Re: SMTP VRFY again
From: Andrea Venturoli via curl-users <curl-users_at_lists.haxx.se>
Date: Thu, 8 Jun 2023 08:57:53 +0200
On 6/7/23 20:41, Jeffrey Walton wrote:
Hello.
> I _thought_ SMTP's VRFY command was frowned upon because it allowed
> attackers to enumerate users.
I didn't investigate, but I believe what you say is likely.
Also, libcurl connects to *my* SMTP relay and uses VRFY with remote
users, so, even if VRFY was allowed, I believe it would fail.
> I _think_ one of the things mail administrators do nowadays is to
> always return success, even for non-existent users.
From the logs I think the SMTP server rejects VRFY; however I believe I
get a "success" from libcurl.
Not sure, though, as I didn't investigate.
> According to Bernstein at [1], rejecting VRFY is dangerous. Maybe you
> should reach out to the mail admin on the site you are trying to send
> mail to.
*I* am the mail admin of the SMTP server libcurl is connecting to and
I'm *NOT* going to enable VRFY.
That said, what I'm trying to achieve is that libcurl doesn't use VRFY,
but sends mail directly.
This used to work with curl 8.0.1; it doesn't with 8.1.0 or 8.1.1.
So, my question was: is the API changed?
bye & Thanks
av.
Received on 2023-06-08