being more wary is necessary, and add on the security as needed.

If you are interested, you can even do email tracking and SMTP logging
- by enabling Message Tracking on your Hub Transport servers if you want to track email.  You can also enable SMTP logging as well: http://technet.microsoft.com/en-us/library/bb124531(EXCHG.80).aspx

Author Closing Comment

by:sunhux
ID: 35712457
excellent