Discussion:
Filtering HELO / EHLO names before MAIL FROM
Grant Taylor
2025-01-04 01:07:18 UTC
Hi,

Is there a method that I can use to filter & reject (return a 5xy error)
for bad HELO / EHLO names at HELO / EHLO time?

I see some options (FEATURE(`block_bad_helo')) but they seem to apply
later in the SMTP transaction.

I'm seeing what I suspect is bots looking to do credential stuffing, but
I'm not offering authentication on this system, so they are bailing
before usual protections would kick in.

Initial searches haven't turned up much that happens before MAIL FROM.
--
Grant. . . .
Claus Aßmann
2025-01-04 05:43:53 UTC
Post by Grant Taylor
Is there a method that I can use to filter & reject (return a 5xy error)
for bad HELO / EHLO names at HELO / EHLO time?
A milter should be able to do that.
Give it a try and let us know.
--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
Grant Taylor
2025-01-04 06:44:45 UTC
Post by Claus Aßmann
A milter should be able to do that.
That's what I assumed.
Post by Claus Aßmann
Give it a try and let us know.
I'm trying a few different things.

Q: Is it possible to cause Sendmail to return something other than the
220 (from memory) greeting in response to the HELO / EHLO?

I'm trying milter-regex now and it seems like Sendmail still replies
with a 220 <bla> in response to the unwanted "EHLO User" that I'm
currently seeing.

I'd like to return a "5xy go away" message. I don't remember the value
for x and y at the moment. Maybe "550 5.7.1 go away" or something like
that.
--
Grant. . . .
Claus Aßmann
2025-01-04 20:03:00 UTC
Post by Grant Taylor
Q: Is it possible to cause Sendmail to return something other than the
220 (from memory) greeting in response to the HELO / EHLO?
Yes, esp. 421.
Maybe that's the best for your problem?
Post by Grant Taylor
I'm trying milter-regex now and it seems like Sendmail still replies
with a 220 <bla> in response to the unwanted "EHLO User" that I'm
currently seeing.
But any command other than QUIT (and a few others which do not start
a transaction) will be rejected, correct?
Grant Taylor
2025-01-04 23:03:27 UTC
Post by Claus Aßmann
Yes, esp. 421.
Maybe that's the best for your problem?
I'll have to evaluate the temp fail.
Post by Claus Aßmann
But any command other than QUIT (and a few others which do not start
a transaction) will be rejected, correct?
The command(s) that I tested do end up getting a 5xy error after causing
the reject.

I would have hoped there was a 5xy series error that could be returned
when sending the SMFIS_REJECT (?from memory?) in response to the helo
callback.

I need to reference some RFCs to see if such is even allowed.
--
Grant. . . .
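The two outcomes Claus and Grant are weighing above (a 421 that Sendmail answers at HELO/EHLO time and then closes the session, versus a plain reject where the HELO itself still succeeds and the 5xy only shows up on the next command) are easier to reason about with the decision logic written out. The following is an added example, not code from the thread, from Sendmail, or from milter-regex: the name checks are one possible policy (RFC 5321 syntax plus the "bare word like `User`" case from the thread), the session model reproduces only the reply behaviour the thread describes, and the libmilter calls named in the comments (`smfi_setreply`, `SMFIS_TEMPFAIL`, `SMFIS_REJECT`, `xxfi_helo`) are my reading of the API rather than anything the posters confirmed. The hostnames and reply texts are constructed.

```python
import ipaddress
import re

# One RFC 1123 hostname label: alphanumerics, hyphens only inside, at most 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def helo_problems(helo, my_names=frozenset()):
    """Reasons a HELO/EHLO argument looks bogus; an empty list means none.

    Policy is an assumption for this example: a bracketed address literal or
    a fully qualified name passes; a bare label such as "User", an
    unbracketed IP, invalid syntax, or one of our own names is flagged.
    """
    if not helo:
        return ["empty HELO argument"]
    if helo.startswith("[") and helo.endswith("]"):
        literal = helo[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
            return []
        except ValueError:
            return ["malformed address literal"]
    try:
        ipaddress.ip_address(helo)
        return ["bare IP address without brackets"]
    except ValueError:
        pass
    problems = []
    labels = helo.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        problems.append("invalid hostname syntax")
    if len(labels) < 2:
        problems.append("bare word, not a fully qualified domain name")
    if helo.lower() in my_names:
        problems.append("forges one of our own names")
    return problems


def helo_action(helo, my_names=frozenset(), disconnect=True):
    """What a milter's HELO callback (xxfi_helo in libmilter) would decide.

    disconnect=True  -> ("tempfail", "421 ...")  Sendmail answers the
                        HELO/EHLO with the 421 and closes the session;
                        in libmilter: smfi_setreply(ctx, "421", "4.7.0", text)
                        followed by SMFIS_TEMPFAIL (assumption, see lead-in).
    disconnect=False -> ("reject", "550 ...")    HELO/EHLO still gets 250;
                        the 5xy surfaces on the next transaction command;
                        in libmilter: SMFIS_REJECT (assumption, see lead-in).
    """
    problems = helo_problems(helo, my_names)
    if not problems:
        return ("continue", None)
    why = "; ".join(problems)
    if disconnect:
        return ("tempfail", "421 4.7.0 Closing connection: bad HELO (%s)" % why)
    return ("reject", "550 5.7.1 HELO/EHLO name rejected (%s)" % why)


def simulate_session(commands, my_names=frozenset(), disconnect=True):
    """Model of the replies a client sees, following the behaviour described
    in the thread: a 421 is sent in reply to HELO/EHLO and ends the session;
    a plain reject lets HELO succeed but refuses later commands except QUIT
    and NOOP. Returns a list of (command, reply) pairs."""
    replies = []
    pending_reject = None
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            action, text = helo_action(arg.strip(), my_names, disconnect)
            if action == "tempfail":
                replies.append((cmd, text))
                break  # connection closed after the 421
            if action == "reject":
                pending_reject = text
            replies.append((cmd, "250 mail.example.net Hello"))
        elif verb == "QUIT":
            replies.append((cmd, "221 2.0.0 Bye"))
            break
        elif verb == "NOOP":
            replies.append((cmd, "250 2.0.0 OK"))
        elif pending_reject:
            replies.append((cmd, pending_reject))
        else:
            replies.append((cmd, "250 2.0.0 OK"))
    return replies


if __name__ == "__main__":
    for mode in (True, False):
        print("disconnect=%s" % mode)
        for cmd, reply in simulate_session(["EHLO User", "MAIL FROM:<x@example.org>", "QUIT"],
                                           disconnect=mode):
            print("  C: %s\n  S: %s" % (cmd, reply))
```

Running it prints the two sequences side by side: with `disconnect=True` the bot's `EHLO User` is answered with the 421 and nothing else gets through; with `disconnect=False` the EHLO is greeted with 250 and the 550 only appears when it issues MAIL FROM, which is exactly the point at which the credential-stuffing bots in the original post would have given up anyway. Whether the temp-fail is acceptable is a policy call; a legitimate but misconfigured sender will retry on 421, while the 5xy path never costs a real client a retry.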
Anthony Howe
2025-01-08 01:32:38 UTC
Post by Grant Taylor
Hi,
Is there a method that I can use to filter & reject (return a 5xy error) for bad
HELO / EHLO names at HELO / EHLO time?
I see some options (FEATURE(`block_bad_helo')) but they seem to apply later in
the SMTP transaction.
I'm seeing what I suspect is bots looking to do credential stuffing, but I'm not
offering authentication on this system, so they are bailing before usual
protections would kick in.
Initial searches haven't turned up much that happens before MAIL FROM.
`milter-cli` could do it using an `envelope-from=` filter. Failing that I
suppose I could tweak one of my other milters.

BarricadeMX has the ability (not a milter).
--
Anthony C Howe
***@snert.com BarricadeMX & Milters
http://nanozen.snert.com/ http://software.snert.com/
Grant Taylor
2025-01-08 03:08:09 UTC
Hi Anthony,
Post by Anthony Howe
`milter-cli` could do it using an `envelope-from=` filter. Failing that
I suppose I could tweak one of my other milters.
My impression when I previously looked at the manual.shtml file
(included in the milter-cli source) was that content-filter and
envelope-filter wouldn't filter in direct response to the client's HELO
/ EHLO.

envelope-filter - ... This command is executed when the DATA command is
sent.

content-filter - ... used to filter the message headers and content - so
after the DATA is closed with <CR><LF>.<CR><LF>.

Hence I got the impression that milter-cli won't be able to reject
immediately after the client's HELO / EHLO.

Please correct me if I'm misunderstanding something.
Post by Anthony Howe
BarricadeMX has the ability (not a milter).
Ya.... I'm still trying to work with Sendmail. It's what I know and am
most comfortable with.
--
Grant. . . .