Re: SMTP VRFY again
From: Jeffrey Walton via curl-users <curl-users_at_lists.haxx.se>
Date: Wed, 7 Jun 2023 14:41:56 -0400
On Wed, Jun 7, 2023 at 2:24 PM Andrea Venturoli via curl-users
<curl-users_at_lists.haxx.se> wrote:
>
> I'm using libcurl to send emails via SMTP.
>
> In the past I was hit by the fact that it uses VRFY, which is not
> supported on my mail server and I had to set option CURLOPT_UPLOAD to 1.
> Fine.
>
> This worked with 8.0.1.
> Then I upgraded to 8.1.0 due to security issues and later to 8.1.1: now
> I'm hit by the VRFY thing again (even if my code did not change).
>
> Is something different needed with these newer versions?
> Or is it a regression?
I _thought_ SMTP's VRFY command was frowned upon because it allowed
attackers to enumerate users. Then the actor could go lateral, like
using the username to try a login in another protocol like SSH.
I _think_ one of the things mail administrators do nowadays is to
always return success, even for non-existent users.
According to Bernstein at [1], rejecting VRFY is dangerous. Maybe you
should reach out to the mail admin on the site you are trying to send
mail to.
Jeff
[1] https://cr.yp.to/smtp/vrfy.html
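The enumeration risk Jeff raises, and the "always return success" mitigation he describes, as an added example that is not part of the message or of curl: a toy in-process model of a server-side VRFY handler in its classic leaky form and in the hardened form, with the attacker's wordlist loop run against each. The domain, the mailbox set, the wordlist and the exact reply strings are constructed for illustration; the 250/550/252 codes are the ones RFC 5321 defines for VRFY.

```python
"""Why SMTP VRFY is a user-enumeration oracle, and what "always return
success" (RFC 5321 reply 252) does to it.

Added example: a toy in-process model of both sides of the exchange, not
code from curl or from anyone on the list. The domain, the mailbox list
and the reply strings are constructed for illustration.
"""
from collections.abc import Callable, Iterable

DOMAIN = "mail.example"                        # constructed
MAILBOXES = {"alice", "bob", "postmaster"}     # constructed: the server's real users

Vrfy = Callable[[str], str]   # a server-side VRFY handler: username -> reply line


def vrfy_leaky(user: str) -> str:
    """Classic behaviour: 250 for a known mailbox, 550 for anything else.
    The reply code alone tells the client whether the account exists."""
    if user in MAILBOXES:
        return f"250 <{user}@{DOMAIN}>"
    return f"550 5.1.1 <{user}@{DOMAIN}>: Recipient address rejected: User unknown"


def vrfy_hardened(user: str) -> str:
    """The admin mitigation described in the thread: the same non-committal
    success reply for every name. RFC 5321 reserves 252 for exactly this."""
    return "252 Cannot VRFY user, but will accept message and attempt delivery"


def reply_code(line: str) -> int:
    """Parse the three-digit SMTP reply code that starts a reply line."""
    code = line[:3]
    if len(line) < 4 or not code.isdigit() or line[3] not in " -":
        raise ValueError(f"malformed SMTP reply: {line!r}")
    return int(code)


def exchange(vrfy: Vrfy, user: str) -> list[str]:
    """Both sides of one VRFY round trip, as a transcript."""
    return [f"C: VRFY {user}", f"S: {vrfy(user)}"]


def enumerate_users(candidates: Iterable[str], vrfy: Vrfy) -> list[str]:
    """Attacker's loop: only a 250 (mailbox named) confirms an account.
    252 is a 2xx reply but confirms nothing, so it is not counted."""
    return sorted(u for u in candidates if reply_code(vrfy(u)) == 250)


def is_oracle(candidates: Iterable[str], vrfy: Vrfy) -> bool:
    """A handler is an enumeration oracle when different names can produce
    different replies. One reply for every name means the attacker learns
    nothing from VRFY."""
    return len({vrfy(u) for u in candidates}) > 1


if __name__ == "__main__":
    wordlist = ["admin", "alice", "bob", "carol", "root"]  # constructed attacker wordlist
    for name, handler in (("leaky", vrfy_leaky), ("hardened", vrfy_hardened)):
        print(f"--- {name} server ---")
        for line in exchange(handler, "alice") + exchange(handler, "carol"):
            print(line)
        print("enumerated:", enumerate_users(wordlist, handler))
        print("oracle:", is_oracle(wordlist, handler))
```

Against the leaky handler the wordlist yields the two real accounts; against the hardened one every name gets the identical 252 line, so the reply set collapses to one value and the loop learns nothing. Note that 252 is still a 2xx success code, which is what a client that issues VRFY per recipient (as Andrea describes libcurl doing when CURLOPT_UPLOAD is not set) will see, without the mailbox actually having been confirmed.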
Received on 2023-06-07