* * * * *

Expanding on EXPN

Once again Spring [1] is having problems with mailing her journal entries, [2] only this time it's with Yahoo. [3] What is it? EXPN is all the rage now? Must expand email addresses?

Sigh.

So I decide to fix it once and for all. I check the configuration file for Sendmail [4] and don't see any obvious way to disable the EXPN command. Not wanting to hack the source code to remove the EXPN command I figure the next easiest way is to hack the actual binary and change any occurrence of E-X-P-N-NULBYTE such that sendmail will no longer be able to actually respond to the EXPN command. I have some software I wrote years ago that makes this relatively easy to do.

So, I find the occurrences of E-X-P-N-NULBYTE and make the changes.

No go. Sendmail still responds to the EXPN command.

Okay, so next it's occurrences of e-x-p-n-NULLBYTE and that's when I find the curious string “noexpn” in the executable.

Hmmmmmmmm … I think to myself. Might there actually be a way to disable the EXPN command?

So I search the site [5] for noexpn and I find this: [6]

> PrivacyOptions=opt,opt,…
> Set the privacy options. “Privacy” is really a misnomer; many of
> these are just a way of insisting on stricter adherence to the SMTP
> protocol. The options can be selected from:
>
>   public         Allow open access
>   needmailhelo   Insist on HELO or EHLO command before MAIL
>   needexpnhelo   Insist on HELO or EHLO command before EXPN
>   noexpn         Disallow EXPN entirely
>   needvrfyhelo   Insist on HELO or EHLO command before VRFY
>   novrfy         Disallow VRFY entirely
>   restrictmailq  Restrict mailq command
>   restrictqrun   Restrict -q command line flag
>   noreceipts     Don't return success DSNs
>   goaway         Disallow essentially all SMTP status queries
>   authwarnings   Put X-Authentication-Warning: headers in messages
>
> The goaway pseudo-flag sets all flags except restrictmailq and
> restrictqrun. If mailq is restricted, only people in the same group
> as the queue directory can print the queue. If queue runs are
> restricted, only root and the owner of the queue directory can run
> the queue. Authentication Warnings add warnings about various
> conditions that may indicate attempts to spoof the mail system,
> such as using a non-standard queue directory.

I don't know if it's A Good Thing or A Bad Thing that you can learn more about a program from scanning the executable than you could probably get reading the documentation.

[1] http://www.springdew.com/
[2] gopher://gopher.conman.org/1Phlog:2000/08/23
[3] http://www.yahoo.com/
[4] http://www.sendmail.org/
[5] http://www.altavista.com/cgi-bin/query?pg=q&text=yes&what=web&fmt=&fmt=&q=%2Bhost%3Awww.sendmail.org+noexpn
[6] http://www.sendmail.org/~ca/email/doc8.8/op-sh-5.html

Email Sean Conner at sean@conman.org.
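An added example, not part of the original post or of Sendmail: a small Python check that reads configuration text and reports whether EXPN and VRFY are open, HELO-gated or disabled under the PrivacyOptions flags quoted above. The `O PrivacyOptions=...` line syntax, the accumulation of repeated lines, the handling of `public` under `goaway`, and the sample configs are assumptions.

```python
import re

# Flag names as listed in the PrivacyOptions documentation quoted in the post.
KNOWN = {"public", "needmailhelo", "needexpnhelo", "noexpn", "needvrfyhelo",
         "novrfy", "restrictmailq", "restrictqrun", "noreceipts", "goaway",
         "authwarnings"}
# Quoted text: goaway sets all flags except restrictmailq and restrictqrun.
# Leaving out "public" and "goaway" itself is an assumption of this sketch.
GOAWAY = KNOWN - {"restrictmailq", "restrictqrun", "public", "goaway"}

# Assumed config syntax: a line starting "O PrivacyOptions=opt,opt,..."
OPTION_RE = re.compile(r"^O\s+(?i:PrivacyOptions)\s*=\s*(.*)$")

def effective_flags(cf_text):
    """Return (flags, unknown) gathered from every PrivacyOptions line."""
    flags, unknown = set(), set()
    for line in cf_text.splitlines():
        m = OPTION_RE.match(line)
        if not m:
            continue  # comments such as "#O PrivacyOptions=..." never match
        for opt in filter(None, re.split(r"[,\s]+", m.group(1).lower())):
            if opt not in KNOWN:
                unknown.add(opt)      # e.g. a typo like "noexpm": reported, not counted
            elif opt == "goaway":
                flags |= GOAWAY
            else:
                flags.add(opt)        # repeated lines accumulate (assumption)
    return flags, unknown

def audit(cf_text):
    """Summarise how EXPN and VRFY are exposed under the given config text."""
    flags, unknown = effective_flags(cf_text)
    def state(no_flag, helo_flag):
        if no_flag in flags:
            return "disabled"
        return "needs HELO/EHLO" if helo_flag in flags else "open"
    return {"EXPN": state("noexpn", "needexpnhelo"),
            "VRFY": state("novrfy", "needvrfyhelo"),
            "unknown": sorted(unknown)}

# Constructed sample configs (not taken from any real system).
BEFORE = "# constructed sample\nO PrivacyOptions=authwarnings\n"
AFTER = "O PrivacyOptions=authwarnings,noexpn,novrfy\n"

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text))
```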