Does anyone know how to completely disable VRFY in exchange server 2007? We've had an audit from a security firm and this (although it isn't, in fact, a problem, I know) is showing up as a breach I just wondered if I could simply disable VRFY before I ring up and start shouting the odds with them? Thanks

VRFY is one of the basic SMTP commands. It is used to verify the existence of a user on an SMTP e-mail server. If a wildcard is used in the VRFY command (i.e. VRFY *), a remote server would return the complete list of users. This should be disabled or remote attackers could exploit this command to gather information about users for future attacks. What is your OS version? Vinod |CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|

I guess it is disable by default in Exchange since 2000/2003, isn't it? Do telnet to your Exchange 2007 server on port 25 and check... telnet Exchange2007ServerName 25 vrfy * vrfy username@exchangedomain.com You will get below result... 252 2.1.5 Cannot VRFY userAmit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

Microsoft does not enable VRFY in any version of Exchange after E2K that I am aware of. Like MANY things in a security consultant's report, tell them this is a false positive. Security consultants often just do very generic scans and report finding such as the VRFY command is showing up when their scanner does an EHLO to the Exchange server. They don't bother to investigate that this is an Exchange server and that the verb really does not do anything. Jim McBee - Blog - http://mostlyexchange.blogspot.com

Hi, Base on my research, it is hard coded in exchange 2007 not to support vrfy command. Just like Amit said, it will actually respond back with internal static, readonly SmtpResponse UnableToVrfyUser = new SmtpResponse("252", "2.1.5", "Cannot VRFY user"); Regards, Xiu

Microsoft does not enable VRFY in any version of Exchange after E2K that I am aware of. Like MANY things in a security consultant's report, tell them this is a false positive. Security consultants often just do very generic scans and report finding such as the VRFY command is showing up when their scanner does an EHLO to the Exchange server. They don't bother to investigate that this is an Exchange server and that the verb really does not do anything. Jim McBee - Blog - http://mostlyexchange.blogspot.com I agree with the false-positives thing Jim. It's these type of checklist auditors that give other security consultants a bad name. If a vulnerability is worth noting on a report (especially if it's listed as a "breach") then it's probably worth validating.