Exchange Server 2007 VRFY

  • Question

  • Does anyone know how to completely disable VRFY in exchange server 2007?

    We've had an audit from a security firm and this (although it isn't, in fact, a problem, I know) is showing up as a breach

    I just wondered if I could simply disable VRFY before I ring up and start shouting the odds with them?

    Thanks
    August 7, 2009 10:14

Answers

  • I guess it is disabled by default in Exchange since 2000/2003, isn't it?

    Do telnet to your Exchange 2007 server on port 25 and check...
    telnet Exchange2007ServerName 25
    vrfy *
    vrfy username@exchangedomain.com

    You will get below result...
    252 2.1.5 Cannot VRFY user

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    • Proposed as answer by Amit Tank, August 7, 2009 17:29
    • Marked as answer by Amit Tank, August 16, 2009 13:07
    August 7, 2009 17:29
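A scripted version of the telnet check above, added here as an example and not part of the original thread. It speaks SMTP over a socket, sends EHLO, then VRFY * and VRFY on a mailbox, and classifies the reply codes the way a pentester validating an audit finding would (250/251 means the server confirmed the address, 252 means it declined to verify). A small constructed fake server that answers "252 2.1.5 Cannot VRFY user", as the thread reports Exchange 2007 does, is bundled so the script runs offline. The hostname mail.example.com, the greeting banner, the EHLO keyword list (including a VRFY keyword, to show what a generic scanner keys on) and the mailbox address are all made up for the demo, not captured from a real Exchange server; to check a real server, call probe_vrfy() against your own Hub Transport or Edge server on port 25.

```python
"""Automated version of the manual "telnet <server> 25 / VRFY" check.

Added example, not from the original thread. A constructed fake server answers
VRFY with "252 2.1.5 Cannot VRFY user" (what the thread reports for Exchange
2007) so the demo runs offline; probe_vrfy() works against any real host too.
"""
import socket
import threading

CRLF = b"\r\n"


def read_reply(rfile):
    """Read one SMTP reply (single or multi-line); return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        # Continuation lines look like "250-SIZE 10485760"; the last line of a
        # reply has a space (or nothing) after the three-digit code.
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), lines


def classify(code):
    """Map a VRFY reply code to what it means for user enumeration."""
    if code in (250, 251):
        return "VERIFIED"         # address confirmed: enumeration works
    if code == 252:
        return "CANNOT_VERIFY"    # RFC 5321: server will not verify, nothing leaked
    if code in (500, 502):
        return "NOT_IMPLEMENTED"  # verb rejected outright
    if code in (550, 551, 553):
        return "REJECTED"         # still an oracle if valid users get another code
    return "OTHER"


def probe_vrfy(host, port, targets, helo="probe.example"):
    """EHLO, then VRFY each target. Returns (vrfy_in_ehlo, {target: (code, verdict, last_line)})."""
    results = {}
    with socket.create_connection((host, port), timeout=10) as s:
        rfile = s.makefile("rb")
        code, _ = read_reply(rfile)
        if code != 220:
            raise RuntimeError("unexpected greeting code %d" % code)
        s.sendall(b"EHLO " + helo.encode("ascii") + CRLF)
        code, ehlo_lines = read_reply(rfile)
        # A generic scanner flags VRFY if the keyword shows up here; the verdict
        # on the actual VRFY reply below is what matters.
        keywords = [l[4:].split()[0].upper() for l in ehlo_lines[1:] if l[4:].split()]
        vrfy_in_ehlo = "VRFY" in keywords
        for target in targets:
            s.sendall(b"VRFY " + target.encode("ascii") + CRLF)
            code, lines = read_reply(rfile)
            results[target] = (code, classify(code), lines[-1])
        s.sendall(b"QUIT" + CRLF)
        read_reply(rfile)
        rfile.close()
    return vrfy_in_ehlo, results


def fake_exchange_handler(conn):
    """Constructed stand-in for an Exchange 2007 receive connector (banner and
    EHLO keywords are made up for the demo); VRFY always gets 252."""
    rfile = conn.makefile("rb")
    conn.sendall(b"220 mail.example.com Microsoft ESMTP MAIL Service ready" + CRLF)
    for raw in rfile:
        parts = raw.decode("ascii", "replace").split()
        verb = parts[0].upper() if parts else ""
        if verb == "EHLO":
            conn.sendall(b"250-mail.example.com Hello" + CRLF
                         + b"250-SIZE 10485760" + CRLF
                         + b"250-ENHANCEDSTATUSCODES" + CRLF
                         + b"250-VRFY" + CRLF          # the keyword a scanner keys on
                         + b"250 8BITMIME" + CRLF)
        elif verb == "VRFY":
            conn.sendall(b"252 2.1.5 Cannot VRFY user" + CRLF)
        elif verb == "QUIT":
            conn.sendall(b"221 2.0.0 Service closing transmission channel" + CRLF)
            break
        else:
            conn.sendall(b"500 5.3.3 Unrecognized command" + CRLF)
    rfile.close()


def start_fake_server():
    """Listen on an ephemeral localhost port and serve one connection in a thread."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def run():
        conn, _ = lsock.accept()
        with conn:
            fake_exchange_handler(conn)
        lsock.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return lsock.getsockname()[1], t


def demo():
    """Probe the constructed server; returns (vrfy_in_ehlo, results)."""
    port, t = start_fake_server()
    out = probe_vrfy("127.0.0.1", port, ["*", "username@exchangedomain.com"])
    t.join(5)
    return out


if __name__ == "__main__":
    advertised, res = demo()
    print("VRFY listed in EHLO:", advertised)
    for target, (code, verdict, line) in res.items():
        print("VRFY %-30s -> %s  (%s)" % (target, line, verdict))
```

The useful distinction for the audit report is the one between the EHLO keyword list and the actual VRFY reply: a 252 on both the wildcard and a real mailbox means the server gives the same non-answer whether or not the user exists, which is exactly the false positive the replies below describe.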
  • Microsoft does not enable VRFY in any version of Exchange after E2K that I am aware of. Like MANY things in a security consultant's report, tell them this is a false positive. Security consultants often just do very generic scans and report findings such as the VRFY command showing up when their scanner does an EHLO to the Exchange server. They don't bother to investigate that this is an Exchange server and that the verb really does not do anything.

    Jim McBee - Blog - http://mostlyexchange.blogspot.com
    • Marked as answer by Amit Tank, August 16, 2009 13:07
    August 7, 2009 18:48
  • Hi,

    Based on my research, it is hard coded in Exchange 2007 not to support the VRFY command.

    Just like Amit said, it will actually respond back with internal static readonly SmtpResponse UnableToVrfyUser = new SmtpResponse("252", "2.1.5", "Cannot VRFY user");

    Regards,

    Xiu

    • Proposed as answer by Xiu Zhang, August 10, 2009 8:56
    • Marked as answer by Amit Tank, August 16, 2009 13:07
    August 10, 2009 8:56

All replies

  • VRFY is one of the basic SMTP commands. It is used to verify the existence of a user on an SMTP e-mail server. If a wildcard is used in the VRFY command (i.e. VRFY *), a remote server would return the complete list of users. This should be disabled or remote attackers could exploit this command to gather information about users for future attacks.


    What is your OS version?
    Vinod |CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|
    August 7, 2009 12:53
  • Microsoft does not enable VRFY in any version of Exchange after E2K that I am aware of. Like MANY things in a security consultant's report, tell them this is a false positive. Security consultants often just do very generic scans and report findings such as the VRFY command showing up when their scanner does an EHLO to the Exchange server. They don't bother to investigate that this is an Exchange server and that the verb really does not do anything.

    Jim McBee - Blog - http://mostlyexchange.blogspot.com


    I agree with the false-positives thing, Jim. It's these types of checklist auditors that give other security consultants a bad name. If a vulnerability is worth noting on a report (especially if it's listed as a "breach") then it's probably worth validating.
    August 20, 2009 13:26