[exim] Re(2): Forbid HELO

Top Page
This message is part of the following thread:
M-\the complete thread tree sorted by date
M\MIan Eiloart at <-
MMMDennis Davis at ->
Delete this message
Reply to this message
Author: Bill Hacker
Date:  
To: exim-user
Subject: [exim] Re(2): Forbid HELO
>
>
>--On 26 October 2006 09:40:30 +0100 Philip Hazel <ph10@???>
>wrote:
>
>> On Thu, 26 Oct 2006, Peter Bowyer wrote:
>>
>>> > 250 xxx.net Hello xxx.net [82.230.172.234]
>>> >
>>> > HELO is still allowed. I really would like to deny it here.
>>>
>>> HELO support is a required part of SMTP, as has already been
>>> explained. It's not possible, and not sensible, to disallow it.
>>
>> Well, it is possible, though I entirely agree that it is not sensible!
>
>I think the OP is saying that HELO on an authenticated connection would be
>unexpected, and it might be useful to bar it as a precaution.

I don't know if 'unexpected' would necessarily be the case.

Might not a calling host first HELO and invoke the list of 'advertised'
services, and only then use an EHLO if such were 'advertised', ELSE not?

Might not also a calling host that was itself NOT equipped with
extensions be confused / disinterested in requesting same, but not
necessarily insecure (by other means) nor unwelcome?

And it should probably be clarified by the OP if this is primarily about
MTA-MTA 'peer' traffic exchange, or sometimes/never/always appplicable to
MUA MSA submission connections.

Bill


> Presumably
>the idea is that any well written client that's authenticating is going to
>use EHLO,

At some point, 'almost certainly' yes. But not necessarily always as
'first verb' on initial arrival.

- OK - perhaps we are 'presuming' the ruleset under discussion is applied
at next stage - but I don't (yet) see that we have made that a certainty.

>and barring HELO might just catch out some piece of malware
>(whether extant or theoretical) that's trying to crack the authentication.
>
>I don't know off the top of my head whether it's true that the RFCs require
>that a proper authenticated connection must have used EHLO.
>
>> You can check for HELO vs EHLO in an ACL.
>>
>> --
>> Philip Hazel            University of Cambridge Computing Service
>> Get the Exim 4 book:    http://www.uit.co.uk/exim-book

>
>
>
>--
>Ian Eiloart
>IT Services, University of Sussex
>
>--
>## List details at http://www.exim.org/mailman/listinfo/exim-users
>## Exim details at http://www.exim.org/
>## Please use the Wiki with this list - http://www.exim.org/eximwiki/




This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Possible bug in 4.63 default configRe: [exim] "Ghost" user running exim?->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)