Wednesday, September 17, 2014

Disable VRFY for Postfix (Retina ID 146)

The Retina Network Security Scanner from BeyondTrust, Inc was run against my servers and ID 146 was a hit or finding on one of my servers. Retina can give good results on network security vulnerabilities, but false finds are also common. The problem with that the scanner is that it doesn't show you how it finds the vulnerability or how to fix it. I did some research and it turns out that you need to disable the VRFY command in postfix. Below I have posted the security vulnerability from Retina, with instructions on how to fix the issue.

What Retina says about the vulnerability 

Retina ID or vID 146
Description The VRFY command can lead to a remote attacker gaining the first and last name registered to any given email account. This can aid an attacker in social engineering attacks.
Discussion - fix Follow your SMTP server's manual on how to disable the VRFY command. If no instructions are provided contact your SMTP server's vender.
Severity = Low to Med
SevCode = III
Port = TCP:25
IA Controls = Mail Server
Retina scan Version 5.19.9.2802
Expected "252" and found "252 2.0.0. administrator"

Test for this issue.
man@earth> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost
Escape character is '^]'.
220 earth.planet.com ESMTP Postfix
VRFY
502 5.51.1 VRFY command is disabled

If the VRFY command does not come back as "VRFY command is disabled" then this is a finding.

Remediation
Add this line below to the /etc/postfix/main.cf.
disable_vrfy_command = yes

Reference section

Ref for fix:
cyberciti.biz

Ref for Security issue:
iss.net
xforce.iss.net

Manpages
Sendmail
Postfix

No comments:

Post a Comment