[exim] Re(2): Forbid HELO

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Bill Hacker
Date:  
À: exim-user
Sujet: [exim] Re(2): Forbid HELO
>
>
>--On 26 October 2006 09:40:30 +0100 Philip Hazel <ph10@???>
>wrote:
>
>> On Thu, 26 Oct 2006, Peter Bowyer wrote:
>>
>>> > 250 xxx.net Hello xxx.net [82.230.172.234]
>>> >
>>> > HELO is still allowed. I really would like to deny it here.
>>>
>>> HELO support is a required part of SMTP, as has already been
>>> explained. It's not possible, and not sensible, to disallow it.
>>
>> Well, it is possible, though I entirely agree that it is not sensible!
>
>I think the OP is saying that HELO on an authenticated connection would be
>unexpected, and it might be useful to bar it as a precaution.


I don't know if 'unexpected' would necessarily be the case.

Might not a calling host first HELO and invoke the list of 'advertised'
services, and only then use an EHLO if such were 'advertised', ELSE not?

Might not also a calling host that was itself NOT equipped with
extensions be confused / disinterested in requesting same, but not
necessarily insecure (by other means) nor unwelcome?

And it should probably be clarified by the OP if this is primarily about
MTA-MTA 'peer' traffic exchange, or sometimes/never/always appplicable to
MUA MSA submission connections.

Bill


> Presumably
>the idea is that any well written client that's authenticating is going to
>use EHLO,


At some point, 'almost certainly' yes. But not necessarily always as
'first verb' on initial arrival.

- OK - perhaps we are 'presuming' the ruleset under discussion is applied
at next stage - but I don't (yet) see that we have made that a certainty.

>and barring HELO might just catch out some piece of malware
>(whether extant or theoretical) that's trying to crack the authentication.
>
>I don't know off the top of my head whether it's true that the RFCs require
>that a proper authenticated connection must have used EHLO.
>
>> You can check for HELO vs EHLO in an ACL.
>>
>> --
>> Philip Hazel            University of Cambridge Computing Service
>> Get the Exim 4 book:    http://www.uit.co.uk/exim-book

>
>
>
>--
>Ian Eiloart
>IT Services, University of Sussex
>
>--
>## List details at http://www.exim.org/mailman/listinfo/exim-users
>## Exim details at http://www.exim.org/
>## Please use the Wiki with this list - http://www.exim.org/eximwiki/