Subject: RE: EHLO, 502, HELO, 503 Duplicate HELO/EHLO sequence
From: Christopher Hoover (chmurgatroid.com)
Date: Thu Feb 17 2000 - 21:32:10 CST


Given that others on the net aren't seeing the same thing, I'm wondering if
there's not some evil firewall between my postfix and the 'net that is
causing the trouble.

See Per Hedeland's note here about Cisco's broken application-level SMTP
proxy:

http://www.help.com/cgi-perl/reply/3/325/330?sidx=434383&midx=1530568&page=5&from=http://www.help.com

From the sendmail change log, it appears that Sendmail 8.8.1 is the release
that got picky about duplicate helo/ehlo's.

-ch

------
Christopher Hoover                  E-Cumulate, Inc.
+1-408-348-0304 voice               mailto:chmurgatroid.com
+1-209-315-6378 facsimile           http://www.e-cumulate.com

> -----Original Message-----
> From: Brad Knowles [mailto:blkskynet.be]
> Sent: Thursday, February 17, 2000 11:57 AM
> To: Christopher Hoover; Wietse Venema
> Cc: postfix-userscloud9.net
> Subject: RE: EHLO, 502, HELO, 503 Duplicate HELO/EHLO sequence
>
>
> At 11:16 AM -0800 2000/2/17, Christopher Hoover wrote:
>
> > I followed up my own post (bad form, I know) to note that I'm seeing this at
> > mail destined for several domains, including inktomi, The Well (well.com),
> > and Yahoo.
>
> I looked at inktomi, and they're either actually running Sun's
> version of sendmail 8.9.1 (or something pretty close to it), or
> they're doing a pretty good job of making it look like they are. I
> guess you could try some of the exploits for 8.9.1 and see if they
> work. ;-)
>
> The Well claims to be running sendmail 8.8.5 (if you do a "help",
> and although some people disable help they don't think to change the
> source code so that it doesn't display the software version number),
> but I'm not sure if I believe that. You'd have to try exploits for
> 8.8.x and see if they work to be sure.
>
> Yahoo at least says that they're running their own custom MTA,
> which I might actually believe if they're doing the proxy thing. It
> might also be a pretty severely hacked-up sendmail, or who knows what.
>
>
> Unfortunately, although rootshell.com used to be your friend,
> they don't have much in the way of useful details anymore. However,
> you might be able to find enough details in the BugTraq archives to
> be able to piece together what the exploits for the various versions
> of sendmail are.
>
> --
> These are my opinions and should not be taken as official Skynet policy
>
> _________________________________________________________________________
> |o| Brad Knowles, <blkskynet.be>                    Belgacom Skynet NV/SA |o|
> |o| Systems Architect, Mail/News/FTP/Proxy Admin    Rue Col. Bourg, 124   |o|
> |o| Phone/Fax: +32-2-706.13.11/726.93.11            B-1140 Brussels       |o|
> |o| http://www.skynet.be                             Belgium               |o|
> \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
> Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
> Unix is very user-friendly. It's just picky who its friends are.
>
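The subject line of this thread records the exchange Postfix saw: EHLO answered with 502, the HELO fallback then answered with 503 "Duplicate HELO/EHLO". Christopher's guess is that an application-level SMTP proxy in the path is the cause. The model below is an added example, not code from the thread, Postfix, sendmail or any Cisco product. It implements the RFC 1869 client greeting (EHLO, fall back to HELO only on a 500 or 502) against three in-process server models: a plain ESMTP server, an RFC 821-only server that correctly treats EHLO as an unknown command, and an intermediary whose fault is assumed for this example: it forwards the greeting to the backend (so the backend's one allowed greeting is consumed) but answers the client with 502 instead of relaying the 250. Only the third model produces the 502/503 pair from the subject line; hostnames and reply texts are constructed.

```python
"""Model of the EHLO -> 502 -> HELO -> 503 exchange from the thread subject.

Constructed example: an RFC 1869 client greeting against three toy servers.
None of these classes is Postfix, sendmail or a Cisco proxy; the BrokenProxy
fault is an assumption about how an intermediary could yield the 503.
"""

CLIENT_HOST = "mail.example.net"   # constructed name the client announces


class PlainMta:
    """ESMTP server: accepts EHLO or HELO once, then refuses a second greeting."""

    def __init__(self):
        self.greeted = False

    def handle(self, line):
        verb, _, _arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            if self.greeted:
                return "503 Duplicate HELO/EHLO"
            self.greeted = True
            if verb == "EHLO":
                return "250-mx.example.org\r\n250 PIPELINING"  # constructed
            return "250 mx.example.org"
        return "500 Command unrecognized"


class LegacyMta(PlainMta):
    """RFC 821-only server: EHLO is unknown (502) and does NOT count as a
    greeting, so the client's HELO fallback must succeed with 250."""

    def handle(self, line):
        if line.split(" ", 1)[0].upper() == "EHLO":
            return "502 Command not implemented"
        return super().handle(line)


class BrokenProxy:
    """Intermediary in front of a real MTA (assumed fault, constructed here):
    it passes the greeting to the backend, consuming the backend's single
    allowed HELO/EHLO, yet tells the client 502 instead of relaying the 250.
    The client's HELO fallback then reaches an already-greeted backend."""

    def __init__(self, backend):
        self.backend = backend

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        if verb.upper() == "EHLO":
            self.backend.handle("HELO " + arg)   # backend state flips ...
            return "502 Command not implemented"  # ... but client sees 502
        return self.backend.handle(line)


def smtp_greet(server, helo_name=CLIENT_HOST):
    """RFC 1869 greeting: send EHLO; on 500/502 fall back to HELO.

    Returns a transcript of (command, reply) pairs for inspection."""
    cmd = f"EHLO {helo_name}"
    reply = server.handle(cmd)
    transcript = [(cmd, reply)]
    if reply[:3] in ("500", "502"):       # server does not speak ESMTP
        cmd = f"HELO {helo_name}"
        transcript.append((cmd, server.handle(cmd)))
    return transcript


def reply_codes(transcript):
    """Three-digit reply codes in the order the client received them."""
    return [reply[:3] for _, reply in transcript]


if __name__ == "__main__":
    for label, server in (("plain ESMTP", PlainMta()),
                          ("RFC 821 only", LegacyMta()),
                          ("broken proxy", BrokenProxy(PlainMta()))):
        print(f"--- {label} ---")
        for cmd, reply in smtp_greet(server):
            print(f"C: {cmd}")
            for part in reply.split("\r\n"):
                print(f"S: {part}")
```

Running the script prints the three transcripts; only the broken-proxy case reproduces the 502 followed by 503 that the subject line describes, which is the signature to look for when deciding whether the fault is in the remote MTA or in something between the two hosts.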