Mailing List Archive: helo_try_verify_hosts and no helo command

Hi all,

According to spec.txt:
If "helo_verify_hosts" or "helo_try_verify_hosts" is set, Exim
refuses to accept messages from hosts that match either of them,
unless a HELO or EHLO command is received before the MAIL command.
Otherwise, MAIL commands are rejected with a 550 error.

Yet, setting helo_try_verify_hosts = * still allows someone to send no
HELO command before sending MAIL or even send an HELO which doesn't pass
the syntax check and gets rejected but still continue with the MAIL
command which is accepted. I've seen a couple of spammers using a literal
"HELO $domain" which gets rejected still able to send their mail because
their software does not even look at the response to HELO and continue
with the other commands.

To comply to spec.txt, smtp_in.c line 2110 should be changed (btw, using
4.05) from
if (helo_required && !helo_seen)
to
if ((helo_required || helo_verify) && !helo_seen)

And, I believe MAIL should be rejected also if HELO was tried but rejected
even without helo_required or helo_verify...

--
Patrice Fournier
pfournier@loups.net

On Tue, 23 Jul 2002, Patrice Fournier wrote:

> According to spec.txt:
> If "helo_verify_hosts" or "helo_try_verify_hosts" is set, Exim
> refuses to accept messages from hosts that match either of them,
> unless a HELO or EHLO command is received before the MAIL command.
> Otherwise, MAIL commands are rejected with a 550 error.

That's been changed in the 4.10 specification. It now reads:

helo_try_verify_hosts Type: host list* Default: unset |
|
The RFCs mandate that a server must not reject a message because it |
doesn't like the HELO or EHLO command. By default, Exim just checks the |
syntax of these commands (see "helo_accept_junk_hosts" and |
"helo_allow_chars" above). However, some sites like to be stricter. If the |
calling host matches "helo_try_verify_hosts", Exim checks that the host |
name given in the HELO or EHLO command either: |
|
. is an IP literal matching the calling address of the host (the RFCs |
specifically allow this), or |
|
. matches the host name that Exim obtains by doing a reverse lookup of |
the calling host address, or |
|
. when looked up using "gethostbyname()" (or "getipnodebyname()" when |
available) yields the calling host address. |
|
However, the EHLO or HELO command is not rejected if any of the checks |
fail. Processing continues, but the result of the check is remembered, and |
can be detected later in an ACL by the "verify = helo" condition. If you |
want verification failure to cause rejection of EHLO or HELO, use |
"helo_verify_hosts" instead. |
|
helo_verify_hosts Type: host list* Default: unset |
|
For hosts that match this option, Exim checks that the host name given in |
the HELO or EHLO in the same way as for "helo_try_verify_hosts". If the |
check fails, the HELO or EHLO command is rejected with a 550 error, and |
entries are written to the main and reject logs. If a MAIL command is |
received before EHLO or HELO, it is rejected with a 550 error. |

> Yet, setting helo_try_verify_hosts = * still allows someone to send no
> HELO command before sending MAIL or even send an HELO which doesn't pass
> the syntax check and gets rejected but still continue with the MAIL
> command which is accepted.

Yes, that's the idea. The "try" means "don't reject, just remember the
failure". (Actually, it *will* reject for syntax errors.)

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.