security vulnerability: postfix SMTP daemon supports EHLO

Posted on 2011-05-03
Last Modified: 2012-05-11

During a VA scan, it's reported that my postfix server has
a security vulnerability:

  EhloCheck: SMTP daemon supports EHLO

Q1. How can I disable EHLO & still send/receive mail?

Q2. Or is there a later version of postfix (let me know the
    version) that addresses this, or any patch to apply?

Q3. Or can this vulnerability be explained away, as it's ever
    present in all postfix versions?

Below are the current configs of my postfix server:

# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
bounce_size_limit = 65536
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list =
default_privs = nobody
default_transport = smtp
header_size_limit = 32768
html_directory = /usr/share/doc/postfix-2.5.6-documentation/html
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /big_partitn/spool/mail
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost
mydomain =
myhostname =
mynetworks =,
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /big_partitn/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6-documentation/readme
relay_domains = $mydestination
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP POSTFIX
smtpd_delay_reject = yes
smtpd_recipient_limit = 500
smtpd_recipient_restrictions = permit_mynetworks,   permit_sasl_authenticated,
              check_client_access hash:/etc/postfix/rbl_override,
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_timeout = 360
soft_bounce = no
unknown_local_recipient_reject_code = 550


# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Thu Mar 17 18:10:18 SGT 2011
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.5.6
System: Red Hat Enterprise Linux ES release 4 (Nahant Update 2)

-- smtpd is linked to -- => /usr/lib/ (0x47b72000)

-- active SMTP AUTH and TLS parameters for smtpd --
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

. . . . .
Question by: sunhux

    Author Comment


    1 more question:
    & if there's a way to disable EHLO or fix it via a patch,
    how do I verify (without running a VA scan) that this EHLO
    vulnerability has been fixed?

    Author Comment


    from the url

    it says:
    SMTP daemons that support Extended HELO (EHLO) can release information
    that could be useful to an attacker in performing an attack. Attackers
    have been known to use the EHLO command to determine configuration
    information on SMTP daemons.

    So what other 'vulnerable' configuration information does EHLO reveal, &
    how can it be disabled/mitigated/fabricated?

    smtp_helo_name ($myhostname)
       Use a fictitious hostname to send in the SMTP EHLO or HELO
       command (& how do I do this?)

    & from the url, can I insert something
    like the following in:

    smtp_never_send_ehlo (no)
      Never send EHLO at the start of an SMTP session.

    & from the url
       The hostname given in HELO or EHLO command or empty string

    (& where & what's the syntax to set the above suggestions?)

    Assisted Solution

    EHLO is the RFC 2821 enhanced HELO (greeting), which is part of the SMTP/ESMTP protocols.
    Do you need to use SMTP AUTH?
    You could edit and change the ESMTP to SMTP

    The check is a tool that provides you information; it is up to you to make sure that the "alert" is legit or not.
    Make sure you do not have VRFY functional.
    You can disable the ESMTP features you do not need.

    Accepted Solution

    Agree with arnold:
    EHLO support is not a security flaw; maybe it is a leak about Postfix capabilities.
    But before you disable EHLO: remote clients will never use encryption (STARTTLS), authentication (AUTH), pipelining, chunking, 8-bit transfers etc. etc. if you disable EHLO. Without EHLO, remotes will never know they can do that.
    So it's your choice.
    Also note that with Postfix you can disable some EHLO responses while still supporting EHLO. The common one is probably
    smtpd_discard_ehlo_keywords = silent-discard VRFY ETRN DSN
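The script below is an added example, not code from this thread or from the Postfix project. It ties together the accepted solution's `smtpd_discard_ehlo_keywords` setting, arnold's advice to keep VRFY non-functional, and the asker's earlier question about verifying the change without re-running the VA scan: apply the setting with `postconf -e`, then speak SMTP to the listener and compare the keywords it advertises before and after. The two transcripts are constructed to match the shape Postfix 2.5 produces for the posted configuration (no STARTTLS line, since no TLS parameters are set) and were not captured from the asker's server; the hostnames `mail.example` and `scanner.example`, and the use of `nc` for the live probe, are assumptions. Note that the `smtp_helo_name` and `smtp_never_send_ehlo` parameters quoted earlier in the thread belong to the Postfix SMTP client (outbound delivery), not to the smtpd listener the scanner tested, so they do not change what `EhloCheck` sees.

```shell
#!/bin/sh
# Added example (not from the thread or the Postfix project). Assumes a Postfix
# 2.x smtpd and, for the live probe only, that `nc` is installed. Everything
# else runs offline on the constructed transcripts below.

# Apply the accepted solution: keep EHLO, but stop advertising the extensions
# the scanner objects to and that this host does not need.
harden_postfix_ehlo() {
    postconf -e 'smtpd_discard_ehlo_keywords = silent-discard, vrfy, etrn, dsn'
    # Also refuse VRFY outright; Postfix then drops the keyword from EHLO too.
    postconf -e 'disable_vrfy_command = yes'
    postfix reload
}

# Parse an SMTP transcript on stdin and print the EHLO keywords the server
# advertised, one per line, sorted. A multi-line 250 reply uses "250-" on all
# but the last line and "250 " on the last; the first 250 line carries the
# server hostname rather than a keyword and is skipped.
ehlo_keywords() {
    awk '
        /^250[- ]/ {
            n++
            if (n == 1) next
            sub(/^250[- ]/, ""); sub(/\r$/, "")
            split($0, f, " ")
            print toupper(f[1])
        }
    ' | LC_ALL=C sort
}

# Return 0 when none of the named keywords appear in the newline-separated
# list in $1; otherwise report the first survivor on stderr and return 1.
check_discarded() {
    list=$1; shift
    for kw in "$@"; do
        if printf '%s\n' "$list" | grep -qx "$kw"; then
            echo "still advertised: $kw" >&2
            return 1
        fi
    done
    return 0
}

# Live check (needs network): send EHLO and QUIT, parse the reply.
# Usage: probe_ehlo mail.example 25
probe_ehlo() {
    printf 'EHLO scanner.example\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}" | ehlo_keywords
}

# Constructed transcripts (not captured from the asker's server) in the shape
# Postfix 2.5 emits for the posted config: before and after hardening.
SAMPLE_BEFORE='220 mail.example ESMTP POSTFIX
250-mail.example
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
221 2.0.0 Bye'
SAMPLE_AFTER='220 mail.example ESMTP POSTFIX
250-mail.example
250-PIPELINING
250-SIZE 51200000
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME
221 2.0.0 Bye'
```

Run `probe_ehlo mail.example 25` before and after `harden_postfix_ehlo`, then feed both lists to `check_discarded ... VRFY ETRN DSN`: the list should lose VRFY, ETRN and DSN while keeping AUTH (needed for the SASL setup in the posted config) and PIPELINING. The `silent-discard` pseudo-keyword only suppresses the log line Postfix would otherwise write for each discarded keyword; it does not change what the client sees.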

    Assisted Solution

    This is one good article to look at for closing up the basic vulnerabilities of a Postfix server; there can be restrictions put in place selectively, and the article shared drills into specifics. Probably you can take it as a holistic security posture instead of focusing only on EHLO, since we know it is necessary for AUTH and STARTTLS for the security checks.

    If it is due to protocol gaps and we disable it, are we saying we sacrifice the overall security for that less significant leakage? There is always a balance to make. E.g. TLS and SSL have renegotiation flaws and the secure-by-default advice is to disable such services, but if we know disabling brings about greater security repercussions, the risk assessed will be deterring the decision. So before new patches come, the idea is to reduce the window of exposure where possible with layered defenses for that period, esp. knowing protocol standard changes take a while to take effect...

    just some thoughts

    Author Comment


    Thanks very much for the insights, chaps.

    Btw, does anyone know if MS Exchange 2010 uses SMTP or it uses
    some other protocol?  I think I heard from a colleague from another team that
    Exchange 2010 does not use SMTP (& no POP3 / secure POP) so is more secure

    Assisted Solution

    ESMTP/SMTP is the standard to exchange email between servers; STARTTLS is an extension.

    You need to know the context on whether POP3/secure POP is not configured by default in favor of IMAP/secure IMAP, which provides access to the messages while the messages remain stored on the server.
    There is a way to enable POP3 on Exchange 2010


    Assisted Solution

    Protocols such as HTTP (OWA / ActiveSync / Outlook Anywhere), IMAP4 and POP3 each have potential vulnerabilities. However, similar to SMTP, they can be protected with certificates.

    External-facing transport servers use opportunistic transport layer security (TLS) when connecting to remote SMTP hosts. This allows them to send encrypted communications outbound if the remote server has a trusted certificate. Administrators can also enable domain security for partner SMTP domains for mutual TLS encryption.

    No mention of use of ESMTP though, but Exchange 2010 is much more secure than its predecessors.

    Other considerations for deployment

    Author Comment


    Thanks BreadTan, I must have heard wrongly that Exchange 2010 does
    not use SMTP;  so it does?

    Assisted Solution

    Going back in time, Exchange 2007 has its own transport engine and does not require the Windows SMTP server to be installed.  Exchange 2003 does use the Windows SMTP server.

    From Exchange 2007 onwards, you should NOT install SMTP from Add/Remove Programs like you used to do in 2003. For Exchange 2010, it is the same as 2007 and uses SMTP - there is no specific SMTP service any more (like in previous versions) for you to stop/start.

    If you installed the Hub Transport role you have also installed the SMTP protocol. To be more specific, the Microsoft Exchange Transport service (the new SMTP service) is the service used for the mail transfer protocol (it replaced the SMTP service); it is started automatically by default when the Hub Transport and Edge Transport roles are deployed. See the link

    You can even create connectors to other SMTP servers

    So in short, I do not see that we can really live w/o SMTP, but being more wary is necessary, and add on the security as needed.

    If you are interested, you can even do email tracking and SMTP logging
    - by enabling Message Tracking on your Hub Transport servers if you want to track email.  You can also enable SMTP logging as well:
