Check: GEN004560
Solaris 10 SPARC STIG: GEN004560 (in versions v2 r4 through v1 r19)
Title
The SMTP service's SMTP greeting must not provide version information. (Cat III impact)
Discussion
The version of the SMTP service can be used by attackers to plan an attack based on vulnerabilities present in the specific version.
Check Content
Check for the Sendmail version being displayed in the greeting.

# telnet localhost 25

If a version number is displayed, this is a finding.

If telnet is unavailable for testing, check the value of the SmtpGreetingMessage parameter in the sendmail.cf file.

# grep SmtpGreetingMessage /etc/mail/sendmail.cf

If the value of the SmtpGreetingMessage parameter contains the $v or $Z macros, this is a finding.
Fix Text
Ensure Sendmail or its equivalent has been configured to mask the version information. If necessary, change the O SmtpGreetingMessage line in the /etc/mail/sendmail.cf file as noted below.

O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

Change it to:

O SmtpGreetingMessage= Mail Server Ready ; $b
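The sendmail.cf check and fix above, scripted as an added example (not part of the STIG text). The function name `check_greeting`, its return codes and the sample files are constructed for illustration; it assumes a POSIX shell and grep (on Solaris 10, the /usr/xpg4/bin versions) and that the last active assignment in the file is the effective one.

```shell
#!/bin/sh
# Audit SmtpGreetingMessage in a sendmail.cf-style file for the $v / $Z macros.
# Prints a verdict; returns 0 = pass, 1 = finding, 2 = option not set, 3 = unreadable.
check_greeting() {
    cf=$1
    [ -r "$cf" ] || { echo "ERROR"; return 3; }
    # Active option lines only: commented-out lines start with '#' and do not match.
    # Assumption: if the option appears more than once, the last assignment wins.
    line=$(grep '^O[[:space:]][[:space:]]*SmtpGreetingMessage[[:space:]]*=' "$cf" | tail -1)
    if [ -z "$line" ]; then
        # Not set here, so the daemon's built-in greeting applies;
        # confirm with the live banner (telnet localhost 25).
        echo "UNSET"; return 2
    fi
    value=${line#*=}            # everything after the first '='
    case $value in
        *'$v'*|*'$Z'*) echo "FINDING"; return 1 ;;   # version macro present
        *)             echo "PASS";    return 0 ;;
    esac
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d)
printf '%s\n' 'O SmtpGreetingMessage=$j Sendmail $v/$Z; $b'   > "$tmp/original.cf"
printf '%s\n' 'O SmtpGreetingMessage= Mail Server Ready ; $b' > "$tmp/fixed.cf"
printf '%s\n' '#O SmtpGreetingMessage=$j Sendmail $v/$Z; $b'  > "$tmp/commented.cf"

for f in original fixed commented; do
    verdict=$(check_greeting "$tmp/$f.cf") || true
    echo "$f.cf: $verdict"
done
rm -rf "$tmp"
```

An UNSET result is not a pass: it only means the file does not override the greeting, so the telnet check still has to be done.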
Additional Identifiers
Rule ID: SV-220047r603265_rule
Vulnerability ID: V-220047
Group Title: SRG-OS-000480
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |