| An attacker can use sendmail's vrfy (verify recipient existence) and expn (expand recipient alias/list contents) commands to learn more about accounts on the system. The expn command, for instance, could be used to find out who the "postmaster" and "abuse" aliases redirect mail to, which identifies which user account belongs to the system administrator.
These sendmail commands can probably be disabled without breaking anything and will make the system cracker's job more difficult. The only reasons to leave them on are (1) you are running an old-fashioned, friendly site, (2) you are using them to debug your own mail server, or (3) the very small chance that some software you use relies on this. |