From: Stan Hoeppner on
Hey Wietse,

Someone was wondering on spam-l why Postfix defaults smtpd VRFY to ON instead of
OFF. Their theory being that the default of ON makes it easier for spammers to
harvest addresses.

Most people shut it off (including me). Then spammers go to RCPT TO checking,
so IMO it makes little difference. Just wanted your position on this so I can
post an official response to spam-l. I don't want Postfix (or you) getting any
kind of ill-deserved reputation due to VRFY defaulting to on. Minor issue,
silly yes, but apparently important to some.

So, what do I tell them? Has this already been answered long ago? Link?

Thanks.

--
Stan

From: Wietse Venema on
Stan Hoeppner:
> Hey Wietse,
>
> Someone was wondering on spam-l why Postfix defaults smtpd VRFY
> to ON instead of OFF. Their theory being that the default of ON
> makes it easier for spammers to harvest addresses.

Postfix implements the SMTP protocol according to the RFCs that
describe the protocol. If someone believes that Postfix default
settings do not follow the recommendations of the protocol, then
they can point out the discrepancy and report a bug on the
postfix-users mailing list.

There is no evidence that VRFY makes the spammer's job easier. In
fact, VRFY responses in Postfix disclose no more information than
is already available with RCPT TO responses.

Wietse
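
Wietse's point above is that the recipient-validity information is exposed through RCPT TO regardless of VRFY, so the defender-side question is detecting recipient enumeration on the RCPT TO path rather than worrying about the VRFY default. The following is an added example, not code from the thread or from Postfix: it parses Postfix smtpd "User unknown" reject lines and flags clients that probe many distinct recipients. The log lines are constructed for the example (they follow the format Postfix uses for such rejects), and the threshold of three distinct unknown recipients is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix smtpd log lines (not taken from the thread).
# 192.0.2.10 probes four distinct unknown recipients (one of them twice),
# 198.51.100.7 hits a single unknown recipient, and 203.0.113.5 is rejected
# for relaying, which is not recipient enumeration and must not be counted.
SAMPLE_LOG = """\
Jan 29 18:20:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<aaron@example.com> proto=ESMTP helo=<example.net>
Jan 29 18:20:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<abby@example.com> proto=ESMTP helo=<example.net>
Jan 29 18:20:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <Abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<Abby@example.com> proto=ESMTP helo=<example.net>
Jan 29 18:20:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<adam@example.com> proto=ESMTP helo=<example.net>
Jan 29 18:20:04 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alan@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<alan@example.com> proto=ESMTP helo=<example.net>
Jan 29 18:21:10 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <old-staff@example.com>: Recipient address rejected: User unknown in local recipient table; from=<hr@example.org> to=<old-staff@example.com> proto=ESMTP helo=<mail.example.org>
Jan 29 18:22:30 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <someone@elsewhere.test>: Relay access denied; from=<y@example.net> to=<someone@elsewhere.test> proto=ESMTP helo=<example.net>
"""

# Matches only the "User unknown" reject that Postfix logs for a RCPT TO
# naming a non-existent local recipient.
UNKNOWN_RCPT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]*)>: "
    r"Recipient address rejected: User unknown"
)


def parse_unknown_rcpt(line):
    """Return (client_ip, recipient) for a User-unknown reject line, else None."""
    m = UNKNOWN_RCPT_RE.search(line)
    if not m:
        return None
    # Lower-case the address so case variants of one mailbox count once.
    return m.group("ip"), m.group("rcpt").lower()


def count_unknown_recipients(lines):
    """Map each client IP to the number of DISTINCT unknown recipients it tried."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_unknown_rcpt(line)
        if parsed is not None:
            ip, rcpt = parsed
            seen[ip].add(rcpt)
    return {ip: len(rcpts) for ip, rcpts in seen.items()}


def flag_enumerators(lines, threshold=3):
    """Client IPs whose distinct unknown-recipient count reaches the threshold.

    The threshold is an assumption for this example; tune it to your traffic.
    """
    counts = count_unknown_recipients(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in sorted(count_unknown_recipients(lines).items()):
        print(f"{ip}: {n} distinct unknown recipient(s)")
    print("flagged:", flag_enumerators(lines))
```

Counting distinct recipients rather than raw reject lines keeps a legitimate sender that retries one stale address from being flagged. On the Postfix side, `disable_vrfy_command` is the switch for VRFY itself, while `smtpd_soft_error_limit`, `smtpd_hard_error_limit` and `smtpd_error_sleep_time` are the parameters that slow down and eventually drop a client that racks up RCPT TO errors, which is the channel that actually carries this information.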

From: LuKreme on
On 29-Jan-2010, at 18:20, Stan Hoeppner wrote:

> Their theory being that the default of ON makes it easier for spammers to
> harvest addresses.

That's a pretty stupid theory though.

--
"I don't care if Bill Gates is the world's biggest philanthropist.
The pain he has inflicted on the world in the past 20 years
through lousy products easily outweighs any good he has
done.... Apple is as arrogant as Microsoft but at least its
stuff works as advertised" -- Graem Philipson

From: Jacqui Caren-home on
LuKreme wrote:
> On 29-Jan-2010, at 18:20, Stan Hoeppner wrote:
>
>> Their theory being that the default of ON makes it easier for spammers to
>> harvest addresses.
>
> That's a pretty stupid theory though.

I recommend joining the spam-l list and joining the discussion there.
It was noted that the RFCs mention VRFY as a feature but do not state that
it has to be enabled or disabled by default.

I collect deliverability metrics and, as part of this, track (Netcraft style)
enabled features, including who has VRFY enabled. Let's just say very, very few
people have it enabled...

Jacqui

From: Wietse Venema on
Jacqui Caren-home:
> It was noted that the RFCs mention VRFY as a feature but do not state that
> it has to be enabled or disabled by default.

Citing RFC 2821:

Server implementations SHOULD support both VRFY and EXPN. For
security reasons, implementations MAY provide local installations a
way to disable either or both of these commands through configuration
options or the equivalent.

Citing RFC 5321:

Server implementations SHOULD support both VRFY and EXPN. For
security reasons, implementations MAY provide local installations a
way to disable either or both of these commands through configuration
options or the equivalent (see Section 7.3).

A server SHOULD implement VRFY and EXPN; the OFF switch is optional;
therefore the default is as if the OFF switch does not exist. People
who read this RFC otherwise should become politicians.

Wietse