
Disable EXPN and VRFY in Sendmail to increase security UNIX
I've found this tip on burningvoid.com's Infrequently Asked Questions page. EXPN and VRFY are two sendmail flags that can compromise the security of your mail server (assuming you've enabled it in OS X). This page describes both variables' functions a bit more fully, and explains how to disable them in sendmail's config file.

I tried it on MacOS 10.2.4 and it worked. I hope this helps.

Install qmail
Authored by: silas on Feb 25, '03 10:47:16AM
Another way to improve the security of sendmail is to remove it from your system and install qmail, the #2 MTA on the Internet, instead. qmail is a Mac user's mailer -- more secure, reliable, easy to configure, and robust than sendmail.

Install qmail
Authored by: wyvern on Feb 25, '03 04:33:05PM

Unfortunately, qmail is also very difficult to install. It's not by any means easy to use. It may be secure but it's needlessly complex... You have to create a bevy of users, plop a gaggle of files all over your system, and then start to configure the beast... what a pain! I tried for nearly a week to get qmail to work. When it still didn't, sendmail and its 30 mins of configuring looked awfully attractive, even if it is slow. Speed doesn't matter when it's just serving a few hundred messages per day.

I'm going to switch to postfix, I think, because sendmail does suck.

telnet must be enabled for these to be abused
Authored by: dierauer on Feb 25, '03 05:35:48PM

From the explanation, it seems clear that telnet must be enabled for these to be a security hole. Since recent versions of OS X have telnet disabled by default, this doesn't strike me as a big issue for your average OS X user/admin.

telnet must be enabled for these to be abused
Authored by: adashiel on Feb 25, '03 11:18:25PM

Telnet is disabled by default only in the sense that someone can't telnet to port 23 and shell into an account on your Mac. However, if you are running sendmail, someone still can telnet to port 25 (SMTP) and do an EXPN or VRFY.

mc option?
Authored by: bmerlin on Feb 26, '03 02:21:28PM

I use m4 to generate sendmail.cf. Which command should be used to change PrivacyOptions?

define(`confPRIVACY_OPTIONS', `noexpn novrfy')

doesn't work.



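Added example, not part of the original thread or of sendmail itself: a shell check that reads a sendmail.cf and reports whether its PrivacyOptions setting carries the noexpn and novrfy flags the hint describes, which is a quick way to confirm that an edit or an m4 rebuild actually reached the file sendmail loads. The function names and the sample configuration are constructed for illustration; merging flags from several PrivacyOptions lines is an assumption of this check, and goaway is counted as covering both flags.

```shell
#!/bin/sh
# Added example: audit a sendmail.cf for the flags that disable EXPN and VRFY.

# privacy_flags FILE: print the flags from every uncommented
# "O PrivacyOptions=" line, lowercased, one per line.
privacy_flags() {
    sed -n 's/^O[[:space:]][[:space:]]*PrivacyOptions[[:space:]]*=//p' "$1" |
        tr 'A-Z' 'a-z' | tr -cs 'a-z' '\n'
}

# expn_vrfy_status FILE: print "EXPN=<state> VRFY=<state>".
# Returns 0 only when both commands are disabled, 2 if FILE is unreadable.
expn_vrfy_status() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    expn=enabled
    vrfy=enabled
    # Assumption: flags from multiple lines are treated as cumulative.
    for flag in $(privacy_flags "$1"); do
        case $flag in
            goaway) expn=disabled; vrfy=disabled ;;  # shorthand covering both
            noexpn) expn=disabled ;;
            novrfy) vrfy=disabled ;;
        esac
    done
    echo "EXPN=$expn VRFY=$vrfy"
    [ "$expn" = disabled ] && [ "$vrfy" = disabled ]
}

# Constructed sample configuration (not taken from a real host): the
# commented-out line must be ignored, and novrfy is missing on purpose.
sample_cf() {
    cat <<'EOF'
# privacy flags
#O PrivacyOptions=goaway
O PrivacyOptions=authwarnings,noexpn
EOF
}

# Run the audit when a path to sendmail.cf is given on the command line.
if [ -n "${1:-}" ]; then
    expn_vrfy_status "$1"
fi
```

Run it against the sendmail.cf that the running daemon loads, not only against the .mc source, since the flags only take effect once they appear in the generated file and sendmail has been restarted.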