On Thu, 26 Oct 2006, Ian Eiloart wrote:
> From: Ian Eiloart <iane@???>
> To: exim-users@???, Peter Bowyer <peter@???>
> Date: Thu, 26 Oct 2006 12:00:30 +0100
> Subject: Re: [exim] Forbid HELO
...
> I think the OP is saying that HELO on an authenticated connection
> would be unexpected, and it might be useful to bar it as a
> precaution. Presumably the idea is that any well written client
> that's authenticating is going to use EHLO, and barring HELO
> might just catch out some piece of malware (whether extant or
> theoretical) that's trying to crack the authentication.
>
> I don't know off the top of my head whether it's true that the
> RFCs require that a proper authenticated connection must have used
> EHLO.
Exim won't advertise SMTP service extensions -- SIZE, 8BITMIME,
PIPELINING, STARTTLS, HELP, AUTH, etc -- in response to an HELO
greeting[1]. Any subsequent attempt by the client to offer AUTH
should be rejected.
It's still probably worth including:
  # Connections must be authenticated.
  deny message = Unauthenticated connections are not allowed.
       ! authenticated = *
early in your acl_smtp_rcpt set. And make sure that your
acl_smtp_auth is properly set up, eg requiring an encrypted
connection for PLAIN or LOGIN authentication.
[1] I strongly suspect that this is because HELO handling is still
governed by RFC 821 which didn't know anything about SMTP
service extensions.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@??? Phone: +44 1225 386101
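As an added example (not part of the original message, and not
taken from any Exim distribution), here is one way to put the two
pieces of advice above into a single Exim 4 configuration: an
acl_smtp_auth that refuses the cleartext PLAIN and LOGIN mechanisms
unless STARTTLS has already been negotiated, and an acl_smtp_rcpt
that rejects anything not authenticated. The ACL names
(acl_check_auth, acl_check_rcpt) are my own; the conditions
(encrypted, authenticated, condition) and the variable
$smtp_command_argument are standard Exim 4 ACL features.

```exim
# Added example, not from the original message. Assumes Exim 4.x ACL
# syntax; the ACL names below are arbitrary.

acl_smtp_auth = acl_check_auth
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_auth:
  # PLAIN and LOGIN carry the password as base64 only, i.e. in the
  # clear, so refuse them on a session that has not done STARTTLS.
  # $smtp_command_argument is the text after "AUTH ", e.g. "PLAIN" or
  # "PLAIN <initial-response>", hence the anchored match on its start.
  deny  message    = PLAIN/LOGIN authentication requires an encrypted session
        !encrypted = *
        condition  = ${if match{${uc:$smtp_command_argument}}{^(PLAIN|LOGIN)}}

  # Everything else (CRAM-MD5, or PLAIN/LOGIN over TLS) may proceed.
  accept

acl_check_rcpt:
  # Connections must be authenticated before any recipient is accepted.
  deny  message        = Unauthenticated connections are not allowed.
        !authenticated = *

  accept
```

The same effect can be had at the authenticator level instead of in
the ACL: putting server_advertise_condition = ${if def:tls_in_cipher}
on the plaintext authenticators stops them being advertised at all
on an unencrypted session, so a well-behaved client never tries
them. The ACL version above additionally rejects a client that sends
AUTH PLAIN without having been offered it, which is the kind of
badly-behaved client the thread is worrying about.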