none
Disabling ETRN and ATRN commands RRS feed

  • Question

  • Hello, Microsoft Group,

               We have a few vulnerabilities on our servers. We have a PCI audit coming up and they are asking to upgrade the SMTP server, or

    All modern SMTP servers reject the TURN command for security reasons. Upgrade to a newer SMTP server version. You should also disable the ETRN and ATRN commands unless you have a good reason for using them.

    The original SMTP specification described a "TURN" command that allows the roles of server and client to be reversed in a session. When a client issues the "TURN" command, the server "turns around" and sends any queued mail for that domain to the client, essentially treating the client as an SMTP server.

    The "TURN" command is obsolete and insecure. It specifies no authentication mechanism, allowing a single user from a domain to retrieve all queued mail for that domain (for all users). Modern SMTP servers reject the "TURN" command for these reasons. A replacement for "TURN" command, called "ETRN", has been Error! Hyperlink reference not valid.to rectify some of the security problems with "TURN". However, this proposal is not without its own security problems.

    how can i disable the ETRN and ATRN commands. please help me on this. Thanks.

     

    Friday, July 30, 2010 2:01 PM

Answers

All replies