PCI issue

Discussion regarding the Standard version.
jacobc
Posts: 2
Joined: Thu Sep 12, 2019 10:56 am

PCI issue

Post by jacobc » Thu Sep 12, 2019 10:58 am

Hi,

We have a PCI scan failing on a server running MailEnable Standard edition. Can anyone suggest how we can resolve this issue?

THREAT:
It is possible to enumerate the names of valid users on the remote host.

IMPACT:
The remote SMTP server answers to the EXPN and/or VRFY commands.
The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account.
Your mailer should not allow remote users to use any of these commands, because it gives them too much information.

Here is a trace of the SMTP traffic that demonstrates the issue :
220 xxxxxxxxxxxxxxxxxxxxxx ESMTP MailEnable Service, Version: 10.26-- ready at 09/10/19 12:18:53
HELO example.com
250 Requested mail action okay, completed
VRFY root
550 String does not match anything.

Thanks

Jacob

MailEnable-Ian
Site Admin
Posts: 9144
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: PCI issue

Post by MailEnable-Ian » Thu Sep 12, 2019 11:56 pm

Hi,

Please review the following documentation page and disable the VRFY and EXPN extensions in the SMTP properties.

https://www.mailenable.com/documentation/10.0/Standard/Advanced%20SMTP.html

Regards,

Ian Margarone
MailEnable Support
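
An added example, not part of the thread and not MailEnable code: a re-check an administrator can run after disabling VRFY and EXPN, to confirm the change before requesting a rescan. The function names, the HELO name and the grouping of reply codes (taken from RFC 5321) are assumptions made here; the thread does not say which reply MailEnable sends once the extensions are disabled.

```python
import smtplib

# RFC 5321 reply codes. REVEALING codes confirm or deny a mailbox, which is
# what the scanner flags; NON_REVEALING codes refuse to answer either way.
REVEALING = {250, 251, 550, 551, 553}
NON_REVEALING = {252, 500, 502}

def classify(code):
    """Map one VRFY/EXPN reply code to 'exposed', 'disabled' or 'unknown'."""
    if code in REVEALING:
        return "exposed"
    if code in NON_REVEALING:
        return "disabled"
    return "unknown"

def audit_transcript(text):
    """Pair each VRFY/EXPN command in a captured session with its verdict."""
    results, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        verb = line[:4].upper()
        if verb in ("VRFY", "EXPN"):
            pending = verb
        elif pending and line[:3].isdigit():
            if line[3:4] == "-":  # multiline reply: wait for the final line
                continue
            results.append((pending, int(line[:3]), classify(int(line[:3]))))
            pending = None
    return results

def audit_server(host, port=25, probe="root"):
    """Repeat the scanner's check against a server you administer."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.helo("pci-recheck.example")  # constructed HELO name
        out = []
        for verb in ("VRFY", "EXPN"):
            code, _ = smtp.docmd(verb, probe)
            out.append((verb, code, classify(code)))
        return out

# The trace from the scan report above, banner redacted as in the post.
SCAN_TRACE = """220 xxxxxxxxxxxxxxxxxxxxxx ESMTP MailEnable Service, Version: 10.26-- ready at 09/10/19 12:18:53
HELO example.com
250 Requested mail action okay, completed
VRFY root
550 String does not match anything.
"""
if __name__ == "__main__":
    print(audit_transcript(SCAN_TRACE))
```

`audit_server("mail.example.com")` (a placeholder host name) should report `disabled` for both verbs once the SMTP properties have been changed; `unknown` means the reply needs to be read by hand.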
