Create option to disable VRFY and EXPN SMTP commands

Dear community,

First off I would like to say I like Mail-in-a-Box; it is easy to configure, manage, and use!

However, I was doing some security checks using OpenVAS on my unmodified Mail-in-a-Box test setup (version 0.6, if I am not mistaken; Ubuntu also fully updated today).

OpenVAS notified me of the following vulnerability/misconfiguration:

Summary
The Mailserver on this host answers to VRFY and/or EXPN requests. VRFY and EXPN ask the server for information about an address. They are inherently unusable through firewalls, gateways, mail exchangers for part-time hosts, etc. OpenVAS suggests that, if you really want to publish this type of information, you use a mechanism that legitimate users actually know about, such as Finger or HTTP.

Luckily, OpenVAS also comes up with a solution:

Disable VRFY and/or EXPN on your Mailserver. For postfix add ‘disable_vrfy_command=yes’ in ‘main.cf’. For Sendmail add the option ‘O PrivacyOptions=goaway’.

I know how to edit the config file, so for me this is not a big problem. However, to stay in the realm of keeping your data (and email addresses) private, it might be an idea to turn it off by default and/or give people the option to disable it through the webadmin panel.

I'd like to hear what you guys think. I think Mail-in-a-Box is a great project no matter what.

Regards, Sjaak


We can turn it off for everyone. Feel free to submit a pull request on github.

@sjaak if you do so (opening a PR on github) could you please add the helo requirement option too?

See smtpd_helo_required and All About SPAM

Thanks!
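A small audit of the two main.cf settings discussed in this thread (disable_vrfy_command from the original post and smtpd_helo_required from the reply), added here as an example; it is not code from Mail-in-a-Box or from anyone in the thread. The sample configuration is constructed, and the parser follows the main.cf rules documented in postconf(5).

```python
import re

# Recommended values from this thread; Postfix assumes "no" for both when unset.
EXPECTED = {
    "disable_vrfy_command": "yes",  # stop VRFY/EXPN address probing
    "smtpd_helo_required": "yes",   # reject clients that skip HELO/EHLO
}

def parse_main_cf(text):
    """Parse a main.cf body into {parameter: value}.

    postconf(5) rules: `name = value` per line, a line starting with whitespace
    continues the previous value, a line starting with `#` is a comment, and a
    later assignment overrides an earlier one.
    """
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:  # continuation line
            params[current] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params

def audit(text):
    """Return [(parameter, effective_value, ok)] for each recommended setting."""
    params = parse_main_cf(text)
    findings = []
    for name, wanted in EXPECTED.items():
        effective = params.get(name, "no").lower()  # unset means the Postfix default
        findings.append((name, effective, effective == wanted))
    return findings

# Constructed sample config (not a real Mail-in-a-Box main.cf); note that a
# commented-out line does not enable the setting.
SAMPLE_WEAK = """\
# constructed main.cf fragment for the audit example
myhostname = box.example.com
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
# disable_vrfy_command = yes
"""
SAMPLE_HARDENED = SAMPLE_WEAK + "disable_vrfy_command = yes\nsmtpd_helo_required = yes\n"

if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        for name, value, ok in audit(cfg):
            print(f"{label}: {name} = {value} -> {'OK' if ok else 'FINDING'}")
```

On a live box the same check can be run over the output of `postconf -n`, which prints the non-default settings in the same `name = value` form.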