You answered your own question - you should disable EXPN. It doesn't
break any RFCs. Disabled is the norm these days - it might even be the
Actually, the two methods of obscurity are not interdependent - you can
leave EXPN enabled and hide the list members very easily. But safest to
turn both off.
> From: David Coles[SMTP:email@example.com]
> Sent: 18 November 1997 15:34
> To: firstname.lastname@example.org
> Subject: Any point disabling 'who'?
> I'll probably get flamed for this, but I can't see anything in the FAQ
> It is possible to disable the 'who' command - fine.
> However, surely it's still possible to see who's on the list with the
> command to sendmail.
> Is there any way of stopping this (other than disabling EXPN in
> sendmail -
> would that be against some RFC or other)?
> -David Coles