
The SMTP service's SMTP greeting must not provide version information.


Overview

Finding ID: V-4384
Version: GEN004560
Rule ID: SV-63771r1_rule
IA Controls:
Severity: Low
Description
The version of the SMTP service can be used by attackers to plan an attack based on vulnerabilities present in the specific version.
STIG: Oracle Linux 5 Security Technical Implementation Guide
Date: 2020-02-25

Details

Check Text (C-52339r1_chk)
To check for the version of either sendmail or Postfix being displayed in the greeting:

# telnet localhost 25

If a version number is displayed, this is a finding.
Fix Text (F-54351r1_fix)
Ensure sendmail or Postfix has been configured to mask the version information.

Procedure
for sendmail:
Change the O SmtpGreetingMessage line in the /etc/mail/sendmail.cf file as noted below:
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
change it to:
O SmtpGreetingMessage= Mail Server Ready ; $b

for Postfix:
Examine the "smtpd_banner" line of /etc/postfix/main.cf and remove any "$mail_version" entry from it, or comment out the entire "smtpd_banner" line to use the default value, which does not display the version information.
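
The fix procedure above can also be verified from the configuration files rather than from the live greeting. The following is an added example, not part of the STIG text: the function names sendmail_greeting_leaks and postfix_banner_leaks are hypothetical, the sample files are constructed, and on a real host the functions would be pointed at /etc/mail/sendmail.cf and the Postfix main configuration file.

```shell
#!/bin/sh
# Added example: config-side audit for GEN004560. File paths are arguments,
# so the same functions work on constructed samples and on a real host.

# 0 = greeting exposes $v (sendmail version) or $Z (config file version),
# 1 = greeting is masked, 2 = option not set in this file (check the live
# greeting instead, since the built-in default then applies).
sendmail_greeting_leaks() {
    line=$(grep -E '^O[[:space:]]+SmtpGreetingMessage=' "$1" | tail -n 1)
    [ -n "$line" ] || return 2
    printf '%s\n' "$line" | grep -Eq '\$(v|Z)'
}

# 0 = active smtpd_banner references mail_version ($name, ${name} or
# $(name) form), 1 = it does not. A missing or commented-out line means the
# default banner, which the guidance above treats as compliant.
# Limitation: continuation lines are not joined.
postfix_banner_leaks() {
    line=$(grep -E '^smtpd_banner[[:space:]]*=' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | grep -Eq '\$[{(]?mail_version'
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'O SmtpGreetingMessage=$j Sendmail $v/$Z; $b' > "$demo/sendmail.bad"
printf '%s\n' 'O SmtpGreetingMessage= Mail Server Ready ; $b' > "$demo/sendmail.ok"
printf '%s\n' 'smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)' > "$demo/postfix.bad"
printf '%s\n' '#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)' > "$demo/postfix.ok"

for f in "$demo"/sendmail.*; do
    if sendmail_greeting_leaks "$f"; then echo "FINDING  $f"; else echo "ok       $f"; fi
done
for f in "$demo"/postfix.*; do
    if postfix_banner_leaks "$f"; then echo "FINDING  $f"; else echo "ok       $f"; fi
done
```

A clean result from these checks only covers the files inspected; the telnet check in the Check Text remains the confirmation that the running service presents the masked greeting.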