Security

Disable the EXPN and VRFY commands.

 
Matti_Kurkela
Honored Contributor

Re: Disable the EXPN and VRFY commands.

If you follow Bill's instructions, sendmail will be completely disabled, so EXPN and VRFY will no longer work.

But maybe you don't want to disable Sendmail completely.

 

When I Googled with keywords "sendmail disable expn vrfy", this was the second result:

 

http://jibbysununix.blogspot.fi/2010/03/sendmail-disabling-help-and-version.html

 

Look at step 2).

 

Note: depending on your HP-UX and Sendmail versions, you may have to make a similar change to /etc/mail/submit.cf too.

 

The above is just a quick "cookbook-style" instruction. To really understand Sendmail on HP-UX, you will need two books:

First, the HP-UX Mailing Services Administrator's Guide:

http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02037761/c02037761.pdf

 

Second, the "sendmail" book from O'Reilly:

http://shop.oreilly.com/product/9780596510299.do

This is not downloadable for free, but it is very important if you're using Sendmail in a serious way. Usually you'll want the latest edition of the book, although earlier editions may be useful with old HP-UX versions (and people who have updated to the latest edition might be selling old editions of the book on eBay or similar).

 

The "sendmail" book will completely describe the operation and configuration of a standard version of Sendmail. As a printed book, it is a 1300-page monster, but don't worry. The largest part of the book is a list of every configuration setting in Sendmail: you don't need to read all of that, just read the introductory chapters at the beginning of the book, then pick & choose what you need, or use it as a reference.

 

But HP has made some modifications to the configuration: the HP-UX Mailing Services Administrator's Guide describes the differences and also gives direct advice for some common configurations. If you need an "advanced configuration" of Sendmail on HP-UX, you really need both. Without having read the "sendmail" book, you won't understand all the concepts and references in the Mailing Services Administrator's Guide.

 

If you need a sendmail configuration option that is not immediately available in the standard HP-UX sendmail.cf file, you'll need the complete Sendmail configuration macro system that is available at /usr/newconfig/etc/mail/cf/cf/. HP has created a gen_cf script that makes it easier to use, but you'll really need the Mailing Services Administrator's Guide to successfully use it.

MK
Bill Hassell
Honored Contributor

Re: Disable the EXPN and VRFY commands.

OK, to simply disable these security issues, you can change the PrivacyOptions and SmtpGreetingMessage.

As with all sendmail settings, these may or may not all apply to your particular version of sendmail.

vi /etc/mail/sendmail.cf

Search for the line that has:

O PrivacyOptions=

To disable expn and vrfy (and authwarnings), change the line to:

O PrivacyOptions=authwarnings,noexpn,novrfy

And anticipating further security issues, change the default greeting from something like this:

O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

 

to this:

O SmtpGreetingMessage=$j $b

 



Bill Hassell, sysadmin
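
Added example (not part of either reply above, and not HP's or Sendmail's own tooling): a small POSIX sh audit that checks a .cf file for the two settings discussed in this thread, so the same check can be run against /etc/mail/sendmail.cf and /etc/mail/submit.cf after editing. The function names and the sample files are made up for illustration; `goaway` is treated as covering both flags because sendmail defines it as a shorthand that includes noexpn and novrfy.

```shell
#!/bin/sh
# Audit a sendmail .cf file for EXPN/VRFY and greeting-banner hardening.
# Helper names below are hypothetical, chosen for this example.

# Print the value of an "O Name=value" line (last occurrence wins).
cf_option() {    # $1 = cf file, $2 = option name
    sed -n "s/^O[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed if PrivacyOptions contains flag $2 as a whole word.
has_privacy_flag() {
    cf_option "$1" PrivacyOptions | tr ', ' '\n\n' | grep -ix "$2" >/dev/null
}

# Print findings; exit status is the number of findings (0 = clean).
# An unset SmtpGreetingMessage is not evaluated here.
audit_sendmail_cf() {
    cf=$1
    findings=0
    for flag in noexpn novrfy; do
        if ! has_privacy_flag "$cf" "$flag" && ! has_privacy_flag "$cf" goaway; then
            echo "FAIL $cf: PrivacyOptions lacks $flag"
            findings=$((findings + 1))
        fi
    done
    case $(cf_option "$cf" SmtpGreetingMessage) in
        *'$v'*|*'$Z'*)
            echo "FAIL $cf: greeting exposes version macros (\$v or \$Z)"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ] && echo "OK   $cf"
    return "$findings"
}

# Constructed sample files (not real system configs): before and after the edit.
SAMPLE_DIR=${TMPDIR:-/tmp}/cfaudit.$$
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/weak.cf" <<'EOF'
O PrivacyOptions=authwarnings
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
EOF
cat > "$SAMPLE_DIR/hardened.cf" <<'EOF'
O PrivacyOptions=authwarnings,noexpn,novrfy
O SmtpGreetingMessage=$j $b
EOF
for f in "$SAMPLE_DIR"/*.cf; do audit_sendmail_cf "$f" || true; done
```

On a real system, call `audit_sendmail_cf /etc/mail/sendmail.cf` (and the same for submit.cf) after restarting sendmail with the edited file.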