220 too much information220 fully.qualified.host.name ESMTP Service (Lotus Domino Release 6.5.4) ready at Wed, 14 Dec 2005 12:44:22 +0000
Or this?
220 ******************************************************************************************200***2****22**0000
The former is RFC correct, but arguably discloses too much information - all that is required for RFC correctness in a 220 greeting is that it includes the fully qualified hostname of the local server. The latter is RFC incorrect and an indication that your SMTP is behind a Pix firewall with SMTP fixup turned on.
Fortunately the fix to both is very easy.
- In both cases, edit notes.ini at the server in question and include
smtpgreeting=fully.qualified.host.name ready at %s
where "fully.qualified.host.name" is your server's own FQHN. The %s will be subsituted by the local server time when a remote client connects.
- In the latter case, just turn off SMTP fixup at the firewall. You don't need it and it does more harm than good provided you take a few simple precautions.
Try it now:
220 fully.qualified.host.name ready at Wed, 14 Dec 2005 12:44:22 +0000
Much better.
Category: Domino: Administration
Technorati: Domino: Administration
1. Sean Burgess14/12/2005 21:49:37
Homepage: http://www.phigsaidwhat.com
Nice find Chris! This should make some of the more security conscious folks happy, but can also allow admins to send a warning message to people trying to telnet on 25. Something like "Welcome to host.name. We know who you are and are sending the police to find you. Have a nice life! ready at %s" might be as much fun as an admin can handle in one day.
Sean---
2. Gregg Eldred15/12/2005 02:03:22
Homepage: http://www.ns-tech.com/blog/geldred.nsf
Thanks for the kick in the pants. I have been meaning to make that change, and when I saw that you commented on it, I did it. But I like Sean's idea a little more. 
3. Chris Linfoot15/12/2005 09:08:57
@Sean - the admin at lotus.com already did something very similar.
4. Bart Severein16/01/2007 09:57:34
You might as well consider SMTPNoVersionInRcvdHdr=1 :
When you set this variable to 1, it prevents Domino server product information from being disclosed in the SMTP Received headers. The default is 0.
5. Chris Linfoot16/01/2007 10:19:10
Useful tip, though I'm not sure why that's generally useful.
For the benefit of other readers, notes.ini SMTPGreeting=... is the only way of altering the server's 220 greeting so that it does not reveal that the server is running Domino version x.y.z
notes.ini SMTPNoVersionInRcvdHdr=1 tells the SMTP listener not to write the Domino version into its own received header on an inbound message and has no effect on the 220 greeting.
6. Bart Severein17/01/2007 06:54:03
I thought this header is being kept when replying to the email.
7. Chris Linfoot17/01/2007 08:39:16
No.
The only circumstances in which the header is kept is if you have a forwarding address (an external SMTP address) set up in the PAB. In this case, the Domino server will accept the message and queue it locally and the router will spot the forwarding address and send the message on to the MX host for the domain of the forwarding address with all headers intact, without that message ever touching any local user mailbox.
Forwards, replies with history etc become new messages and none of the headers of the original message is preserved. I've often thought it would be useful if they were, but they're not.
Actually, if you have one of those email clients which includes forward as attachment or equivalent, then messages forwarded as attachments do usually keep all headers, but Notes does not do this.
8. Bart Severein17/01/2007 16:23:21
OK, thanks for clearing that up. Then it's not useful regarding spam IMHO. Anyway, have a nice evening with presents etc.
Unable to post a comment? Please read this for a possible explanation...
- 
