Ubuntu mail headers are not best practice

Stephan Hermann sh at sourcecode.de
Wed Jul 11 07:47:48 BST 2007


Good Morning Matthew, 

Am Dienstag, den 10.07.2007, 15:38 +0100 schrieb Matthew Garrett:
> On Tue, Jun 19, 2007 at 09:02:01AM -0700, Sherman Boyd wrote:
> > The default postfix configuration sets the mail header to something like this:
> > 
> > 220 mx.myhostname.com ESMTP Postfix (Ubuntu)
> > 
> > This gives anyone who connects to port 25 both the name of your SMTP
> > software and your Linux distribution.  There is no reason to disclose
> > this information, and from a security perspective it is a best
> > practice not to.
> 
> In reality, anyone can figure out which mail daemon and Linux 
> distribution you're running with a high degree of certainty anyway. 
> Hiding this information doesn't actually buy you anything and makes 
> debugging various issues harder.

That is totally right, but there are some so called "security companies"
who are auditing your company for certain things regarding public
available IT security, and they are complaining about obvious names in
public services. 
When this happens, you can't fullfil some needed tests for e.g. having
creditcard acceptance for your product.

But I think it's possible to overwrite the name and os for postfix in
the main.cf, so it's actually a admin thing.

Regards,

\sh 
-- 
Stephan Hermann
eMail: sh at sourcecode.de         Blog: http://linux.blogweb.de/
JID: sh at linux-server.org        
OSS-Developer and Admin





More information about the ubuntu-devel mailing list