Today, I was doing some security checks on Nethserver using OpenVAS via Ubuntu 18.04.
OpenVas find the following vulnerability and suggest me a solution to disable the VRFY and EXPN request on Mailserver. But I don’t know how I can disable these kinds of requests?
Well… root is the only user that cannot… not be present on every unix/linux system. Even BSD.
So (d’oh) it’s quite common the answer root to VRFY. Question is: does the VRFY whatever will give any answer? IMVHO the query is quite pointless and useless…
Vulnerability Insight:
VRFY and EXPN ask the server for information about an address. They are
inherently unusable through firewalls, gateways, mail exchangers for part-time hosts, etc.
That, um, isn’t very insightful. I suppose (though they don’t bother to say it) the concern is that it gives a bad actor a relatively easy way to check whether an account exists on your server, but calling that a “vulnerability” sounds like a bit of a stretch.
I expect the reason root is queried is because it’s guaranteed to be there on pretty much any Unix-y system, but the real issue (though once again, I’m only guessing, because they don’t bother to explain why they believe this to be a problem) is that it responds to VRFY at all. Here’s what my server does:
250 DSN
VRFY dan
252 2.0.0 dan
VRFY nonexistent
550 5.1.1 <nonexistent>: Recipient address rejected: User unknown in local recipient table
DONE
I don’t see that it would make a difference–the SMTP server is accessible on red and green. Is it configured to respond differently to the VRFY command between the two? I could probably test this on mine, but it’ll take a bit before I could get to it.
I do agree it’s a false positive, but that’s because I don’t believe the so-called “vulnerability” is actually a vuln–but since they don’t bother to explain why they flag it, it’s kind of hard to say.