I've been scanning a Win2k and a Linux box in a captive lab environment, and reviewing the Sniffer traces of the SMTP scans. It would appear the SMTP scripts need to be updated to reflect more current email implementations. For example:
a) The scripts used to identify "mail to a file" issues have been hard-coded as [EMAIL PROTECTED] (substitute the Nessus interface IP for the 1.2.3.4). Since a large number of mail systems have been configured to accept mail only from valid userids and/or domains, the script will only be truthful if run against a totally open and older UNIX mail system. In the more current mail systems, if the sender's userid/domain is not recognized by the mail system as valid, the system returns "sender domain must exist" to Nessus, which actually has nothing to do with whether the system will relay or not. The script never gets to the point of being able to actually test the intended function (because of the invalid userid).

b) The same issue exists with the tests piping an email to an application (|testing).

c) On some systems, the same issue probably exists with "mail relay".

The current logic for (a) and (b) essentially provides a false sense of acceptance, since there is no indication the test did not actually complete.

Proposal / thoughts: Recode the SMTP tests to allow the user to enter a valid userid/domain as an SMTP parameter, just like the Nessus preferences for POP3 and IMAP (instead of the hard-coded [EMAIL PROTECTED] or [EMAIL PROTECTED] addresses). Then add logic to the scripts to look for "sender domain must exist" (etc.) to provide positive feedback to the user.

Any thoughts?

Rich
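The following is an added illustration of the proposal above, written for this page; it is not Rich's code and not Nessus's NASL scripts. It drives the HELO / MAIL FROM / RCPT TO exchange with a caller-supplied sender address and, instead of treating any non-250 reply as "not vulnerable", reports a third state, "incomplete", when the server refuses the sender before RCPT TO is ever sent. The `FakeMTA` class, the `lab.example` domain, the test recipients and the reply wording are all constructed for the example (the 553/550/554 texts are modelled on common MTA phrasing, not captured from a real host); nothing here is from the original post.

```python
import re
from dataclasses import dataclass

# `conn` is anything with readline()/write()/flush(). For a real target use
# sock.makefile("rw", encoding="ascii", newline=""); here a constructed
# in-memory FakeMTA stands in so the probe runs offline.


@dataclass
class ProbeResult:
    rcpt: str     # recipient tested, e.g. "|testing" or "/tmp/nessus_test"
    outcome: str  # "accepted" (finding), "rejected" (clean), "incomplete" (never reached RCPT)
    stage: str    # SMTP command whose reply decided the outcome
    reply: str    # that reply, verbatim, for the report


def _read_reply(conn):
    """Read one SMTP reply, joining '250-...' continuation lines."""
    lines = []
    while True:
        line = conn.readline().rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)


def _code(reply):
    m = re.match(r"\d{3}", reply)
    return int(m.group(0)) if m else 0


def _cmd(conn, line):
    conn.write(line + "\r\n")
    conn.flush()
    return _read_reply(conn)


def probe_rcpt(conn, sender, rcpt, helo="scanner.lab.example"):
    """HELO / MAIL FROM:<sender> / RCPT TO:<rcpt>, classifying the RCPT reply.
    A non-250 reply to MAIL FROM (a 'sender domain must exist' style 5xx, for
    instance) means the recipient was never tested: report 'incomplete'."""
    banner = _read_reply(conn)
    if _code(banner) != 220:
        return ProbeResult(rcpt, "incomplete", "BANNER", banner)
    for stage, line in (("HELO", f"HELO {helo}"), ("MAIL", f"MAIL FROM:<{sender}>")):
        reply = _cmd(conn, line)
        if _code(reply) != 250:
            _cmd(conn, "QUIT")
            return ProbeResult(rcpt, "incomplete", stage, reply)
    reply = _cmd(conn, f"RCPT TO:<{rcpt}>")
    _cmd(conn, "QUIT")
    code = _code(reply)
    outcome = "accepted" if code in (250, 251) else "rejected" if 400 <= code < 600 else "incomplete"
    return ProbeResult(rcpt, outcome, "RCPT", reply)


class FakeMTA:
    """Constructed in-memory target (not a real mail server).
    mode="open": old wide-open MTA, any sender and any recipient accepted.
    mode="modern": sender domain checked at MAIL FROM, pipe/file recipients
    refused, mail accepted only for its own domain."""
    LOCAL = "lab.example"

    def __init__(self, mode="modern"):
        self.mode = mode
        self.sender_ok = False
        self.pending = [f"220 mail.{self.LOCAL} ESMTP\r\n"]
        self.transcript = []  # verbs the probe actually sent

    def readline(self):
        return self.pending.pop(0)

    def flush(self):
        pass

    def write(self, line):
        verb, _, arg = line.strip().partition(" ")
        self.transcript.append(verb.upper())
        self.pending.append(self._reply(verb.upper(), arg) + "\r\n")

    def _reply(self, verb, arg):
        addr = arg.split(":", 1)[-1].strip().strip("<>").strip('"')
        domain = addr.rpartition("@")[2]
        if verb == "HELO":
            return f"250 mail.{self.LOCAL}"
        if verb == "MAIL":
            if self.mode == "open" or domain == self.LOCAL:
                self.sender_ok = True
                return "250 2.1.0 Ok"
            return f"553 5.1.8 <{addr}>: Sender address rejected: Domain not found"
        if verb == "RCPT":
            if not self.sender_ok:
                return "503 5.5.1 Error: need MAIL command"
            if self.mode == "open":
                return "250 2.1.5 Ok"
            if addr.startswith(("|", "/")):
                return f"550 5.1.1 <{addr}>: Recipient address rejected"
            if domain != self.LOCAL:
                return f"554 5.7.1 <{addr}>: Relay access denied"
            return "250 2.1.5 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"
```

Run against the "modern" target with the old hard-coded style sender (nobody@1.2.3.4), every probe comes back "incomplete" at the MAIL stage and the transcript shows no RCPT TO was ever sent, which is exactly the condition the old scripts report as a clean result. With a sender in the target's own domain the same probes reach RCPT TO and return "rejected" (550 for the pipe and file recipients, 554 for the relay attempt); against the "open" target the pipe recipient comes back "accepted". Only that last state is a finding; "incomplete" is the positive feedback to the user that the test did not run.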
