Exchange Server 2007 VRFY
Does anyone know how to completely disable VRFY in Exchange Server 2007? We've had an audit from a security firm and this (although it isn't, in fact, a problem, I know) is showing up as a breach. I just wondered if I could simply disable VRFY before I ring up and start shouting the odds with them? Thanks
August 7th, 2009 1:14pm
VRFY is one of the basic SMTP commands. It is used to verify the existence of a user on an SMTP e-mail server. If a wildcard is used in the VRFY command (i.e. VRFY *), a remote server would return the complete list of users. This should be disabled or remote attackers could exploit this command to gather information about users for future attacks. What is your OS version?
Vinod
|CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|
August 7th, 2009 3:53pm
I guess it is disabled by default in Exchange since 2000/2003, isn't it?
Do telnet to your Exchange 2007 server on port 25 and check...
telnet Exchange2007ServerName 25
vrfy *
vrfy username@exchangedomain.com
You will get below result...
252 2.1.5 Cannot VRFY user
Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com
August 7th, 2009 8:29pm
Microsoft does not enable VRFY in any version of Exchange after E2K that I am aware of. Like MANY things in a security consultant's report, tell them this is a false positive. Security consultants often just do very generic scans and report findings such as the VRFY command showing up when their scanner does an EHLO to the Exchange server. They don't bother to investigate that this is an Exchange server and that the verb really does not do anything. Jim McBee - Blog - http://mostlyexchange.blogspot.com
August 7th, 2009 9:48pm
Hi,
Based on my research, it is hard-coded in Exchange 2007 not to support the VRFY command.
Just like Amit said, it will actually respond with: internal static readonly SmtpResponse UnableToVrfyUser = new SmtpResponse("252", "2.1.5", "Cannot VRFY user");
Regards,
Xiu
August 10th, 2009 11:56am
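Amit's telnet check and Xiu's note on the hard-coded 252 reply both come down to the same question an admin has to answer before pushing back on an audit: does the server's VRFY reply actually confirm that an address exists? The script below is an added example, not code from this thread or from Microsoft. It parses SMTP reply lines of the form shown above, classifies them (only a 250 confirms an address under RFC 5321; 252 is "cannot verify, will attempt delivery"; 5xx is refused or unimplemented), flags the case where a server answers differently for different probes, and includes a live checker for your own server built on the standard library's smtplib. The sample replies are constructed for illustration, and the host name and probe addresses are placeholders.

```python
import re
import smtplib
from typing import NamedTuple

# Constructed sample replies (not captured from a real server), modelled on
# the responses discussed in the thread. Exchange 2007 answers every VRFY
# with the first one.
SAMPLE_REPLIES = {
    "exchange_2007": "252 2.1.5 Cannot VRFY user",
    "confirmed":     "250 2.1.5 <jsmith@example.com>",
    "not_implemented": "502 5.5.1 Command not implemented",
}

class VrfyResult(NamedTuple):
    code: int          # three-digit SMTP reply code
    enhanced: str      # RFC 3463 enhanced status code, "" if absent
    text: str          # free-text part of the reply
    enumerable: bool   # True only when the reply confirms an address exists

# "250 2.1.5 text" or "250-2.1.5 text" (continuation line); the enhanced
# status code is optional because not every MTA sends one.
_REPLY_RE = re.compile(r"^(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3})\s+)?(.*)$")

def parse_vrfy_reply(line: str) -> VrfyResult:
    """Parse one SMTP reply line to a VRFY command."""
    m = _REPLY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SMTP reply line: {line!r}")
    code = int(m.group(1))
    enhanced = m.group(2) or ""
    text = m.group(3)
    # Only 250 positively confirms the address. 252 means the server will not
    # verify but will try to deliver, and 5xx means refused/unsupported, so
    # neither tells a scanner whether the mailbox exists.
    return VrfyResult(code, enhanced, text, enumerable=(code == 250))

def audit_vrfy(replies):
    """Verdict over the replies to several VRFY probes of the same server.

    "leaks"         - at least one probe was positively confirmed (250)
    "inconsistent"  - no 250, but replies differ between probes, which can
                      still distinguish valid from invalid addresses
    "no enumeration"- every probe got the same non-confirming reply
    """
    if any(r.enumerable for r in replies):
        return "leaks"
    if len({r.code for r in replies}) > 1:
        return "inconsistent"
    return "no enumeration"

def check_live_server(host, probes, port=25, timeout=10):
    """Send VRFY for each probe to your own server and parse the replies.

    host/probes are placeholders supplied by the caller; this function is
    meant for validating a scanner finding against a server you administer.
    """
    results = []
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        for probe in probes:
            code, msg = smtp.docmd("VRFY", probe)  # returns (int, bytes)
            line = f"{code} {msg.decode('ascii', errors='replace')}"
            results.append((probe, parse_vrfy_reply(line)))
    return results

if __name__ == "__main__":
    # Offline demonstration on the constructed samples: two probes against an
    # Exchange 2007-style server both get the same 252, so nothing is leaked.
    exchange_style = [parse_vrfy_reply(SAMPLE_REPLIES["exchange_2007"])] * 2
    print("Exchange-style replies:", audit_vrfy(exchange_style))
    # Uncomment to run against a real server you administer (placeholders):
    # for probe, r in check_live_server("exchange.example.internal",
    #                                   ["*", "user@example.internal"]):
    #     print(probe, r.code, r.enhanced, r.text)
```

The verdict is what goes back to the auditor: a uniform "252 2.1.5 Cannot VRFY user" for both a wildcard and a real address is exactly the hard-coded Exchange response Xiu quoted, and it confirms nothing about which mailboxes exist.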
Microsoft does not enable VRFY in any version of Exchange after E2K that I am aware of. Like MANY things in a security consultant's report, tell them this is a false positive. Security consultants often just do very generic scans and report findings such as the VRFY command showing up when their scanner does an EHLO to the Exchange server. They don't bother to investigate that this is an Exchange server and that the verb really does not do anything.
Jim McBee - Blog - http://mostlyexchange.blogspot.com
I agree with the false-positives thing, Jim. It's these types of checklist auditors that give other security consultants a bad name. If a vulnerability is worth noting on a report (especially if it's listed as a "breach") then it's probably worth validating.
August 20th, 2009 4:26pm