Let's take a closer look at "define(`confPRIVACY_FLAGS',`goaway')dnl".
define(`confPRIVACY_FLAGS',`goaway')dnl
Bonjour. It's a bit long, but in short:
For best security we recommend this setting:
O PrivacyOptions=goaway
That is what it seems to be telling us to do.
http://www.unix.org.ua/orelly/networking/sendmail/ch22_03.htm
The SMTP vrfy command causes sendmail to verify that it will accept an address for delivery. If a user's login name is given, the full name and login name are printed:
vrfy george
250 George Washington
Here, the 250 SMTP reply code (see RFC821) means a successful verification. [7] If the user is unknown, however, sendmail says so:
[7] See the F=q flag (Section 30.8.36, F=q) for a way and reason to change this SMTP reply code to 252.
vrfy foo
550 foo... User unknown
The SMTP expn command is similar to the vrfy command, except that in the case of a mailing list, it will show all the members of that list. The SMTP expn command causes sendmail to expand (show all the recipients) of an address. To illustrate the risk, consider that many sites have aliases that include all or a large segment of users. Such aliases often have easily guessed names, such as all, everyone, or staff. A probe of all, for example, might produce something like the following:
expn all
250-George Washington <george@wash.dc.gov>
250-Thomas Jefferson <tj@wash.dc.gov>
250-Ben Franklin <ben@here.us.edu>
250-Betsy Ross <msflag@ora.com>
250 John Q. Public <jqp@aol.com>
With well-designed passwords these full and login names can safely be given to the world at large. But if one user (say jqp) has a poorly designed password (such as jqpublic), your site's security can easily be compromised. [8] Note that not all uses of vrfy or expn represent probes. Some MUAs, [9] for example, routinely vrfy each recipient before sending a message.
[8] The fingerd(8) utility can also reveal login IDs.
[9] The GNU fingerd(8) daemon also uses vrfy to provide mailbox information.
SMTP vrfy and expn commands are individually logged in a form like one of the following:
Sep 22 11:40:43 yourhost sendmail[pid]: other.host: vrfy all
Sep 22 11:40:43 yourhost sendmail[pid]: [222.33.44.55]: vrfy all
Sep 22 11:40:43 yourhost sendmail[pid]: other.host: expn all
Sep 22 11:40:43 yourhost sendmail[pid]: [222.33.44.55]: expn all
This shows that someone from the outside (other.host in the first and third examples) attempted to probe for usernames in the mailing list named all. In the second and last examples the probing hostname could not be found, so the IP address is printed instead (in the square brackets). Note that this form of logging is enabled only if the LogLevel (L) option (see Section 34.8.33) is greater than 5. Pre-V8 versions of sendmail do not report SMTP vrfy or expn attempts at all. Some versions of sendmail (such as the HP_UX version) appear to verify but really only echo the address stated.
V8 sendmail allows vrfy and expn services to be selectively accepted or rejected on the basis of the setting of the PrivacyOptions (p) option (see Section 34.8.47, PrivacyOptions (p)).
For best security we recommend this setting:
O PrivacyOptions=goaway
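To make the two halves of the quoted chapter concrete (what a VRFY/EXPN reply tells the sender, and how a probe looks in the log), here is an added Python example. It is not code from the O'Reilly book or from this post. The SMTP reply transcripts and the log lines are constructed to match the shapes shown above; the exact 252 and 502 wording attributed to a goaway server, and the PID digits in the log lines, are assumptions.

```python
"""VRFY/EXPN probes: interpret sendmail's replies and spot probes in its log.
Added example, not code from the O'Reilly chapter or the blog post."""
import re
from collections import Counter

# ---- 1. what a VRFY/EXPN reply discloses ------------------------------------
# Constructed transcripts shaped like the chapter's examples.  The 252 and 502
# texts are what a goaway-configured sendmail is assumed to send.
REPLIES = {
    "vrfy george (open)": "250 George Washington\r\n",
    "vrfy foo (open)": "550 foo... User unknown\r\n",
    "expn all (open)": (
        "250-George Washington <george@wash.dc.gov>\r\n"
        "250-Thomas Jefferson <tj@wash.dc.gov>\r\n"
        "250-Ben Franklin <ben@here.us.edu>\r\n"
        "250-Betsy Ross <msflag@ora.com>\r\n"
        "250 John Q. Public <jqp@aol.com>\r\n"
    ),
    "vrfy george (goaway)": "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)\r\n",
    "expn all (goaway)": "502 5.7.0 Sorry, we do not allow this operation\r\n",
}
ADDR_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


def parse_reply(raw):
    """Split an SMTP reply (RFC 821 multiline form) into (code, [text lines]).
    Continuation lines are 'NNN-text', the final line 'NNN text'; every line
    must carry the same code, and the reply must end with a final line."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    code, texts = None, []
    for i, ln in enumerate(lines):
        if len(ln) < 3 or not ln[:3].isdigit():
            raise ValueError("bad reply line: %r" % ln)
        if code is None:
            code = int(ln[:3])
        elif int(ln[:3]) != code:
            raise ValueError("reply code changed mid-reply")
        sep, last = ln[3:4], i == len(lines) - 1
        if last and sep == "-":
            raise ValueError("reply truncated: last line is a continuation")
        if not last and sep != "-":
            raise ValueError("text after a final line")
        texts.append(ln[4:])
    return code, texts


def classify(code):
    """What the reply code tells the sender about the probed address."""
    if code == 250:
        return "disclosed"   # names / mailboxes returned
    if code == 252:
        return "withheld"    # server declines to say (goaway, F=q)
    if code == 550:
        return "unknown"     # confirms the address does NOT exist
    if code in (500, 502):
        return "disabled"    # command refused outright
    return "other"


def addresses_in(texts):
    """Mailbox addresses leaked by a 250 reply to VRFY/EXPN."""
    return [m.group(1) for t in texts for m in ADDR_RE.finditer(t)]


# ---- 2. spotting probes in the log ------------------------------------------
# Constructed lines in the format the chapter shows (LogLevel > 5), plus two
# unrelated lines that the matcher must ignore.
LOG = """\
Sep 22 11:40:43 yourhost sendmail[2341]: other.host: vrfy all
Sep 22 11:40:43 yourhost sendmail[2341]: [222.33.44.55]: vrfy all
Sep 22 11:40:44 yourhost sendmail[2342]: other.host: expn all
Sep 22 11:40:44 yourhost sendmail[2342]: [222.33.44.55]: expn all
Sep 22 11:40:45 yourhost sendmail[2343]: [222.33.44.55]: vrfy jqp
Sep 22 11:40:50 yourhost sendmail[2344]: kAM1Bo02344: from=<george@wash.dc.gov>, size=512
Sep 22 11:40:51 yourhost sshd[900]: Accepted publickey for george
"""
PROBE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<src>\S+): (?P<cmd>vrfy|expn) (?P<arg>\S+)$"
)
GUESSABLE = {"all", "everyone", "staff"}   # the list names the chapter cites


def find_probes(log_text):
    """One dict per VRFY/EXPN probe that sendmail logged."""
    probes = []
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["src_is_ip"] = d["src"].startswith("[") and d["src"].endswith("]")
        d["src"] = d["src"].strip("[]")          # unresolved clients log as [a.b.c.d]
        d["guessable_alias"] = d["arg"].lower() in GUESSABLE
        probes.append(d)
    return probes


def probe_report(probes):
    """Probe count per source, plus sources that expn'd a guessable list name."""
    per_source = Counter(p["src"] for p in probes)
    sweepers = sorted({p["src"] for p in probes if p["cmd"] == "expn" and p["guessable_alias"]})
    return per_source, sweepers


if __name__ == "__main__":
    for label, raw in REPLIES.items():
        code, texts = parse_reply(raw)
        print("%-22s -> %d %-9s %s" % (label, code, classify(code), addresses_in(texts)))
    print(probe_report(find_probes(LOG)))
```

Two points the chapter's examples imply but do not spell out: a 550 "User unknown" is itself a disclosure, because paired with 250 it lets a prober tell real names from guesses, which is why the F=q / 252 path and goaway matter; and since the log only records vrfy/expn at LogLevel above 5, the detection half is useless on a host logging at the default level.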
Nyantaro, respectfully!
Created Friday, 8 December 2006, 22:08:44 JST