Posted to server-user@james.apache.org by Robert Koberg <ro...@koberg.com> on 2003/07/05 23:58:32 UTC

anyway to stop broadcasting server info for telnet?

Hi again,

I was wondering if there was some way to turn off telling attempted telnet
users what mail software/version is being run? Of course, announcing it to a
public mailing list doesn't help (which I tried to avoid...)

> telnet myserver.com smtp

Escape character is '^]'.
220 blahblah.com SMTP Server (JAMES SMTP Server 2.1.3) ready Sat, 5 Jul 2003 16:48:48 -0500 (CDT)

Or is there somewhere in the config where I can obfuscate this printing?

<note>
Also, I got hung up (on the server) in shutting down James while a telnet
user was trying to log (or logged in?) into 'mydomain 4555'
</note>

Thanks,
-Rob


---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org


RE: anyway to stop broadcasting server info for telnet?

Posted by "Noel J. Bergman" <no...@devtech.com>.
> > I also know the open ports on the servers handling your domains, and more
> > than you would like for me to know about the services running on each.

> You're making the incorrect assumption that there was an attempt to keep
> this information from you.

In your case, Kervin, it was fairly inconsequential.  Your public server
seems OK.  Your personal workstation seemed less so, but I don't pay as much
attention to Windows vulnerabilities.  That's like counting coal in
Newcastle.

In Robert's case, the details went via a private e-mail.

Today has the potential to be a long day.

	--- Noel




Re: anyway to stop broadcasting server info for telnet?

Posted by "Kervin L. Pierre" <ke...@blueprintinc.com>.
I wasn't saying that it should be compulsory to use the feature.

But it would be useful for some, and thus up to them to decide whether 
they'd use it or not.  Obviously we've *decided* not to.

It's not just email servers, many web servers, DNS, etc. support this, 
as you probably know.

Noel J. Bergman wrote:
> I also know the open ports on the servers handling your domains, and more
> than you would like for me to know about the services running on each. 

You're making the incorrect assumption that there was an attempt to keep 
this information from you.

-- 

------------------------------------------------
Kervin Pierre

http://kervin.net/

kervin@blueprintinc.com
kervin@kervin.net
kpierre@fit.edu




RE: anyway to stop broadcasting server info for telnet?

Posted by "Noel J. Bergman" <no...@devtech.com>.
> While I would agree allowing custom HELO status lines does nothing
> for security, if someone wants to submit a patch, we'd be happy to
> review it.  Wouldn't we?

The current code is this:

            responseBuffer.append("220 ")
                          .append(theConfigData.getHelloName())
                          .append(" SMTP Server (")
                          .append(SOFTWARE_TYPE)
                          .append(") ready ")
                          .append(rfc822DateFormat.format(new Date()));

Replacing it properly would also involve implementing replaceable parameters
like we use for SQLResources.java and XMLResources.java.  I've been thinking
of moving the string replacement code into a common utility class.  There
was another use for it raised within the past week or so.

The minimum set of replacement parameters would be ${HELLONAME}, ${VERSION},
${DATE}.  The default would be equivalent to:

 <identification>
   ${HELLONAME} SMTP SERVER (JAMES SMTP Server ${VERSION}) ready ${DATE}
 </identification>

	--- Noel
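
A sketch of the replaceable-parameter greeting proposed in the message above, added here as an example; it is not James code. The class name `GreetingTemplate`, the `render` method and the sample host name are assumptions; the three parameters come from the message, and the default text reproduces the string the current code builds.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper (not James code): expands ${NAME} parameters in the SMTP greeting. */
public class GreetingTemplate {
    // Default reproduces what the current code appends after the "220 " reply code.
    static final String DEFAULT =
        "${HELLONAME} SMTP Server (JAMES SMTP Server ${VERSION}) ready ${DATE}";
    private static final Pattern PARAM = Pattern.compile("\\$\\{(\\w+)\\}");

    static String render(String template, Map<String, String> params) {
        if (template == null || template.trim().isEmpty()) {
            template = DEFAULT;
        }
        Matcher m = PARAM.matcher(template.trim());
        StringBuffer out = new StringBuffer("220 ");
        while (m.find()) {
            String value = params.get(m.group(1));
            if (value == null) {
                // Fail at startup rather than greet clients with a literal "${TYPO}".
                throw new IllegalArgumentException("unknown parameter " + m.group());
            }
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        // The greeting is one reply line: fold CR/LF and other control characters so
        // a multi-line <identification> element cannot emit extra reply lines.
        return out.toString().replaceAll("\\p{Cntrl}+", " ").replaceAll(" {2,}", " ");
    }

    public static void main(String[] args) {
        Map<String, String> params = new HashMap<String, String>();
        params.put("HELLONAME", "mail.example.org");   // constructed sample value
        params.put("VERSION", "2.1.3");                // version shown in the thread
        params.put("DATE", new SimpleDateFormat(
            "EEE, d MMM yyyy HH:mm:ss Z (z)", Locale.US).format(new Date()));
        System.out.println(render(null, params));      // default, same as today
        // An operator who prefers not to name the product or version:
        System.out.println(render("${HELLONAME} SMTP Server ready ${DATE}", params));
    }
}
```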




Re: anyway to stop broadcasting server info for telnet?

Posted by Serge Knystautas <se...@lokitech.com>.
Noel J. Bergman wrote:
>>didn't Todd Rundgren have a song 'I hate my ISP'
> 
> 
> Several of my hosted clients are ex-Servlets.com users; I'll leave it be at
> that.  I've never used Servlets.com, but my clients have their reasons.

I think things are getting a little off-topic. :)  While I would agree 
allowing custom HELO status lines does nothing for security, if someone 
wants to submit a patch, we'd be happy to review it.  Wouldn't we?

-- 
Serge Knystautas
President
Lokitech >> software . strategy . design >> http://www.lokitech.com/
p. 1.301.656.5501
e. sergek@lokitech.com





RE: anyway to stop broadcasting server info for telnet?

Posted by "Noel J. Bergman" <no...@devtech.com>.
Rob,

> didn't Todd Rundgren have a song 'I hate my ISP'

Several of my hosted clients are ex-Servlets.com users; I'll leave it be at
that.  I've never used Servlets.com, but my clients have their reasons.

> page 351 of the 3rd edition of _Practical Unix and Internet Security_
> says, "In general, it is not a good practice for your server to
> reveal its identity in this fashion."

As a practical matter, there are few hosts whose e-mail servers are
obfuscated.  There is really little point.  It isn't as if it is hard to
find out what they are using via other means.  And the automated scanners
just try various vulnerabilities regardless.  We see that all the time with
various Internet applications.  As cryptographers would tell you, security
by obscurity is not a particularly secure approach:

  http://slashdot.org/features/980720/0819202.shtml
  http://www.vnunet.com/Analysis/1126488
  http://www.softlab.ntua.gr/~taver/security/secur3.html

I'll leave you to browse the other 76,000+ references from Google.  ;-)

> The book goes on to say that Sendmail has an option to disable
> [its announce string]
> http://www.sendmail.org/tips/DontBlameSendmail.html

LOL  The name is apt, but I don't see the feature on that page.

Sendmail is a completely different beast from James.  Sendmail wants
privileged access, James doesn't.  Sendmail has buffer overflow issues.
James doesn't.  Etc.  James does not need or want any special permissions
other than to access the ports.  You can easily run James as a normal user
using just:

   $ iptables -t nat -A PREROUTING -p tcp --dport smtp -j REDIRECT --to-ports 10025
   $ iptables -t nat -A PREROUTING -p tcp --dport pop3 -j REDIRECT --to-ports 10026

and changing the ports in config.xml.

	--- Noel




RE: anyway to stop broadcasting server info for telnet?

Posted by Robert Koberg <ro...@koberg.com>.
Thanks Noel,

Sure, fair enough. One of the reasons I am looking at running my own email
server is that I don't trust my ISP (servlets.net - spam up the butt coming
from there...) or out of the box solutions that I use for hosting client
sites. (didn't Todd Rundgren have a song 'I hate my ISP')

Then, reading page 351 of the 3rd edition of _Practical Unix and Internet
Security_ (ISBN#0-596-00323-4), it says, "In general, it is not a good
practice for your server to reveal its identity in this fashion."

Servlets.net ISP I don't have control over. James on my machine, I do. 

I would prefer not to display it. The book goes on to say that Sendmail has
an option to disable this (DontBlameSendmail -
http://www.sendmail.org/tips/DontBlameSendmail.html)

Just trying to do some homework - nothing against James!

-Rob

> -----Original Message-----
> From: Noel J. Bergman [mailto:noel@devtech.com]
> Sent: Saturday, July 05, 2003 7:19 PM
> To: James Users List
> 
> Kervin and Robert,
> 
> Here are the response strings from blueprintinc.com and koberg.com:
> 
>   220 blueprint-tech.com ESMTP Sendmail 8.12.9/8.12.8; Sat, 5 Jul 2003 20:45:14 -0400
>   220 s5.servlets.net ESMTP Sendmail 8.9.3/8.9.3; Sat, 5 Jul 2003 17:49:29 -0700
> 
> Plus, every e-mail you send conveys information about your workstation,
> operating system, the build of the MUA, etc.
> 
> I also know the open ports on the servers handling your domains, and more
> than you would like for me to know about the services running on each.
> You should be more worried about exploits against them.  Running nmap is
> child's play.
> 
> 	--- Noel





RE: anyway to stop broadcasting server info for telnet?

Posted by "Noel J. Bergman" <no...@devtech.com>.
Kervin and Robert,

Here are the response strings from blueprintinc.com and koberg.com:

  220 blueprint-tech.com ESMTP Sendmail 8.12.9/8.12.8; Sat, 5 Jul 2003 20:45:14 -0400
  220 s5.servlets.net ESMTP Sendmail 8.9.3/8.9.3; Sat, 5 Jul 2003 17:49:29 -0700

Plus, every e-mail you send conveys information about your workstation,
operating system, the build of the MUA, etc.

I also know the open ports on the servers handling your domains, and more
than you would like for me to know about the services running on each.  You
should be more worried about exploits against them.  Running nmap is child's
play.

	--- Noel




Re: anyway to stop broadcasting server info for telnet?

Posted by "Kervin L. Pierre" <ke...@blueprintinc.com>.
Robert Koberg wrote:
>>Not without changing the code.  Why do you care?
> 
> 
> Mainly because it tells someone something to get them to the next step
> 

I agree.

James is making it much easier for hackers to build scanners for 
vulnerabilities.

Many servers (e.g. sendmail) make the hello string configurable, 
allowing the sysadmin to give as much or little info as he/she feels 
comfortable with.

-- 

------------------------------------------------
Kervin Pierre

http://kervin.net/

kervin@blueprintinc.com
kervin@kervin.net
kpierre@fit.edu




RE: anyway to stop broadcasting server info for telnet?

Posted by Robert Koberg <ro...@koberg.com>.

> -----Original Message-----
> From: Noel J. Bergman [mailto:noel@devtech.com]
> Sent: Saturday, July 05, 2003 4:00 PM
> To: James Users List
> 
> > I was wondering if there was some way to turn off telling attempted
> > telnet users what mail software/version is being run?
> 
> Not without changing the code.  Why do you care?

Mainly because it tells someone something to get them to the next step

> 
> > Also, I got hung up (on the server) in shutting down James while a
> > telnet user was trying to log (or logged in?) into 'mydomain 4555'
> 
> Firewall 4555 if it isn't already part of your blanket coverage, bind
> remotemanager to localhost (<bindaddress>localhost</bindaddress>), and use
> ssh to access the server remotely.  That is SOP for server administrators.

Yes, I do this but what if they:

telnet myhost smtp

It tells them server make and model - why?

-Rob


> 
> 	--- Noel




RE: anyway to stop broadcasting server info for telnet?

Posted by "Noel J. Bergman" <no...@devtech.com>.
> I was wondering if there was some way to turn off telling attempted
> telnet users what mail software/version is being run?

Not without changing the code.  Why do you care?

> Also, I got hung up (on the server) in shutting down James while a
> telnet user was trying to log (or logged in?) into 'mydomain 4555'

Firewall 4555 if it isn't already part of your blanket coverage, bind
remotemanager to localhost (<bindaddress>localhost</bindaddress>), and use
ssh to access the server remotely.  That is SOP for server administrators.

	--- Noel

