GEN004680 - The SMTP service must not have the Verify (VRFY) feature active.

Information

The VRFY command allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. VRFY may provide additional information about users on the system, such as the full names of account owners.

Solution

Add the 'novrfy' flag to your sendmail in /etc/mail/sendmail.cf.

Procedure:
Edit the definition of 'confPRIVACY_FLAGS' in /etc/mail/sendmail.mc to include 'novrfy'.

Rebuild the sendmail.cf file with:
# make -C /etc/mail

Restart the sendmail service.
# service sendmail restart

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_5_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Rule-ID|SV-218551r603259_rule, STIG-ID|GEN004680, STIG-Legacy|SV-62859, STIG-Legacy|V-4693, Vuln-ID|V-218551

Plugin: Unix

Control ID: 2fd581f7dccaed6ad6b535f254c7c7f766139425b58e185bf84d9868af32da3b