Question regarding VRFY


Question regarding VRFY

J Doe
Hi,

I read in both the Postfix man file (man 5 postconf), and the SMTP RFC (5321), that VRFY can be disabled on a site-by-site basis.

I disabled this on my server for port 25 but am wondering if I should leave this enabled on my Postfix instance that provides submission (587)? I have confirmed that by editing main.cf and master.cf it is only available on submission and requires SASL authentication before working.

Are there modern MUAs that authenticated users may use that make use of VRFY (perhaps by checking e-mail address validity before sending, while the message body is still being composed), or am I better off leaving it disabled everywhere?

Thanks,

- J

Re: Question regarding VRFY

John Fawcett
On 27/02/18 20:36, J Doe wrote:

> Hi,
>
> I read in both the Postfix man file (man 5 postconf), and the SMTP RFC (5321), that VRFY can be disabled on a site-by-site basis.
>
> I disabled this on my server for port 25 but am wondering if I should leave this enabled on my Postfix instance that provides submission (587)? I have confirmed that by editing main.cf and master.cf it is only available on submission and requires SASL authentication before working.
>
> Are there modern MUAs that authenticated users may use that make use of VRFY (perhaps by checking e-mail address validity before sending, while the message body is still being composed), or am I better off leaving it disabled everywhere?
>
> Thanks,
>
> - J

I can't think of a compelling reason either to enable VRFY or to disable
it. Disabling it stops people abusing it, but then they can just use
RCPT TO to get the same information in most cases. I disabled it since I
can't see any use for it.

John

Re: Question regarding VRFY

J Doe
Hi John,

> On Feb 27, 2018, at 3:25 PM, John Fawcett <[hidden email]> wrote:
> I can't think of a compelling reason either to enable VRFY or to disable
> it. Disabling it stops people abusing it, but then they can just use
> RCPT TO to get the same information in most cases. I disabled it since I
> can't see any use for it.
>
> John

That is a valid point - I believe the VRFY RFC observed the same thing: that RCPT TO can be used in a similar fashion.

Performing an EHLO to both Gmail and Hotmail/Outlook shows that they both disable it, which I would expect, but do they implement a policy where a certain number of invalid RCPT TO commands causes the connection to terminate?

I know there is a setting for the number of “junk commands” received in Postfix, but that is different. Is there a method via main.cf for restricting RCPT TO abuse?

Thanks,

- J

Re: Question regarding VRFY

John Fawcett
On 01/03/18 05:09, J Doe wrote:

> Hi John,
>
>> On Feb 27, 2018, at 3:25 PM, John Fawcett <[hidden email]> wrote:
>> I can't think of a compelling reason either to enable VRFY or to disable
>> it. Disabling it stops people abusing it, but then they can just use
>> RCPT TO to get the same information in most cases. I disabled it since I
>> can't see any use for it.
>>
>> John
> That is a valid point - I believe the VRFY RFC observed the same thing: that RCPT TO can be used in a similar fashion.
>
> Performing an EHLO to both Gmail and Hotmail/Outlook shows that they both disable it, which I would expect, but do they implement a policy where a certain number of invalid RCPT TO commands causes the connection to terminate?
>
> I know there is a setting for the number of “junk commands” received in Postfix, but that is different. Is there a method via main.cf for restricting RCPT TO abuse?
>
> Thanks,
>
> - J

These settings control the behaviour of the smtpd server for the number of
errors (including RCPT TO errors)

    smtpd_soft_error_limit

    smtpd_error_sleep_time

    smtpd_hard_error_limit 

The following setting controls how many RCPT TO commands can be sent per
unit of time

    smtpd_client_recipient_rate_limit

In general you will only be able to slow down recipient verification,
not prevent it. Nowadays I don't believe that address verification abuse
is a significant problem.

John
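
A main.cf/master.cf fragment, added here as an illustration and not taken from any poster's configuration, that ties the two halves of the thread together: VRFY refused on port 25 but allowed on authenticated submission (as J Doe describes), plus the error-limit and recipient-rate settings named above. The numeric values are illustrative assumptions; the Postfix defaults are noted in the comments.

```ini
# ---- main.cf (added example, not from the thread) ----

# Refuse the VRFY command on every smtpd service unless overridden
# (Postfix default: no, i.e. VRFY is answered).
disable_vrfy_command = yes

# Every protocol error, including an RCPT TO for an unknown user, counts
# toward these limits.  After smtpd_soft_error_limit errors each reply is
# delayed by smtpd_error_sleep_time; at smtpd_hard_error_limit the session
# is dropped.  Defaults: 10, 1s and 20 (the hard limit falls to 1 while the
# server is under overload "stress" in recent releases).
# The values below are illustrative only.
smtpd_soft_error_limit = 5
smtpd_error_sleep_time = 5s
smtpd_hard_error_limit = 10

# Maximum number of RCPT TO commands one client may send per
# anvil_rate_time_unit (default 0 = no limit; anvil unit default 60s).
smtpd_client_recipient_rate_limit = 100
anvil_rate_time_unit = 60s

# Clients exempt from the per-client rate limits (default: $mynetworks).
smtpd_client_event_limit_exceptions = $mynetworks

# ---- master.cf (added example) ----
# The submission service re-enables VRFY, but only SASL-authenticated
# clients get past the client restrictions; the -o overrides apply to this
# service alone, so port 25 keeps the main.cf values above.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o disable_vrfy_command=no
```

After editing, `postconf -n` shows the effective main.cf values and `postconf -Mf submission/inet` shows the per-service overrides, so you can confirm VRFY is off everywhere except submission.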


Re: Question regarding VRFY

mrobti
On 2018-03-01 08:14, John Fawcett wrote:

> On 01/03/18 05:09, J Doe wrote:
>> Hi John,
>>
>>> On Feb 27, 2018, at 3:25 PM, John Fawcett <[hidden email]>
>>> wrote:
>>> I can't think of a compelling reason either to enable VRFY or to
>>> disable
>>> it. Disabling it stops people abusing it, but then they can just use
>>> RCPT TO to get the same information in most cases. I disabled it
>>> since I
>>> can't see any use for it.
>>>
>>> John
>> That is a valid point - I believe the VRFY RFC observed the same
>> thing: that RCPT TO can be used in a similar fashion.
>>
>> Performing an EHLO to both Gmail and Hotmail/Outlook shows that they
>> both disable it, which I would expect, but do they implement a policy
>> where a certain number of invalid RCPT TO commands causes the connection to
>> terminate?
>>
>> I know there is a setting for the number of “junk commands” received
>> in Postfix, but that is different. Is there a method via main.cf for
>> restricting RCPT TO abuse?
>>
>> Thanks,
>>
>> - J
>
> These settings control the behaviour of the smtpd server for the number of
> errors (including RCPT TO errors)
>
>     smtpd_soft_error_limit
>
>     smtpd_error_sleep_time
>
>     smtpd_hard_error_limit
>
> The following setting controls how many RCPT TO commands can be sent
> per
> unit of time
>
>     smtpd_client_recipient_rate_limit

Are there any recommendations or guidelines on how to set values for that
family of settings? They are all turned off by default, as you see here:
http://www.postfix.org/TUNING_README.html#conn_limit