
VRFY defaults to on--why?

  • Stan Hoeppner
    Message 1 of 7 , Jan 29, 2010
      Hey Wietse,

      Someone was wondering on spam-l why Postfix defaults smtpd VRFY to ON instead of
      OFF. Their theory being that the default of ON makes it easier for spammers to
      harvest addresses.

      Most people shut it off (including me). Then spammers go to RCPT TO checking,
      so IMO it makes little difference. Just wanted your position on this so I can
      post an official response to spam-l. I don't want Postfix (or you) getting any
      kind of ill-deserved reputation due to VRFY defaulting to on. Minor issue,
      silly yes, but apparently important to some.

      So, what do I tell them? Has this already been answered long ago? Link?

      Thanks.

      --
      Stan
    • Wietse Venema
      Message 2 of 7 , Jan 29, 2010
        Stan Hoeppner:
        > Hey Wietse,
        >
        > Someone was wondering on spam-l why Postfix defaults smtpd VRFY
        > to ON instead of OFF. Their theory being that the default of ON
        > makes it easier for spammers to harvest addresses.

        Postfix implements the SMTP protocol according to the RFCs that
        describe the protocol. If someone believes that Postfix default
        settings do not follow the recommendations of the protocol, then
        they can point out the discrepancy and report a bug on the
        postfix-users mailinglist.

        There is no evidence that VRFY makes the spammer's job easier. In
        fact, VRFY responses in Postfix disclose no more information than
        is already available with RCPT TO responses.

        Wietse
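Stan's point that harvesting simply moves to RCPT TO probing once VRFY is off, and Wietse's that RCPT TO responses already disclose the same information, suggest watching the RCPT TO rejects rather than the VRFY switch. The following is an added example, not code from the thread or from Postfix: a small Python parser over constructed Postfix smtpd log lines (the client addresses, hostnames and recipients are all made up, and the threshold is an assumption) that counts the distinct unknown recipients each client probed and flags clients above the threshold.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Postfix smtpd logging; they are
# not from the thread, and the addresses use documentation ranges only.
SAMPLE_LOG = """\
Jan 31 12:20:01 mx postfix/smtpd[4242]: connect from unknown[192.0.2.10]
Jan 31 12:20:02 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<aaron@example.com> proto=ESMTP helo=<probe>
Jan 31 12:20:02 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<abby@example.com> proto=ESMTP helo=<probe>
Jan 31 12:20:03 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<adam@example.com> proto=ESMTP helo=<probe>
Jan 31 12:20:03 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<aaron@example.com> proto=ESMTP helo=<probe>
Jan 31 12:25:40 mx postfix/smtpd[4250]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <typo@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.org> to=<typo@example.com> proto=ESMTP helo=<mail.example.org>
"""

# Matches a Postfix "User unknown" RCPT TO rejection and captures the
# client IP (inside the square brackets) and the probed recipient.
REJECT_RE = re.compile(
    r"reject: RCPT from \S+?\[(?P<ip>[^\]]+)\]: 550 [0-9.]+ "
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)


def unknown_recipients_by_client(log_text):
    """Map each client IP to the set of distinct non-existent addresses it tried."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:  # lines that are not unknown-recipient rejects are ignored
            probes[m.group("ip")].add(m.group("rcpt"))
    return probes


def flag_harvesters(probes, threshold=3):
    """Return client IPs that probed at least `threshold` distinct unknown addresses.

    A single typo from a legitimate sender stays below the (assumed) threshold;
    a client walking through a dictionary of names does not.
    """
    return sorted(ip for ip, rcpts in probes.items() if len(rcpts) >= threshold)


if __name__ == "__main__":
    probes = unknown_recipients_by_client(SAMPLE_LOG)
    for ip in flag_harvesters(probes):
        print(f"{ip}: {len(probes[ip])} distinct unknown recipients")
```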
      • LuKreme
        Message 3 of 7 , Jan 31, 2010
          On 29-Jan-2010, at 18:20, Stan Hoeppner wrote:

          > Their theory being that the default of ON makes it easier for spammers to
          > harvest addresses.

          That's a pretty stupid theory though.

          --
          "I don't care if Bill Gates is the world's biggest philanthropist.
          The pain he has inflicted on the world in the past 20 years
          through lousy products easily outweighs any good he has
          done.... Apple is as arrogant as Microsoft but at least its
          stuff works as advertised" -- Graem Philipson
        • Jacqui Caren-home
          Message 4 of 7 , Jan 31, 2010
            LuKreme wrote:
            > On 29-Jan-2010, at 18:20, Stan Hoeppner wrote:
            >
            >> Their theory being that the default of ON makes it easier for spammers to
            >> harvest addresses.
            >
            > That's a pretty stupid theory though.

            I recommend joining the spam-l list and joining the discussion there.
            It was noted that the RFCs mention VRFY as a feature but do not state that
            it has to be enabled or disabled by default.

            I collect deliverability metrics and as part of this track (netcraft style)
            enabled features including who has VRFY enabled - let's just say very very few
            people have it enabled...

            Jacqu
          • Wietse Venema
            Message 5 of 7 , Jan 31, 2010
              Jacqui Caren-home:
              > It was noted that the RFCs mention VRFY as a feature but do not state that
              > it has to be enabled or disabled by default.

              Citing RFC 2821:

              Server implementations SHOULD support both VRFY and EXPN. For
              security reasons, implementations MAY provide local installations a
              way to disable either or both of these commands through configuration
              options or the equivalent.

              Citing RFC 5321:

              Server implementations SHOULD support both VRFY and EXPN. For
              security reasons, implementations MAY provide local installations a
              way to disable either or both of these commands through configuration
              options or the equivalent (see Section 7.3).

              A server SHOULD implement VRFY and EXPN, the OFF switch is optional,
              therefore the default is as if the OFF switch does not exist. People
              who read this RFC otherwise should become politicians.

              Wietse
            • LuKreme
              Message 6 of 7 , Jan 31, 2010
                On 31-Jan-2010, at 12:21, Wietse Venema wrote:
                >
                > Server implementations SHOULD support both VRFY and EXPN. For
                > security reasons, implementations MAY provide local installations a
                > way to disable either or both of these commands through configuration
                > options or the equivalent.

                And SHOULD is well-defined in RFC 2119

                SHOULD This word, or the adjective "RECOMMENDED", mean that there
                may exist valid reasons in particular circumstances to ignore a
                particular item, but the full implications must be understood and
                carefully weighed before choosing a different course.

                --
                The real world was far too real to leave neat little hints. It was full of too many things. It wasn't by eliminating the impossible that you got at the truth, however improbable; it was by the much harder process of eliminating the possibilities. --Feet of Clay
              • Stan Hoeppner
                Message 7 of 7 , Jan 31, 2010
                  Jacqui Caren-home put forth on 1/31/2010 12:47 PM:

                  > I recommend joining the spam-l list and joining the discussion there.

                  I recommend against this. The topic is dead there now. One poster there
                  questioned why Wietse enabled it by default. I merely asked here so I could
                  post an official answer to spam-l. In hindsight, maybe I should have emailed
                  Wietse directly. My apologies if I've started a useless debate here. This
                  topic has been beaten to death in many fora over the years. No need to rehash
                  it again really.

                  --
                  Stan