
Thread: EHLO vs HELO

  1. #1
    atevewr is offline Active Member

    Default EHLO vs HELO

    This question is intended for the audience whose smtp authentication is working & the server is able to authenticate when the session starts from EHLO.
    I want to ask, what is the behavior when the user just connects from a HELO session?
    In my case, from a HELO session, it doesn't ask for authentication & the user is able to send the mail?
    Should there be a way to disable HELO & only allow EHLO?

    Can you please tell me the exact expected behavior, & the solution to resolve this?

  2. #2
    phoenix is online now Zimbra Consultant & Moderator

    Anyone can connect to port 25 and send mail without authentication; it will deliver the mail if it's destined for a domain that's hosted on that server (unless you've modified Zimbra to be an open relay). When you change this to authenticate then that user can send mail to the domains hosted on that server and relay mail to other (external) domains. If you are actually using port 25 for authenticated users then that isn't correct; you should be using port 587, which is the correct (RFC) Submissions port.

    Quote (originally posted by atevewr):
        Can you please tell me the exact expected behavior ? & the solution to resolve this ?

    Resolve what, exactly? If you have a problem perhaps you'd describe that in more detail.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    atevewr is offline Active Member

    Default EHLO vs HELO

    I will try to explain my problem.
    Our mailserver is behind a firewall. The firewall scans all the inbound & all outbound mails for A/V, spam etc.
    The problem comes with the internal mailserver, when a user sends a mail to another user on the same server/domain.
    He can basically connect through a telnet session & send a mail via HELO; in this case I am unable to authenticate the user.
    A few days back somebody launched a script for sending mails like that & our mailserver was clogged.
    So all I want is to block the HELO & only allow EHLO, since my authentication is working.
    Have I explained the problem enough?

  4. #4
    phoenix is online now Zimbra Consultant & Moderator

    Please update your forum profile with the output of the following command (do not post it in this thread):

    Code:
    zmcontrol -v
    You should search the forums and wiki for the word 'ZimbraMtaMyNetworks'; you'll find details on what you need to do to obtain the behaviour you want.
    Regards


    Bill



  5. #5
    atevewr is offline Active Member

    I have seen the ZimbraMtaMyNetworks setting, the user is not in my trusted networks.
    If the user is in my trusted network, I know that there is no need for authentication.
    Let me restate my problem,
    The user when starts from a HELO session, can send a mail, even when he is not in my trusted network.
    I just want to deny the HELO session to the user & force him to start with the EHLO session.
    Is it possible?

  6. #6
    phoenix is online now Zimbra Consultant & Moderator

    Quote (originally posted by atevewr):
        I have seen the ZimbraMtaMyNetworks setting, the user is not in my trusted networks.
        If the user is in my trusted network, I know that there is no need for authentication.
        Let me restate my problem,

    I understood what you wrote earlier.

    Quote (originally posted by atevewr):
        The user when starts from a HELO session, can send a mail, even when he is not in my trusted network.
        I just want to deny the HELO session to the user & force him to start with the EHLO session.
        Is it possible?

    So are you saying that this user is relaying through your server or just sending mail to your domain?
    Regards


    Bill



  7. #7
    atevewr is offline Active Member

    Basically the user is sending mail to the domain only, but the case is without authentication he started the script & shot 5000 mails with it.

    With no authentication, the 'Mail From' attribute was set to root@domain.com and the script was run, overloading our servers.
    We do not want this to happen in the future and for that we want the mails to be authenticated, so even if he uses the script again, we know his real credentials.
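
An added detection example (not part of the original posts and not Zimbra's own tooling): it correlates Postfix `smtpd` and `qmgr` log lines by queue ID to find clients that queued mail with a local-domain envelope sender but no SASL login, which is the pattern described in post #7. The function name, hosts, addresses and the `example.com` domain are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jul 14 10:00:01 mail postfix/smtpd[2101]: A1B2C3D4E1: client=pc17.example.lan[10.0.3.17]
Jul 14 10:00:01 mail postfix/qmgr[1502]: A1B2C3D4E1: from=<root@example.com>, size=612, nrcpt=1 (queue active)
Jul 14 10:00:02 mail postfix/smtpd[2101]: A1B2C3D4E2: client=pc17.example.lan[10.0.3.17]
Jul 14 10:00:02 mail postfix/qmgr[1502]: A1B2C3D4E2: from=<root@example.com>, size=612, nrcpt=1 (queue active)
Jul 14 10:00:03 mail postfix/smtpd[2101]: A1B2C3D4E3: client=pc17.example.lan[10.0.3.17]
Jul 14 10:00:03 mail postfix/qmgr[1502]: A1B2C3D4E3: from=<root@example.com>, size=612, nrcpt=1 (queue active)
Jul 14 10:00:09 mail postfix/smtpd[2107]: B7C8D9E0F1: client=pc22.example.lan[10.0.3.22], sasl_method=PLAIN, sasl_username=alice
Jul 14 10:00:09 mail postfix/qmgr[1502]: B7C8D9E0F1: from=<alice@example.com>, size=904, nrcpt=1 (queue active)
Jul 14 10:00:15 mail postfix/smtpd[2110]: C2D3E4F5A6: client=mx.external.test[203.0.113.9]
Jul 14 10:00:15 mail postfix/qmgr[1502]: C2D3E4F5A6: from=<bob@external.test>, size=1530, nrcpt=1 (queue active)
"""

# smtpd logs the client (plus sasl_username when AUTH succeeded) per queue ID;
# qmgr logs the envelope sender for the same queue ID.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S+\[([^\]]+)\](.*)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")


def unauthenticated_local_senders(log_text, local_domains, threshold=2):
    """Return {client_ip: count} for clients that queued at least `threshold`
    messages with a local-domain envelope sender and no SASL login."""
    clients = {}      # queue ID -> (client IP, authenticated?)
    hits = Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, ip, rest = m.groups()
            clients[qid] = (ip, "sasl_username=" in rest)
            continue
        m = FROM_RE.search(line)
        if m and m.group(1) in clients:
            ip, authed = clients[m.group(1)]
            domain = m.group(2).rpartition("@")[2].lower()
            if not authed and domain in local_domains:
                hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(unauthenticated_local_senders(SAMPLE_LOG, {"example.com"}))
```

The greeting verb does not appear in these log lines at all; what separates the scripted sender from the legitimate one is the presence of `sasl_username`.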

  8. #8
    phoenix is online now Zimbra Consultant & Moderator

    Quote (originally posted by atevewr):
        Basically the user is sending mail to the domain only, but the case is without authentication he started the script & shot 5000 mails with it.

    That is how email is sent. You need to improve the anti-spam system; look at this wiki article and add the 'reject unlisted recipients' to your postfix configuration (don't forget to restart postfix or Zimbra). If you have a specific IP that's a problem then you can blacklist that, but I'd suggest that before you do that you should add some RBLs (such as spamhaus) to your system and see how you get on with that.
    Regards


    Bill



  9. #9
    atevewr is offline Active Member

    Look, you are right, that's how an email is sent.
    First thing: I cannot block any particular IP unless any such activity is done; after that I can take any action.
    Second thing: None of the users in the script were unlisted recipients, so even that attribute won't help me; by the way, we have implemented that already.

    I am still unsure how the RBL will help me for my inside network; I do not want to do any lookup for my internal clients.

    Let me restate the problem if there has been a misunderstanding till now.
    I want my Internal User to authenticate, for sending any mail, Internal or External and even if he is not in my trusted networks, he is able to send an email.
    Just tell me what I can do for blocking HELO command and only allow EHLO command.
    Moreover, if this information will help, my Internal server does not talk to any other mail servers on Internet; it sends all the outbound mail to my gateway where the gateway appliance does the rest.
    So all I am worried about is my internal users scripting mails without authentication?

  10. #10
    atevewr is offline Active Member

    Can anyone please answer my question?
