Dear community,
First off, I would like to say I like Mail-in-a-Box; it is easy to configure, manage, and use!
However, I was doing some security checks using OpenVAS on my unmodified Mail-in-a-Box test setup (version 0.6, if I am not mistaken; Ubuntu also fully updated today).
However, OpenVAS notified me of the following vulnerability/misconfiguration:
Summary
The Mailserver on this host answers to VRFY and/or EXPN requests. VRFY and EXPN ask the server for information about an address. They are inherently unusable through firewalls, gateways, mail exchangers for part-time hosts, etc. OpenVAS suggests that, if you really want to publish this type of information, you use a mechanism that legitimate users actually know about, such as Finger or HTTP.
Luckily, OpenVAS also comes up with a solution:
Disable VRFY and/or EXPN on your Mailserver. For Postfix add 'disable_vrfy_command=yes' in 'main.cf'. For Sendmail add the option 'O PrivacyOptions=goaway'.
I know how to edit the config file, so for me this is not a big problem; however, to stay in the realm of keeping your data (and email addresses) private, it might be an idea to turn it off by default and/or give people the option to disable it through the web admin panel.
I'd like to hear what you guys think. I think Mail-in-a-Box is a great project no matter what.
Regards, Sjaak
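The fix the post quotes is a single Postfix setting. The script below is an added example (not code from the original post or from the Mail-in-a-Box project) showing how to apply `disable_vrfy_command = yes` idempotently to a `main.cf`-style file and read the effective value back, so the change can be scripted and verified rather than hand-edited. The `main.cf` contents it works on are a constructed sample written to a temporary directory; the function names `set_postfix_option` and `get_postfix_option` are this example's own. Postfix takes the last assignment of a key in `main.cf`, so the reader does the same.

```shell
#!/bin/sh
# Added example, not part of the original post or of Mail-in-a-Box.
# Idempotently set a key in a Postfix main.cf-style file ("key = value"
# or "key=value") and read the effective value back.

# Usage: set_postfix_option FILE KEY VALUE
# Replaces an existing assignment of KEY, or appends one if none exists.
set_postfix_option() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        # Rewrite every existing assignment so only one value remains.
        sed -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Usage: get_postfix_option FILE KEY
# Prints the value of KEY; the last assignment wins, as Postfix itself does.
get_postfix_option() {
    file=$1; key=$2
    sed -nE "s|^[[:space:]]*${key}[[:space:]]*=[[:space:]]*(.*)|\1|p" "$file" | tail -n 1
}

# Constructed sample main.cf (not a real Mail-in-a-Box file) so the demo runs offline.
DEMO_DIR=$(mktemp -d)
DEMO_CF="$DEMO_DIR/main.cf"
cat > "$DEMO_CF" <<'EOF'
# constructed sample main.cf
myhostname = box.example.com
smtpd_banner = $myhostname ESMTP
disable_vrfy_command = no
EOF

# Harden the sample: VRFY is the only one of the two commands Postfix
# implements (it answers EXPN with a 502 regardless), so this setting
# addresses the OpenVAS finding for Postfix.
set_postfix_option "$DEMO_CF" disable_vrfy_command yes
get_postfix_option "$DEMO_CF" disable_vrfy_command   # prints: yes
```

On a live box the equivalent is `postconf -e 'disable_vrfy_command = yes'` followed by `postfix reload`; afterwards `postconf disable_vrfy_command` should report `yes`, and a VRFY sent to port 25 gets a 502 reply instead of address information. Re-running the OpenVAS check against the box is the confirmation that the finding is gone.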