From 68729fa5a31223b949785ccfb7edbe5fe0bf15dc Mon Sep 17 00:00:00 2001
From: Mechiel Lukkien
Date: Fri, 28 Mar 2025 17:46:08 +0100
Subject: [PATCH] in smtp banner and imap ID command response when unauthenticated, don't send the mox version number

Attackers scanning the internet can use it to easily create a database of hosts, software and versions. Let's not make it too easy to find old versions that may be vulnerable to potential bugs found in the future. We could try hiding the name "mox" as well, but the banner will still be identifyable, so there isn't much point, and the public knowing approximately which software is running can be useful for debugging. The ID command in IMAP is used by clients to announce their software and version. We only respond with our version when the user is authenticated. There are still ways to discover the version number. But they don't involve standard banner scanning, so someone would have to specifically target mox. We could tighten that in the future. For issue #322, based on email. Thanks everyone for discussing.
---
 imapserver/server.go | 8 ++++++--
 smtpserver/server.go | 3 +--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/imapserver/server.go b/imapserver/server.go
index d538f7d..abdf24f 100644
--- a/imapserver/server.go
+++ b/imapserver/server.go
@@ -1837,8 +1837,12 @@ func (c *conn) cmdID(tag, cmd string, p *parser) {
 c.log.Info("client id", slog.Any("params", params))
 // Response syntax: ../rfc/2971:243
- // We send our name and version. ../rfc/2971:193
- c.bwritelinef(`* ID ("name" "mox" "version" %s)`, string0(moxvar.Version).pack(c))
+ // We send our name, and only the version for authenticated users. ../rfc/2971:193
+ if c.state == stateAuthenticated || c.state == stateSelected {
+ c.bwritelinef(`* ID ("name" "mox" "version" %s)`, string0(moxvar.Version).pack(c))
+ } else {
+ c.bwritelinef(`* ID ("name" "mox")`)
+ }
 c.ok(tag, cmd)
 }
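Review bot: The new check in cmdID is a positive allowlist (`c.state == stateAuthenticated || c.state == stateSelected`), which fails closed if another connection state is ever added, but neither the code nor the comment says that this is deliberate or why the version is withheld before authentication, so a later cleanup could easily collapse it back into one format call or a negated "not authenticated" test. I would extend the comment to `// We send our name, and the version only for authenticated users: a version in the unauthenticated response lets internet-wide scanners catalogue installs by version (issue #322). The states are allowlisted so any future state stays version-less.` The literal `* ID ("name" "mox")` on the unauthenticated path is a valid RFC 2971 response as far as I can tell (both fields are optional), but if this package already has a test for the ID command it should pin both responses and assert that the pre-auth one contains no "version" field, since nothing in the diff covers that. cmdID's signature appears only in the hunk header, so the function starts outside the hunk.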
diff --git a/smtpserver/server.go b/smtpserver/server.go
index 1990c73..def9194 100644
--- a/smtpserver/server.go
+++ b/smtpserver/server.go
@@ -52,7 +52,6 @@ import (
 "github.com/mjl-/mox/mlog"
 "github.com/mjl-/mox/mox-"
 "github.com/mjl-/mox/moxio"
- "github.com/mjl-/mox/moxvar"
 "github.com/mjl-/mox/publicsuffix"
 "github.com/mjl-/mox/queue"
 "github.com/mjl-/mox/ratelimit"
@@ -1001,7 +1000,7 @@ func serve(listenerName string, cid int64, hostname dns.Domain, tlsConfig *tls.C
 // We include the string ESMTP. https://cr.yp.to/smtp/greeting.html recommends it.
 // Should not be too relevant nowadays, but does not hurt and default blackbox
 // exporter SMTP health check expects it.
- c.writelinef("%d %s ESMTP mox %s", smtp.C220ServiceReady, c.hostname.ASCII, moxvar.Version)
+ c.writelinef("%d %s ESMTP mox", smtp.C220ServiceReady, c.hostname.ASCII)
 for {
 command(c)
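Review bot: The rewritten 220 banner in serve() drops the version with no comment recording that the omission is intentional, so a later contributor reading the surrounding "ESMTP" note could reasonably re-add `moxvar.Version` for debugging convenience; the removal of the moxvar import in the first hunk does at least guarantee that nothing else in this file still prints it. I would add above the writelinef: `// We deliberately leave out the mox version: internet-wide banner scanners would otherwise get a free inventory of installs by version (issue #322). The name stays, the banner is identifiable anyway.` Other files in the package, and any EHLO/HELP reply text or Received header, are not covered by this diff, so a grep for remaining moxvar.Version uses that reach an unauthenticated peer would be worth doing before considering the issue closed. serve()'s body continues well beyond the hunk.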