> -----Original Message-----
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Rich Wales
> Sent: Tuesday, May 03, 2011 9:18 AM
> To: postfix users
> Subject: Re: security vulnerability : SMTP daemon supports EHLO
> 
> I can imagine that some hackers might use the SIZE info in an EHLO response
> as an invitation to try to crash a server by sending huge messages that are
> just under the advertised maximum length -- hence the idea of omitting this
> item from the EHLO response.  I'd certainly be interested in hearing other
> thoughts about EHLO-related security concerns.

It's hard to give a general answer, but specifically, every SMTP extension 
listed by EHLO has an RFC that defines it, and those each have a "Security 
Considerations" section.  So if you want to be ultra-diligent, go read them all 
and then turn off the ones that scare you.

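The audit suggested in the reply above, sketched as an added example (not code from the thread or from Postfix): it parses a multi-line EHLO reply, pairs each advertised keyword with the RFC that defines it, and renders a `main.cf` line using Postfix's `smtpd_discard_ehlo_keywords` parameter. The sample reply, the function names and the choice of keywords to discard are constructed for illustration.

```python
import re

# Defining RFC for each common EHLO keyword (where its "Security Considerations" live).
EXTENSION_RFC = {
    "SIZE": "RFC 1870", "PIPELINING": "RFC 2920", "8BITMIME": "RFC 6152",
    "STARTTLS": "RFC 3207", "AUTH": "RFC 4954", "ENHANCEDSTATUSCODES": "RFC 2034",
    "DSN": "RFC 3461", "ETRN": "RFC 1985", "CHUNKING": "RFC 3030",
    "BINARYMIME": "RFC 3030", "SMTPUTF8": "RFC 6531", "VRFY": "RFC 5321",
}

# Reply lines: "250-text" continues, "250 text" ends the reply (RFC 5321 section 4.2.1).
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo(response):
    """Return [(keyword, params)] from a raw EHLO reply; the greeting line is skipped."""
    extensions = []
    lines = response.replace("\r\n", "\n").strip().split("\n")
    for index, line in enumerate(lines):
        match = REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError(f"not a 250 EHLO reply line: {line!r}")
        is_last = match.group(2) == " "
        if is_last != (index == len(lines) - 1):
            raise ValueError("continuation markers do not match reply length")
        if index == 0:
            continue  # first line carries the server's domain and greeting
        words = match.group(3).split()
        if words:
            extensions.append((words[0].upper(), words[1:]))
    return extensions

def audit(response):
    """Map each advertised keyword to its defining RFC, or None if not in the table."""
    return [(kw, params, EXTENSION_RFC.get(kw)) for kw, params in parse_ehlo(response)]

def discard_setting(keywords):
    """Render a main.cf line that stops Postfix from announcing the chosen keywords."""
    return "smtpd_discard_ehlo_keywords = " + ", ".join(k.lower() for k in keywords)

# Constructed sample reply, not captured from a real server.
SAMPLE = ("250-mail.example.com\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
          "250-VRFY\r\n250-ETRN\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN\r\n")

if __name__ == "__main__":
    for keyword, params, rfc in audit(SAMPLE):
        print(f"{keyword:20} {' '.join(params):10} {rfc or 'unknown: look it up'}")
    print(discard_setting(["ETRN", "DSN"]))  # illustrative choice, not a recommendation
```

A keyword that comes back with no RFC is one the table does not cover and needs to be looked up by hand before deciding whether to keep it.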