
EXPN and VRFY

By Jeffrey Howard
All rights reserved unless noted otherwise

 

Some users of Sendmail ask what the expn and vrfy commands are, why they should be disabled, and how they should be disabled.

What VRFY and EXPN Are

The vrfy command allows someone to telnet to your Sendmail server and ask to verify that an address is valid. This is good in that it allows a foreign server to check whether an address works before sending mail to that address. There are problems, though, as we'll discuss below.

The expn command allows someone to telnet to your Sendmail server and give the server an alias. The expn command expands the alias into the list of actual recipients. For example, if I have a list called "all-users" on my machine (quotes not included), someone could use "expn all-users" to get a list of the email addresses that all-users sends to. If you use a .forward file, expn will show someone the real forwarding destination of mail sent to you. One can expn root to find out who reads mail sent to the administrator of a system, for example, or to find out the members of a mailing list.

Why EXPN and VRFY Should Be Disabled

If anyone can verify that an address is valid, spammers have a very easy time deciding who to send mail to. Worse yet, many attacks on networked computers begin by finding a valid account name on the machine. (This is why a UNIX machine won't tell you whether it was the login name or the password that was mistyped if you fail to log in.) VRFY allows an attacker to keep trying email addresses until he or she finds one that works. This isn't as difficult a process as it sounds, given that some patterns of login names (first name, last name, first initial and last name, etc.) are very widespread.

The EXPN command is even more dangerous. Many computers have lists for all, staff, users, or the like. By guessing and expanding those lists, a spammer or attacker gets the names of several of the users of the machine.

How To Disable EXPN and VRFY

Find the line in your /etc/sendmail.cf that reads:

O PrivacyOptions=

To disable expn and vrfy, change the line to read the following:

O PrivacyOptions=noexpn novrfy

Or, to set all of sendmail's privacy options to their most private settings:

O PrivacyOptions=goaway

Now force sendmail to reload the configuration. You can telnet to localhost 25 and enter a "vrfy username" manually to check that it worked.
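
The manual telnet check can also be scripted. The following is an added example, not part of the original article: it sends VRFY and EXPN for one real and one bogus name and reports whether the replies let a client tell the two apart. The reply-code meanings are taken from RFC 5321; the function names, the bogus user name and the sample reply tables are assumptions made for illustration.

```python
import smtplib

CONFIRMS = {250, 251}  # RFC 5321: name verified or list expanded

def is_oracle(code_real, code_bogus):
    """True if the replies let a client tell a real name from a bogus one."""
    return code_real in CONFIRMS or code_real != code_bogus

def audit(send, real="root", bogus="zz-no-such-user-zz"):
    """send(cmd, name) -> SMTP reply code. Names are assumptions; use your own."""
    findings = {}
    for cmd in ("vrfy", "expn"):
        leaks = is_oracle(send(cmd, real), send(cmd, bogus))
        findings[cmd] = "discloses names" if leaks else "ok"
    return findings

def audit_server(host="localhost", port=25):
    """Run the audit against a live server (the telnet check, automated)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.helo()
        return audit(lambda cmd, name: smtp.docmd(cmd, name)[0])

# Constructed reply tables (not captured from a real server).
# BEFORE answers per name; AFTER gives the same refusal for every name.
# RFC 5321: 550 = no such user, 252 = cannot VRFY, 502 = not implemented.
BEFORE = {("vrfy", "root"): 250, ("expn", "root"): 250}
AFTER = {"vrfy": 252, "expn": 502}

def fake_before(cmd, name):
    return BEFORE.get((cmd, name), 550)

def fake_after(cmd, name):
    return AFTER[cmd]

if __name__ == "__main__":
    print("before:", audit(fake_before))
    print("after: ", audit(fake_after))
    # print(audit_server())  # uncomment to check your own server on localhost:25
```

A server that answers 550 for unknown names but something else for real ones still discloses names even if it never returns 250, which is why the check compares the two replies rather than looking for 250 alone.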

jhoward@burningvoid.com

 
 

This information is provided "as is," with no warranty or guaranty. The IAQ pages have not been maintained in some time; they're being kept up because, judging by the traffic and link-backs, people still find them useful.
Copyright 1998-2004 by Jeffrey Howard and Heather Grove, except where stated otherwise.