Add support for VRFY with IP ranges limitations


Poll: Support for VRFY (with IP range checking)

Yes, I think it's a good idea: 9 votes (90%)
No, I don't need it: 1 vote (10%)

Total votes: 10

ObiWan
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Add support for VRFY with IP ranges limitations

Post by ObiWan » 2011-03-09 10:40

I know that there have been other requests to implement the "VRFY" SMTP command in hMailServer, and usually those have been dropped, saying that it may be a security issue. Now, this is true, since allowing any host to issue "VRFY" commands toward hMS may help spammers gather "good" mail addresses. On the other hand, my suggestion is to implement the VRFY code (all in all it's the same check which is performed when hMS receives an "RCPT TO") but to tie it to "IP ranges", that is, adding a checkbox to the "IP ranges" configuration panel (not checked by default) to enable the use of VRFY for that given IP range. This will avoid the VRFY issues and, at the same time, will allow "good" hosts to use the VRFY command to check the existence of given recipients.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Add support for VRFY with IP ranges limitations

Post by ^DooM^ » 2011-03-09 11:13

Can you explain a bit more why someone would need this?
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

ObiWan
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Add support for VRFY with IP ranges limitations

Post by ObiWan » 2011-03-09 11:39

^DooM^ wrote:
> Can you explain a bit more why someone would need this?

One of the main reasons is to be able to use ASSP at its full potential. See, ASSP may use VRFY to check if a given recipient address exists, and if it doesn't, it will then reject the incoming message. Not just that: if so configured, ASSP may also turn the heavily "used" invalid addresses into spamtraps, thus allowing the junk filtering to be improved.

Another example: let's say we have an hMS sitting on a given connection and that we set up a second box running a vanilla SMTP receiver on an alternate connection, just to be able to keep receiving emails in case the primary connection goes down. Now, to avoid "bounces", the secondary box may use VRFY against hMS to check if a given recipient exists and reject emails to non-existing recipients.

As I wrote, I know that the implementation of "VRFY" has been refused in the past, saying that it may be a "security hole", but what I'm proposing is to tie "VRFY" to the "IP ranges" so that one may ONLY enable it for given, trusted hosts/subnets. Also, "VRFY" should be disabled by default to avoid "accidental misconfigurations" and, given that implementing the "VRFY" code should be quite straightforward (it's the same kind of check hMS already does when checking the "RCPT TO" recipient address), I can't see a reason not to implement it :)

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Add support for VRFY with IP ranges limitations

Post by ^DooM^ » 2011-03-09 12:52

I like that idea very much, especially if it helps eliminate spam to backup MXs.

Got my vote for IP range based VRFY!
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

arkadas
New user
Posts: 2
Joined: 2010-08-23 11:03

Re: Add support for VRFY with IP ranges limitations

Post by arkadas » 2011-04-05 00:09

It could also be solved like MDaemon does, with a Minger solution.

They also use this to do domain sharing....

In other words, 1 domain on multiple servers.

see: http://www.altn.com/Support/KnowledgeBa ... =KBA-02008

Arkadas

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Add support for VRFY with IP ranges limitations

Post by Bill48105 » 2011-10-29 19:35

Personally I am a secondary host for many domains & would love a better solution than manually keeping up the list of valid users for each domain. VRFY restricted by IP sounds like a great plan.

I looked at the Minger stuff but it doesn't look like it ever got completed:
http://tools.ietf.org/html/draft-hathcock-minger-06

I'm inclined to spend some time looking into getting IP-based VRFY working in hmail, but something I've also been considering is a syncing method between hmail servers, though I haven't spent much time thinking about how to implement that. Perhaps even via generated emails, but there is much to consider, like security etc.

Anyway I think VRFY shouldn't be too hard to add & could be useful with ASSP too.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

ObiWan
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Add support for VRFY with IP ranges limitations

Post by ObiWan » 2011-10-31 10:33

Bill48105 wrote:
> Personally I am a secondary host for many domains & would love a better solution than manually keeping up the list of valid users for each domain. VRFY restricted by IP sounds like a great plan.
>
> I looked at the Minger stuff but it doesn't look like it ever got completed:
> http://tools.ietf.org/html/draft-hathcock-minger-06
>
> I'm inclined to spend some time looking into getting IP-based VRFY working in hmail, but something I've also been considering is a syncing method between hmail servers, though I haven't spent much time thinking about how to implement that. Perhaps even via generated emails, but there is much to consider, like security etc.
>
> Anyway I think VRFY shouldn't be too hard to add & could be useful with ASSP too.
> Bill

First of all... yes, VRFY will help when using ASSP or similar apps which are able to use VRFY against the backend mailserver to check for valid recipients/domains. Then, as for the "VRFY IP range", I think that adding an "enable VRFY" checkbox in the IP range definition panel should fit the bill. At that point, given that hMS already checks IP ranges at the start of a session, the code may switch on a "flag" so that hMS, for that session, will reply to the EHLO/HELP commands offering the VRFY option and will also allow the session to use the VRFY command (optionally EXPN... but that isn't strictly needed).

As for config syncing... what about dumping the config to an XML file and then using (e.g.) something like "rsync" to move it around? This way, the other "peers" may just check, from time to time, for a config change by contacting the "master" and, in case the config was changed, use rsync to update the local XML and, once transferred, parse it and change the local config (just thinking out loud btw). Another approach (but it may be somewhat more complex) may be using whatever native database replication mechanism there is; in such a case some special (additional?) tables will be replicated from a "master" hMS to the "secondary" ones.
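
The per-session VRFY flag described in the post above, modelled as an added example (this is not hMailServer code and not part of the original thread). The IP ranges, the `allow_vrfy` field, the priority rule, the mailboxes and the host names are constructed assumptions; VRFY is off unless a matching range enables it.

```python
import ipaddress

# Constructed sample data (not hMailServer's real schema): each IP range has a
# priority and a hypothetical allow_vrfy flag that defaults to False.
IP_RANGES = [
    {"name": "Internet", "net": "0.0.0.0/0", "priority": 10, "allow_vrfy": False},
    {"name": "Backup MX", "net": "192.0.2.16/28", "priority": 20, "allow_vrfy": True},
]
MAILBOXES = {"alice@example.test", "bob@example.test"}


def vrfy_allowed(peer_ip):
    """Evaluate the flag once, at session start, from the best-matching range."""
    ip = ipaddress.ip_address(peer_ip)
    matches = [r for r in IP_RANGES if ip in ipaddress.ip_network(r["net"])]
    # Assumption: the matching range with the highest priority wins.
    best = max(matches, key=lambda r: r["priority"], default=None)
    return bool(best and best.get("allow_vrfy", False))  # no match: denied


class Session:
    def __init__(self, peer_ip):
        self.allow_vrfy = vrfy_allowed(peer_ip)

    def handle(self, line):
        """Return the list of reply lines for one client command."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            replies = ["250-mail.example.test", "250-SIZE 20480000"]
            if self.allow_vrfy:  # advertise VRFY only to enabled ranges
                replies.append("250-VRFY")
            return replies + ["250 HELP"]
        if verb == "VRFY":
            if not self.allow_vrfy:
                # Same reply for every address, so a peer outside the enabled
                # ranges cannot tell valid recipients from invalid ones.
                return ["252 Cannot VRFY user, but will accept message "
                        "and attempt delivery"]
            addr = arg.strip().strip("<>").lower()
            if addr in MAILBOXES:  # same lookup an RCPT TO check would do
                return [f"250 <{addr}>"]
            return ["550 Unknown user"]
        return ["500 Command not recognized"]
```

A peer in the "Backup MX" range gets a definite 250 or 550 answer, while any other peer gets the identical 252 reply for valid and invalid addresses.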

rjk
Normal user
Posts: 248
Joined: 2010-03-30 19:30
Location: uʍop ǝpısdn

Re: Add support for VRFY with IP ranges limitations

Post by rjk » 2014-07-03 17:28

Bump. My backup mail service (rollernet.us) supports VRFY, and it would be superb to be able to use it with them. IP limited of course, and not open to the whole world. Any chance of a feature request to add this please?
hMailServer 5.5.2-B2129 on Server 2008 R2 VM
MySQL 5.5.25, IIS 7.5, PHP 5.6.2 via FastCGI, RoundCube 1.0.3
XenServer 6.0 on HP DL380 G5 32GB RAM
