The SMTP service must not have the VRFY feature active.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-4693	GEN004680	SV-35083r1_rule	ECSC-1	Low

Description
The VRFY (Verify) command allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. VRFY may provide additional information about users on the system, such as the full names of account owners.

STIG	Date
HP-UX 11.31 Security Technical Implementation Guide	2017-01-27

Details

Check Text ( None )
None

Fix Text (F-31944r1_fix)
If running Sendmail, add the line Opnovrfy to the Sendmail configuration file, usually located in /etc/mail/sendmail.cf. For other mail servers, contact the vendor for information on how to disable the verify command. Newer versions of Sendmail are available at http://www.sendmail.org or from ftp://ftp.cs.berkeley.edu/ucb/sendmail. Edit the /etc/mail/sendmail.cf file and add or edit (one of) the following line(s): O PrivacyOptions=novrfy O PrivacyOptions=goaway Then restart the Sendmail service.

Fix Text (F-31944r1_fix)

If running Sendmail, add the line Opnovrfy to the Sendmail configuration file, usually located in /etc/mail/sendmail.cf. For other mail servers, contact the vendor for information on how to disable the verify command. Newer versions of Sendmail are available at http://www.sendmail.org or from ftp://ftp.cs.berkeley.edu/ucb/sendmail.

Edit the /etc/mail/sendmail.cf file and add or edit (one of) the following line(s):
O PrivacyOptions=novrfy
O PrivacyOptions=goaway

Then restart the Sendmail service.