Telnet to port reveals that I am running mailinabox

Hi,

I feel revealing that I am running “mailinabox” may be not a good idea. When I simply telnet into port 25, without any fuhter information, it says "Hi, I’m Mail in a Box Ubunbu Postfix etc) May be, we could hide this information? Does that sound like a good idea?

Thank you for your comments.

Security through obfuscation isn’t really ideal. Port 25 is a standard SMTP port, so it’s not like anyone who stumbles across it isn’t going to know what to do there. A user still has to authenticate to the server to be able to send a mail from it.

1 Like

I have to use port 587, but the announcement essentially declares the server was configured by the MiaB project.

However, going to box.example.com/admin also reveals essentially the same thing, even the subdomain box as where is this usually used? And how many servers are configured to assign their DKIM record to mail._dkim.example.com? Likely there are other “fingerpints” we can find if we keep looking.

Also, this is configured /etc/postfix/main.cf with:

smtpd_banner=$myhostname ESMTP Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)
1 Like

You could … by changing this configuration value:

but it is not really recommended as the change will be overwritten when you update MiaB.

1 Like

+1 for obfuscation — good idea.

Port 25 is a standard SMTP port, so it’s not like anyone who stumbles across it isn’t going to know what to do there.

Leave Telnet and check for web server and related software exploits, of course.

We should flip the question.
What benefit could be gained by announcing a running software stack to the general public?

Disclaimer:
I do not advocate paranoia nor was my post in support of this Improvement idea.

1 Like

While “security by obscurity” might not be infallible, it is far more superior than openly advertising the search term for potential exploits.

I’m not a security professional and you shouldn’t take my thoughts as anything but opinion.

Things that announce details about the system (such as the specific software versions, libraries, os, etc) are sometimes called “information disclosure vulnerabilities.” Hiding this kind of information can be part of a strategy to defend the system, but I wouldn’t call it “security by obscurity.” I would think of security by obscurity as something like hiding the SMTP port and not using authentication nor encryption.

The kind of information in the SMTP banner can’t cause any harm on its own, but as others have pointed out it would be easy to search for known exploits for any software installed by MIAB by checking the SMTP banner and then looking at the github repo.

I would also love to remove the name of MIAB from the SMTP banner to stop revealing detailed information about my system’s configuration as the default in MIAB.

https://tools.ietf.org/html/rfc5321#page-18

SMTP server implementations MAY include identification of their
software and version information in the connection greeting reply
after the 220 code, a practice that permits more efficient isolation
and repair of any problems. Implementations MAY make provision for
SMTP servers to disable the software and version announcement where
it causes security concerns.

Considering the amount of troubleshooting that seems to be necessary in resolving some users’ issues, I think that “more efficient isolation and repair of any problems” should be the norm.

Considering the purpose of the MIAB project, I find “more efficient isolation and repair of any problems” to be compelling. I’d rather do it differently on my machine, but you’ve persuaded me that the current default is the best one.