• Filtering HELO / EHLO names before MAIL FROM

    From Grant Taylor@21:1/5 to All on Fri Jan 3 19:07:18 2025
    Hi,

    Is there a method that I can use to filter & reject (return a 5xy error)
    for bad HELO / EHLO names at HELO / EHLO time?

    I see some options (FEATURE(`block_bad_helo')) but they seem to apply
    later in the SMTP transaction.

    I'm seeing what I suspect is bots looking to do credential stuffing, but
    I'm not offering authentication on this system, so they are bailing
    before usual protections would kick in.

    Initial searches haven't turned up much that happens before MAIL FROM.



    --
    Grant. . . .

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus Aßmann@21:1/5 to Grant Taylor on Sat Jan 4 00:43:53 2025
    Grant Taylor wrote:

    > Is there a method that I can use to filter & reject (return a 5xy error)
    > for bad HELO / EHLO names at HELO / EHLO time?

    A milter should be able to do that.
    Give it a try and let us know.

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

  • From Grant Taylor@21:1/5 to All on Sat Jan 4 00:44:45 2025
    On 1/3/25 23:43, Claus Aßmann wrote:
    > A milter should be able to do that.

    That's what I assumed.

    > Give it a try and let us know.

    I'm trying a few different things.

    Q: Is it possible to cause Sendmail to return something other than the
    220 (from memory) greeting in response to the HELO / EHLO?

    I'm trying milter-regex now and it seems like Sendmail still replies
    with a 220 <bla> in response to the unwanted "EHLO User" that I'm
    currently seeing.

    I'd like to return a "5xy go away" message. I don't remember the value
    for x and y at the moment. Maybe "550 5.7.1 go away" or something like
    that.



    --
    Grant. . . .

  • From Claus Aßmann@21:1/5 to Grant Taylor on Sat Jan 4 15:03:00 2025
    Grant Taylor wrote:

    > Q: Is it possible to cause Sendmail to return something other than the
    > 220 (from memory) greeting in response to the HELO / EHLO?

    Yes, esp. 421.
    Maybe that's the best for your problem?

    > I'm trying milter-regex now and it seems like Sendmail still replies
    > with a 220 <bla> in response to the unwanted "EHLO User" that I'm
    > currently seeing.

    But any command other than QUIT (and a few others which do not start
    a transaction) will be rejected, correct?

  • From Grant Taylor@21:1/5 to All on Sat Jan 4 17:03:27 2025
    On 1/4/25 14:03, Claus Aßmann wrote:
    > Yes, esp. 421.
    > Maybe that's the best for your problem?

    I'll have to evaluate the temp fail.

    > But any command other than QUIT (and a few others which do not start
    > a transaction) will be rejected, correct?

    The command(s) that I tested do end up getting a 5xy error after causing
    the reject.

    I would have hoped there was a 5xy series error that could be returned
    when sending the SMFIS_REJECT (?from memory?) in response to the helo
    callback.

    I need to reference some RFCs to see if such is even allowed.



    --
    Grant. . . .

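Added example (not code from any poster, from Sendmail or from milter-regex): the kind of name check a milter's helo callback could run on the HELO / EHLO argument, here refusing the bare "EHLO User" described in the thread. `check_helo`, the verdict names and the refuse-single-label policy are assumptions; in a libmilter filter the callback would return SMFIS_CONTINUE for `HELO_OK` and SMFIS_REJECT otherwise.

```c
#include <ctype.h>
#include <string.h>

/* Constructed verdicts (hypothetical names). A libmilter helo callback would
 * map HELO_OK to SMFIS_CONTINUE and every other value to SMFIS_REJECT. */
enum helo_verdict { HELO_OK, HELO_EMPTY, HELO_SINGLE_LABEL, HELO_BAD_SYNTAX };

/* Address literal, e.g. [192.0.2.1]: framing and character set only. */
static enum helo_verdict check_literal(const char *s, size_t len)
{
    size_t i;
    if (len < 3 || s[len - 1] != ']')
        return HELO_BAD_SYNTAX;
    for (i = 1; i < len - 1; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != ':')
            return HELO_BAD_SYNTAX;
    }
    return HELO_OK;
}

/* Classify the HELO/EHLO argument exactly as the client sent it. */
enum helo_verdict check_helo(const char *arg)
{
    size_t len, i, label_len = 0;
    int dots = 0;
    if (arg == NULL || (len = strlen(arg)) == 0)
        return HELO_EMPTY;
    if (arg[0] == '[')
        return check_literal(arg, len);
    for (i = 0; i <= len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (c == '.' || c == '\0') {
            /* Labels are 1..63 characters and may not end in a hyphen. */
            if (label_len == 0 || label_len > 63 || arg[i - 1] == '-')
                return HELO_BAD_SYNTAX;
            dots += (c == '.');
            label_len = 0;
        } else if (isalnum(c) || (c == '-' && label_len > 0)) {
            label_len++;
        } else {
            return HELO_BAD_SYNTAX;   /* space, underscore, control, 8-bit */
        }
    }
    /* Local policy (assumption): a bare name such as "User" is refused. */
    return dots > 0 ? HELO_OK : HELO_SINGLE_LABEL;
}

int main(void) { return check_helo("User") == HELO_SINGLE_LABEL ? 0 : 1; }
```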
  • From Anthony Howe@21:1/5 to Grant Taylor on Tue Jan 7 20:32:38 2025
    On 2025-01-03 20:07, Grant Taylor wrote:
    > Hi,
    >
    > Is there a method that I can use to filter & reject (return a 5xy error) for bad
    > HELO / EHLO names at HELO / EHLO time?
    >
    > I see some options (FEATURE(`block_bad_helo')) but they seem to apply later in
    > the SMTP transaction.
    >
    > I'm seeing what I suspect is bots looking to do credential stuffing, but I'm not
    > offering authentication on this system, so they are bailing before usual protections would kick in.
    >
    > Initial searches haven't turned up much that happens before MAIL FROM.

    `milter-cli` could do it using an `envelope-from=` filter. Failing that I suppose I could tweak one of my other milters.

    BarricadeMX has the ability (not a milter).


    --
    Anthony C Howe
    achowe@snert.com BarricadeMX & Milters http://nanozen.snert.com/ http://software.snert.com/

  • From Grant Taylor@21:1/5 to Anthony Howe on Tue Jan 7 21:08:09 2025
    Hi Anthony,

    On 1/7/25 19:32, Anthony Howe wrote:
    > `milter-cli` could do it using an `envelope-from=` filter.  Failing that
    > I suppose I could tweak one of my other milters.

    My impression when I previously looked at the manual.shtml file
    (included in the milter-cli source) was that content-filter and
    envelope-filter wouldn't filter in direct response to the client's HELO
    / EHLO.

    envelope-filter - ... This command is executed when the DATA command is
    sent.

    content-filter - ... used to filter the message headers and content - so
    after the DATA is closed with <CR><LF>.<CR><LF>.

    Hence I got the impression that milter-cli won't be able to reject
    immediately after the client's HELO / EHLO.

    Please correct me if I'm misunderstanding something.

    > BarricadeMX has the ability (not a milter).

    Ya.... I'm still trying to work with Sendmail. It's what I know and am
    most comfortable with.



    --
    Grant. . . .
