#1
01-08-2010, 11:58 PM
Active Member
EHLO vs HELO

This question is intended for the audience whose SMTP authentication is working & the server is able to authenticate when the session starts from EHLO.
I want to ask, what is the behavior when the user just connects from a HELO session?
In my case, from a HELO session, it doesn't ask for authentication & the user is able to send the mail?
Should there be a way to disable HELO & only allow EHLO?

Can you please tell me the exact expected behavior? & the solution to resolve this?
#2
01-09-2010, 12:21 AM
Zimbra Consultant & Moderator

Anyone can connect to port 25 and send mail without authentication; it will deliver the mail if it's destined for a domain that's hosted on that server (unless you've modified Zimbra to be an open relay). When you change this to authenticate then that user can send mail to the domains hosted on that server and relay mail to other (external) domains. If you are actually using port 25 for authenticated users then that isn't correct; you should be using port 587, which is the correct (RFC) Submissions port.

Quote:
Originally Posted by atevewr
Can you please tell me the exact expected behavior? & the solution to resolve this?

Resolve what, exactly? If you have a problem perhaps you'd describe that in more detail.
__________________
Regards


Bill
#3
01-09-2010, 06:37 AM
Active Member
EHLO vs HELO

I will try to explain my problem.
Our mailserver is behind a firewall. The firewall scans all the inbound & all outbound mails for A/V, spam etc.
The problem comes with the internal mailserver, now when a user sends a mail to another user on the same server/domain.
He can basically connect through a telnet session, & send a mail via HELO; in this case I am unable to authenticate the user.
A few days back somebody launched a script for sending mails like that & our mailserver was clogged.
So all I want is to block the HELO & only allow EHLO, since my authentication is working.
Have I explained the problem enough?
#4
01-09-2010, 06:41 AM
Zimbra Consultant & Moderator

Please update your forum profile with the output of the following command (do not post it in this thread):

Code:
zmcontrol -v

You should search the forums and wiki for the word 'ZimbraMtaMyNetworks' you'll find details on what you need to do to obtain the behaviour you want.
__________________
Regards


Bill
#5
01-09-2010, 08:08 AM
Active Member

I have seen the ZimbraMtaMyNetworks setting; the user is not in my trusted networks.
If the user is in my trusted network, I know that there is no need for authentication.
Let me restate my problem.
The user, when he starts from a HELO session, can send a mail, even when he is not in my trusted network.
I just want to deny the HELO session to the user & force him to start with the EHLO session.
Is it possible?
#6
01-09-2010, 08:43 AM
Zimbra Consultant & Moderator

Quote:
Originally Posted by atevewr
I have seen the ZimbraMtaMyNetworks setting; the user is not in my trusted networks.
If the user is in my trusted network, I know that there is no need for authentication.
Let me restate my problem.

I understood what you wrote earlier.

Quote:
Originally Posted by atevewr
The user, when he starts from a HELO session, can send a mail, even when he is not in my trusted network.
I just want to deny the HELO session to the user & force him to start with the EHLO session.
Is it possible?

So are you saying that this user is relaying through your server or just sending mail to your domain?
__________________
Regards


Bill
#7
01-09-2010, 10:00 AM
Active Member

Basically the user is sending mail to the domain only, but the case is without authentication he started the script & shot 5000 mails with it.

With no authentication, the 'Mail From' attribute was set to root@domain.com and the script was run, overloading our servers.
We do not want this to happen in the future and for that we want the mails to be authenticated, so even if he uses the script again, we know his real credentials.
Reply With Quote
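The kind of burst described in post #7 (one internal host queuing many messages without authenticating) shows up in the MTA log, whichever greeting the client used. The following is an added example, not part of the original thread: it assumes Postfix-style smtpd log lines, in which authenticated submissions carry a sasl_username field, that arrive in chronological order; the sample lines, addresses, threshold and window are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd writes one "client=" line per queued message; authenticated
# submissions additionally carry ", sasl_method=..., sasl_username=...".
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=\S*\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r"(?:.*sasl_username=(?P<user>\S+))?"
)

def unauthenticated_bursts(lines, threshold=3, window=timedelta(seconds=60), year=2010):
    """Return {client_ip: peak_count} for clients that queued more than
    `threshold` unauthenticated messages inside any `window`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m.group("user"):
            continue              # not a queue line, or sender is attributable
        # syslog timestamps carry no year, so one is supplied for parsing
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ip = m.group("ip")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

# Constructed sample: a scripted unauthenticated burst, an authenticated
# burst, and two unauthenticated messages five minutes apart.
SAMPLE = (
    [f"Jan  9 10:00:0{i} mail postfix/smtpd[2101]: 1A2B3C4D0{i}: "
     "client=unknown[10.0.0.50]" for i in range(1, 6)]
    + [f"Jan  9 10:00:0{i} mail postfix/smtpd[2102]: 2B3C4D5E0{i}: "
       "client=pc7[10.0.0.7], sasl_method=PLAIN, sasl_username=alice"
       for i in range(1, 6)]
    + ["Jan  9 10:01:00 mail postfix/smtpd[2103]: 3C4D5E6F01: client=pc9[10.0.0.9]",
       "Jan  9 10:06:00 mail postfix/smtpd[2103]: 3C4D5E6F02: client=pc9[10.0.0.9]"]
)

if __name__ == "__main__":
    for ip, count in unauthenticated_bursts(SAMPLE).items():
        print(f"{ip}: {count} unauthenticated messages within 60s")
```
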
#8
01-09-2010, 10:08 AM
Zimbra Consultant & Moderator

Quote:
Originally Posted by atevewr
Basically the user is sending mail to the domain only, but the case is without authentication he started the script & shot 5000 mails with it.

That is how email is sent. You need to improve the anti-spam system, look at this wiki article and add the 'reject unlisted recipients' to your postfix configuration (don't forget to restart postfix or Zimbra). If you have a specific IP that's a problem then you can blacklist that but I'd suggest that before you do that you should add some RBLs (such as spamhaus) to your system and see how you get on with that.
__________________
Regards


Bill
#9
01-09-2010, 10:39 AM
Active Member

Look, you are right, that's how an email is sent.
First thing: I cannot block any particular IP unless any such activity is done; after that I can take any action.
Second thing: None of the users in the script were unlisted recipients, so even that attribute won't help me; by the way, we have implemented that already.

I am still unsure how the RBL will help me for my inside network; I do not want to do any lookup for my internal clients.

Let me restate the problem if there has been a misunderstanding till now.
I want my Internal User to authenticate, for sending any mail, Internal or External and even if he is not in my trusted networks, he is able to send an email.
Just tell me what I can do for blocking HELO command and only allow EHLO command.
Moreover, if this information will help, my Internal server does not talk to any other mail servers on Internet; it sends all the outbound mail to my gateway where the gateway appliance does the rest.
So all I am worried about is my internal users scripting mails without authentication?
#10
01-11-2010, 06:46 AM
Active Member

Can anyone please answer my question?