
The SMTP service must not have the VRFY feature active.


Overview

Finding ID: V-4693
Version: GEN004680
Rule ID: SV-4693r2_rule
IA Controls: ECSC-1
Severity: Low
Description
The VRFY (Verify) command allows an attacker to determine if an account exists on a system, providing significant assistance to a brute-force attack on user accounts. VRFY may provide additional information about users on the system, such as the full names of account owners.
STIG: SOLARIS 9 X86 SECURITY TECHNICAL IMPLEMENTATION GUIDE
Date: 2015-10-01

Details

Check Text (C-705r2_chk)
Determine if VRFY is disabled.

Procedure:
# telnet localhost 25
vrfy root

If the command does not return a 500 error code (command unrecognized), this is a finding.

OR

Locate the sendmail.cf configuration file.

Procedure:
# find / -name sendmail.cf -print
# grep -v "^#" /etc/sendmail.cf | grep -iE "(goaway|vrfy)"

(Use the path returned by the find command in place of /etc/sendmail.cf. The first grep drops comment lines; the second needs -E for the alternation to work.)

Verify the VRFY command is disabled with an entry in the sendmail.cf file that reads as one of the following:

Opnovrfy
O PrivacyOptions=novrfy
Opgoaway
O PrivacyOptions=goaway

(Other privacy options, such as noexpn or noetrn, may be included in the same line, separated by commas. The goaway option encompasses a number of privacy options, including novrfy.) If the VRFY command is not disabled, this is a finding.
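As an added example (not part of the STIG text), the following POSIX sh function applies the sendmail.cf half of this check to a file: it ignores comment lines, accepts both the old "Opnovrfy"/"Opgoaway" syntax and the "O PrivacyOptions=..." list syntax, and succeeds only when novrfy or goaway is one of the comma-separated options. The three configuration files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# vrfy_disabled FILE
#   exit 0 -> VRFY disabled (novrfy or goaway present), not a finding
#   exit 1 -> VRFY not disabled, a finding
#   exit 2 -> file not readable
vrfy_disabled() {
    [ -r "$1" ] || return 2
    # 1. drop comment lines
    # 2. keep only the privacy option value, in either syntax
    # 3. split the comma-separated list, one option per line, strip blanks
    # 4. succeed if novrfy or goaway is one of the options
    grep -v '^#' "$1" \
      | sed -n -e 's/^Op//p' -e 's/^O[[:space:]]*PrivacyOptions[[:space:]]*=//p' \
      | tr ',' '\n' \
      | sed 's/[[:space:]]//g' \
      | grep -qiE '^(novrfy|goaway)$'
}

# Report a file in the STIG's terms.
report() {
    if vrfy_disabled "$1"; then
        echo "$1: VRFY disabled, not a finding"
    else
        echo "$1: VRFY not disabled, FINDING"
    fi
}

# Constructed sample configurations (not taken from any real host).
tmp=$(mktemp -d)
printf '# novrfy mentioned only in a comment\nO PrivacyOptions=authwarnings\n' > "$tmp/weak.cf"
printf 'O PrivacyOptions=authwarnings, noexpn, novrfy\n' > "$tmp/novrfy.cf"
printf 'Opgoaway\n' > "$tmp/goaway.cf"

report "$tmp/weak.cf"
report "$tmp/novrfy.cf"
report "$tmp/goaway.cf"
rm -rf "$tmp"
```

Run it against the file returned by find to get the same verdict the manual grep gives; the SMTP probe on port 25 remains the authoritative test of the running service.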
Fix Text (F-4621r2_fix)
If Sendmail is running, add the line Opnovrfy to the Sendmail configuration file, usually located in /etc/sendmail.cf. For other mail servers, contact the vendor for information on how to disable the verify command. Newer versions of Sendmail are available at http://www.sendmail.org or from ftp://ftp.cs.berkeley.edu/ucb/sendmail.