NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Postfix Discussion> 2006-07

Re: Helo command rejected : Why

From: Pascal Maes (pascal.maeselec.ucl.ac.be)
Date: Mon Jul 03 2006 - 07:49:56 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Le 3 juil. 06 à 10:08, Robert Felber a écrit :

> On Mon, Jul 03, 2006 at 09:49:28AM +0200, Pascal Maes wrote:
>> germany2.chiltern.com[217.7.78.26];
>> from=<sebastien.ducarmechiltern.com>
>> to=<pascal.maesuclouvain.be> proto=ESMTP
>> helo=<german1.chiltern.com>
>
> If testing, then with germany1.chiltern.com
>
>> We have try with telnet on port 25 and it works... Not easy
>> because they have
>> a windows system and they can't see what they type so we got a
>> lot of typo
>> errors.
>>
>> But when they send a message with their mail client, they got the
>> same error
>> than before.
>> They will contact their "head system manager" to ask some
>> questions...
>
> Just let a tcpdump -X -s0 -n host 217.7.78.26 > debug.log 2>&1 run
> when they
> try to deliver mail (if neccessary with the right -i option).
>
> You will then see, to which port they try to deliver and whats
> going on until
> HELO.
>
> --
> Robert Felber (PGP: 896CF30B)
> Munich, Germany
>

they connect on port 465 :

13:52:41.642644 IP 217.7.78.26.59879 > 130.104.4.1.465: S
1203166760:1203166760(0) win 16384 <mss 1460,nop,nop,sackOK>

Our master.cf config fort smtps is ;

smtps inet n - n - - smtpd
    -o smtpd_proxy_filter=127.0.0.1:10025
    -o smtpd_tls_wrappermode=yes
    -o smtpd_use_tls=yes
    -o smtpd_tls_auth_only=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_security_options=noanonymous
    -o
smtpd_helo_restrictions=permit_mynetworks,permit_sasl_authenticated,reje
  ct
    -o
smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,re
  ject

Well, in that case they get the same result than a connection on port
587 without any authentication

Two questions :

- it is rigth to connect on port 465 for somebody which is not
from our domain (cannot be authenticated) ?
- why didn't I see anything in the log file (even with
debub_peer_list = 217.7.78.26) ?
--
Pascal

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]