Re: [exim] Forbid HELO

Author: Dennis Davis
Date:  
To: exim-users
Subject: Re: [exim] Forbid HELO
On Thu, 26 Oct 2006, Ian Eiloart wrote:

> From: Ian Eiloart <iane@???>
> To: exim-users@???, Peter Bowyer <peter@???>
> Date: Thu, 26 Oct 2006 12:00:30 +0100
> Subject: Re: [exim] Forbid HELO


...

> I think the OP is saying that HELO on an authenticated connection
> would be unexpected, and it might be useful to bar it as a
> precaution. Presumably the idea is that any well written client
> that's authenticating is going to use EHLO, and barring HELO
> might just catch out some piece of malware (whether extant or
> theoretical) that's trying to crack the authentication.
>
> I don't know off the top of my head whether it's true that the
> RFCs require that a proper authenticated connection must have used
> EHLO.


Exim won't advertise SMTP service extensions -- SIZE, 8BITMIME,
PIPELINING, STARTTLS, HELP, AUTH, etc -- in response to an HELO
greeting[1]. Any subsequent attempt by the client to offer AUTH
should be rejected.

It's still probably worth including:


  # Connections must be authenticated.
  deny    message = Unauthenticated connections are not allowed.
          ! authenticated = *



early in your acl_smtp_rcpt set. And make sure that your
acl_smtp_auth is properly set up, eg requiring an encrypted
connection for PLAIN or LOGIN authentication.

[1] I strongly suspect that this is because HELO handling is still
    governed by RFC 821 which didn't know anything about SMTP
    service extensions.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@???               Phone: +44 1225 386101
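
Added example, not part of the original message and not taken from any shipped Exim configuration: one way to write the acl_smtp_auth check mentioned above, so that PLAIN and LOGIN are refused on unencrypted connections, followed by the RCPT-time rule from the message. The ACL names acl_check_auth and acl_check_rcpt are assumed, as is the final accept, which presumes a submission-only host where every authenticated client may send.

```exim
# Main configuration section: name the ACLs run for AUTH and RCPT.
# (ACL names are assumptions chosen for this example.)
acl_smtp_auth = acl_check_auth
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_auth:
  # TLS is active on this connection: let any mechanism go on to
  # the authenticators.
  accept  encrypted = *

  # No TLS: refuse the mechanisms that send the password in a trivially
  # reversible form. $smtp_command_argument holds the text after "AUTH";
  # \N...\N stops Exim expanding the regular expression itself.
  deny    message   = STARTTLS is required before AUTH PLAIN or LOGIN
          condition = ${if match{$smtp_command_argument}\
                           {\N^(?i)(PLAIN|LOGIN)(\s|$)\N}}

  # Other mechanisms (for example CRAM-MD5) may proceed without TLS.
  # An ACL that runs off the end denies, so this accept is required.
  accept

acl_check_rcpt:
  # Connections must be authenticated (rule from the message above).
  deny    message = Unauthenticated connections are not allowed.
          ! authenticated = *

  # Assumption: submission-only host, authenticated clients may relay.
  accept
```

A client that greets with HELO never sees AUTH advertised, so it reaches acl_check_rcpt unauthenticated and is refused there.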