Great Circle Associates List-Managers
(September 1996)
 


Subject: Re: Turning off EXPN (and VRFY) for Majordomo security concern
From: Jason L Tibbitts III <tibbs @ hpc . uh . edu>
Date: Mon, 30 Sep 1996 11:19:29 -0500
To: brozen @ webdreams . com
Cc: majordomo-users @ GreatCircle . COM, list-managers @ GreatCircle . COM
In-reply-to: Your message of "Mon, 30 Sep 1996 17:11:57 +0200"
References: <324FE33D . 44C1 @ webdreams . com>

[Are so many mailing lists really necessary?  I will get three copies of
this.]

>>>>> "BR" == Brock Rozen <brozen @ webdreams . com> writes:

BR> Does anybody know how I can turn EXPN (and VRFY) off on sendmail so
BR> that I don't run into security problems with majordomo?

From the sendmail operations guide that comes with sendmail (8.7 or
higher):

PrivacyOptions = opt,opt,...
Set the privacy options.
``Privacy'' is really a misnomer; many of these are just a way of insisting
on stricter adherence to the SMTP protocol. The options can be selected
from:

public          Allow open access
needmailhelo    Insist on HELO or EHLO command before MAIL
needexpnhelo    Insist on HELO or EHLO command before EXPN
noexpn          Disallow EXPN entirely
needvrfyhelo    Insist on HELO or EHLO command before VRFY
novrfy          Disallow VRFY entirely
restrictmailq   Restrict mailq command
restrictqrun    Restrict -q command line flag
noreceipts      Don't return success DSNs
goaway          Disallow essentially all SMTP status queries
authwarnings    Put X-Authentication-Warning: headers in messages

The goaway pseudo-flag sets all flags except restrictmailq and
restrictqrun.

So add

O PrivacyOptions=authwarnings,novrfy,noexpn

or just

O PrivacyOptions=goaway

but this, in my opinion, turns off useful features.
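
Added example (not part of the original message or of sendmail itself): a small Python check that reads the PrivacyOptions lines from a sendmail.cf and reports whether EXPN and VRFY are actually disabled or only gated behind HELO. The function name, the sample configs and the choice to combine multiple option lines are assumptions; the flag list and the goaway expansion follow the excerpt quoted above.

```python
import re

# Flags exactly as listed in the operations-guide excerpt quoted in the message.
KNOWN = {"public", "needmailhelo", "needexpnhelo", "noexpn", "needvrfyhelo",
         "novrfy", "restrictmailq", "restrictqrun", "noreceipts", "goaway",
         "authwarnings"}
# Per the excerpt, goaway sets all flags except restrictmailq and restrictqrun.
# Assumption: "public" and "goaway" itself are not part of that expansion.
GOAWAY = KNOWN - {"public", "goaway", "restrictmailq", "restrictqrun"}

# Matches "O PrivacyOptions=..." with optional spaces around "=".
# Commented-out lines begin with "#" and therefore never match.
OPTION_RE = re.compile(r"^O\s+PrivacyOptions\s*=\s*(.*)$", re.IGNORECASE)

def audit_privacy_options(cf_text):
    """Return the effective privacy flags found in sendmail.cf text."""
    flags, unknown = set(), []
    for line in cf_text.splitlines():
        m = OPTION_RE.match(line)
        if not m:
            continue
        for opt in re.split(r"[,\s]+", m.group(1).strip()):
            opt = opt.lower()
            if not opt:
                continue
            if opt not in KNOWN:
                unknown.append(opt)      # likely a typo: the flag is not in effect
            elif opt == "goaway":
                flags |= GOAWAY
            else:
                flags.add(opt)           # assumption: multiple lines accumulate
    # Commands that merely require HELO/EHLO first but are still answered.
    helo_only = [c for c in ("expn", "vrfy")
                 if f"need{c}helo" in flags and f"no{c}" not in flags]
    return {"flags": sorted(flags), "unknown": unknown, "helo_only": helo_only,
            "expn_disabled": "noexpn" in flags,
            "vrfy_disabled": "novrfy" in flags}

# Constructed sample configs, not taken from any real host.
SAMPLE_EXPLICIT = "# constructed\nO PrivacyOptions=authwarnings,novrfy,noexpn\n"
SAMPLE_GOAWAY = "O PrivacyOptions=goaway\n"
SAMPLE_WEAK = ("#O PrivacyOptions=goaway\n"
               "O PrivacyOptions = needexpnhelo, needvrfyhelo, noexpm\n")

if __name__ == "__main__":
    for name, cf in [("explicit", SAMPLE_EXPLICIT), ("goaway", SAMPLE_GOAWAY),
                     ("weak", SAMPLE_WEAK)]:
        print(name, audit_privacy_options(cf))
```

The third sample shows the two cases worth catching in review: a commented-out goaway line that has no effect, and a misspelled flag that leaves EXPN answering once the client has sent HELO.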

