# VRFY, EXPN, RCPT TO Information Disclosure (Postfix)

## krani1

Hi there, I've followed the Email System For The Home Network - Version 2.1 manual to set up a complete email server using Postfix and it's running very very well.. but I've got a really nasty problem.

When I do an EHLO, I get this from the server:

```
220 myhost ESMTP Postfix
EHLO localhost
250-myhost
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
```

So this thing is crap because, if I use the VRFY or RCPT TO commands, I can get some information about the users in my system. For example:

```
MAIL FROM: <foo@bar.com>
250 Ok
VRFY <root@localhost>
252 root@localhost
VRFY <foobar@localhost>
450 <foobar@localhost>: Recipient address rejected: User unknown in local recipient table
RCPT TO: <foobar@localhost>
450 <foobar@localhost>: Recipient address rejected: User unknown in local recipient table
RCPT TO: <root@localhost>
250 Ok
```

I've searched the forums and found nothing about this. So how can I disable the VRFY / EXPN option, and customize the RCPT TO message to say something like "Send mail, I'll try my best"? Can anyone help me with this, please?

TYA

----------

## ronaldmoes

You can use 

```
disable_vrfy_command = yes
```

in main.conf to disable verifying. The RCPT TO: is how it's supposed to work. You can choose to accept all mail (so rcpt to always succeeds) but that means every piece of spam to an unknown address will end up as a bounce in your mailbox, which is not nice.

----------

## krani1

ok thx for the VRFY info.

I've been reading about the RCPT TO problem, and found that I need to make a compromise between possible information disclosure and being treated as a bouncer by accepting all mails...

so now I'll not touch anything, thx for your help

----------
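Added example, not from any poster in this thread or from the Postfix project: an offline check that parses a captured SMTP session like the one krani1 posted (abridged below as constructed sample input) and reports whether VRFY/EXPN is advertised and which commands return different reply codes for different addresses. The names `audit` and `oracles` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input: the session from the thread, EHLO reply abridged.
TRANSCRIPT = """\
220 myhost ESMTP Postfix
EHLO localhost
250-myhost
250-PIPELINING
250-VRFY
250 8BITMIME
MAIL FROM: <foo@bar.com>
250 Ok
VRFY <root@localhost>
252 root@localhost
VRFY <foobar@localhost>
450 <foobar@localhost>: Recipient address rejected: User unknown in local recipient table
RCPT TO: <foobar@localhost>
450 <foobar@localhost>: Recipient address rejected: User unknown in local recipient table
RCPT TO: <root@localhost>
250 Ok
"""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")            # code, continuation flag, text
PROBE = re.compile(r"^(VRFY|EXPN|RCPT TO):?\s*<([^>]+)>", re.I)

def audit(transcript):
    """Return (advertised verbs, {verb: {reply code: [addresses]}})."""
    advertised, codes, last_cmd = set(), defaultdict(lambda: defaultdict(list)), ""
    for line in filter(None, map(str.strip, transcript.splitlines())):
        reply = REPLY.match(line)
        if not reply:                       # not a reply, so a client command
            last_cmd = line
            continue
        code, sep, text = reply.groups()
        keyword = (text.split() or [""])[0].upper()
        if last_cmd.upper().startswith("EHLO") and keyword in ("VRFY", "EXPN"):
            advertised.add(keyword)
        probe = PROBE.match(last_cmd)
        if probe and sep == " ":            # final line of the reply to a probe
            codes[probe.group(1).upper()][code].append(probe.group(2))
    return advertised, codes

def oracles(codes):
    """Verbs whose reply code depends on the address (an enumeration oracle)."""
    return sorted(verb for verb, by_code in codes.items() if len(by_code) > 1)

if __name__ == "__main__":
    advertised, codes = audit(TRANSCRIPT)
    print("advertised:", sorted(advertised), "| varies by address:", oracles(codes))
```

Run against a fresh capture after setting `disable_vrfy_command = yes`, VRFY should drop out of both results once every VRFY gets the same reply; RCPT TO stays listed unless all recipients are accepted, which is the trade-off discussed in the thread.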

