Home » Kerio User Forums » Kerio Connect » Username enumeration via RCPT command allowed

Messages: 13

Karma: 0
Send a private message to this user
I'm using Kerio Connect latest and greatest version. During annual penetration test it was discovered that username enumeration via RCPT is allowed. And I agree with pentester, this is an issue.
I also created support ticket but thought it may be useful for other Kerio users to acknowldge this issue and is anybody has, to share thoughts.

I removed all server and domain specific information though.


Kerio/GFI Brian

Messages: 852
Karma: 90
Send a private message to this user
By default Kerio Connect allows up to 5 failed guesses before blocking the remote host. You can lower this value to pass the test. This setting is in the STMP server in the security options.

Brian Carmichael
Instructional Content Architect
Previous Topic: Kerio Connect refuses to start after important kernel update
Next Topic: Thunderbird train SpamAssassin
Goto Forum:

Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Tue Nov 20 08:50:27 CET 2018

Total time taken to generate the page: 0.91752 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.