Bug#880905: exim4-config: Sender verification could be exploited for brute-force scan

Paul Graham debianbts at omega-software.com
Mon Nov 6 21:47:28 UTC 2017


Hi

Same as I told the Exim devs: we finally opted for enabling Exim support in fail2ban. This gives better results for all brute-force attempts, as they're soon cut off and don't waste bandwidth.

Thanks for your feedback :)


At 05/11/17 18:59, Marc Haber wrote:
> On Sun, Nov 05, 2017 at 04:09:37PM +0100, Andreas Metzler wrote:
>> I do not see the attacker gain, the same information can be extracted by
>> trying out RCPT TO *@omega-software.com with FROM attacker at gmail.com.
> Additionally, we are desperately trying to stay close to the upstream
> configuration. If this is really an issue, then all non-Debian exim
> installations are vulnerable as well.
>
> What I am trying to say is, this issue should be reported and
> discussed with upstream _before_ we make this change. Paul, can you do
> that to make your point there?
>
> Greetings
> Marc
>

-- 
Paul Graham
Development Dept.
http://Omega-Software.com/

Omega Software
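What the fail2ban approach Paul describes actually does is count rejections per connecting IP in Exim's mainlog and ban the source once it exceeds a threshold inside a time window. The script below is an added illustration of that logic, not code from the page, from Exim, or from fail2ban: it is a minimal stand-in for fail2ban's exim filter plus the `maxretry`/`findtime` jail logic, run over a handful of constructed log lines written in the style of Exim's mainlog (the IPs, hostnames, addresses and timestamps are invented). On a real host the equivalent is enabling the `[exim]` jail in `/etc/fail2ban/jail.local`; the regex and thresholds here are assumptions, not fail2ban's shipped ones.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mainlog excerpt (not from the page). One IP enumerates
# recipients with a fixed MAIL FROM; another fails sender verification once;
# one line is a legitimate accepted message and must not count.
SAMPLE_LOG = """\
2017-11-06 21:47:01 H=(scanner) [203.0.113.5] F=<attacker@example.com> rejected RCPT <aaron@omega-software.com>: Unrouteable address
2017-11-06 21:47:02 H=(scanner) [203.0.113.5] F=<attacker@example.com> rejected RCPT <abby@omega-software.com>: Unrouteable address
2017-11-06 21:47:03 H=(scanner) [203.0.113.5] F=<attacker@example.com> rejected RCPT <adam@omega-software.com>: Unrouteable address
2017-11-06 21:47:04 1eBxyz-0001Ab-2C <= paul@example.org H=(mail.example.org) [198.51.100.7] P=esmtp S=1234
2017-11-06 21:47:05 H=(scanner) [203.0.113.5] F=<attacker@example.com> rejected RCPT <alice@omega-software.com>: Unrouteable address
2017-11-06 21:47:06 H=(other) [198.51.100.9] sender verify fail for <nobody@invalid.example>: Unrouteable address
2017-11-06 21:47:06 H=(other) [198.51.100.9] F=<nobody@invalid.example> rejected RCPT <info@omega-software.com>: Sender verify failed
2017-11-06 21:47:07 H=(scanner) [203.0.113.5] F=<attacker@example.com> rejected RCPT <amy@omega-software.com>: Unrouteable address
"""

# Assumed patterns: the leading mainlog timestamp, and the client IP in square
# brackets followed by either an RCPT rejection or a sender-verify failure.
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
REJECT_RE = re.compile(
    r"\[(?P<ip>[0-9a-fA-F.:]+)\] .*?(?:rejected RCPT|sender verify fail)"
)


def parse_events(log_text):
    """Return a list of (timestamp, ip) for every rejection-like line."""
    events = []
    for line in log_text.splitlines():
        m_ts = TS_RE.match(line)
        m_rej = REJECT_RE.search(line)
        if not (m_ts and m_rej):
            continue  # accepted mail, deliveries, etc. are ignored
        ts = datetime.strptime(m_ts.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m_rej.group("ip")))
    return events


def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for IPs that hit maxretry rejections
    within a sliding findtime window, mirroring a fail2ban jail."""
    recent = defaultdict(list)
    banned = {}
    for ts, ip in parse_events(log_text):
        if ip in banned:
            continue  # already cut off; later lines don't matter
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.pop(0)  # expire entries older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"ban {ip} at {when.isoformat()}")
```

With the defaults only the enumerating host is banned, and it is banned on its third rejection, so the remaining probes never reach the RCPT stage; the host with a single failed sender verification stays below the threshold, which is the point of choosing `maxretry` high enough that one mistyped address does not lock out a legitimate sender.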