HELO HELO HELO
Daniel Koffler wrote me about an article he wrote in DominoPower yesterday and it struck a bit of a chord with me. Why?

Well, I wrote a while back about the inability of Domino to do anything with bogus HELO/EHLO over at Notes.Net LDD IBM developerWorks (I mean come on people). A longer version is also in this blog.

Now, obviously it would require an architectural change, albeit a simple one, to handle this at the protocol level...

As soon as any host says "HELO mymta.mydomain", that is all I need to see to know with certainty that I do not want the mail.

It should therefore be possible to configure the local MTA to say "554 you are not me - please go away" as soon as that sending MTA says "MAIL FROM:<...>", which would be the very next thing that happened after the bogus HELO.
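The check described above, sketched as a receiver-side state machine (an added example, not part of the original post and not Domino code). The identity set, the address literal and every reply text other than the 554 line are assumptions made for illustration.

```python
# Added example: refuse MAIL FROM when the client's HELO/EHLO claims to be us.
# OWN_IDENTITIES is constructed sample data; 192.0.2.25 is a documentation address.
OWN_IDENTITIES = {"mymta.mydomain", "[192.0.2.25]"}


def normalise(helo_arg):
    """Lower-case and drop one trailing dot so trivial variants still match."""
    name = helo_arg.strip().lower()
    return name[:-1] if name.endswith(".") else name


class SmtpSession:
    """Tracks only the state needed for the HELO check on one connection."""

    def __init__(self, own_identities=OWN_IDENTITIES):
        self.own = {normalise(n) for n in own_identities}
        self.helo = None      # normalised HELO/EHLO argument, once seen
        self.mail_ok = False  # True only after an accepted MAIL FROM

    def handle(self, line):
        """Return the reply the receiving MTA sends for one command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            if not arg.strip():
                return "501 hostname required"
            # Accept the greeting; the verdict is deferred to MAIL FROM.
            self.helo, self.mail_ok = normalise(arg), False
            return "250 mymta.mydomain"
        if verb == "MAIL":
            if self.helo is None:
                return "503 send HELO/EHLO first"
            self.mail_ok = self.helo not in self.own
            return "250 sender ok" if self.mail_ok else "554 you are not me - please go away"
        if verb == "RCPT":
            return "250 recipient ok" if self.mail_ok else "503 need MAIL first"
        if verb == "RSET":
            self.mail_ok = False  # the HELO identity survives RSET
            return "250 ok"
        if verb == "QUIT":
            return "221 bye"
        return "502 command not implemented"


def run(lines):
    """Feed a constructed client transcript through one fresh session."""
    session = SmtpSession()
    return [session.handle(line) for line in lines]
```

Internal hosts that relay through the same MTA must announce their own names, or be exempted by source address, for this check to be safe to enable.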

I digress. Absent a protocol level fix for this, what Daniel has done (among several other things) is to demonstrate how to handle bogus HELO/EHLO using mail rules. Haven't tried it yet, but I will do so I think. Looks too simple not to have a go.

Thanks Daniel.

Category: Domino: Administration

Comments :

1. Nathan T. Freeman 09/12/2003 17:56:36


Very interesting article you linked to, Chris. I've sent an inquiry to Mr. Koffler asking whether I can pre-fab his modifications into a 6.5 Directory template and put it on the OpenNTF site. We'll see.




2. Stoomaroo 09/12/2003 21:09:13


Hmmm...maybe not the posting string to hook this message into -- but nevertheless.

I dug up the Notes C API reference documentation from IBM's website. I figured the least I could do is trawl through the stuff looking for some SMTP handling calls & hopefully work my own Whitelisting/HELO-EHLO solutions.

While looking, I found an Extension Manager call "SMTPConnectEMCallback" (introduced in ND6) -- which can be used (when compiled properly into code in an API) to produce your own Whitelisting system. (...and I quote...)

"The callback routine can implement its own anti-relay checks and/or bypass Domino related checks through the use of [the variable] and return status of value NOERROR. Return STATUS other than...NOERROR sets AccessDenied flag which causes subsequent commands to be rejected...[the] event occurs after the SMTP listener task has accepted the connection but prior to sending the SMTP greeting to the connecting host."

Seems to me that there is a possibility of HELO/EHLO here -- but perhaps I am reading too deeply into something too arcane?

I am pulling this from the Lotus C API Notes/Domino 6.5 Reference Guide database (the description of the SMTPConnectEMCallback function), available at:
http://www-10.lotus.com/ldd/toolkits

It looks like this is where Raymond Neeves headed with his little whitelist -- but maybe someone better than I could see whether this works with HELO/EHLO or not.
stoomaroo




3. Chris Linfoot 10/12/2003 09:02:38


Nathan -- that would be a good thing to do, though there are subtle differences between an ND65 directory and an ND6 directory as described and illustrated in the article. I will watch OpenNTF for this option to appear.

Stewart -- I discussed this with Raymond briefly and the conclusion appeared to be that the HELO/EHLO phrase was not available to the API, but only the IP address (thus, with a bit of work the resolved name and the status of both on various white/black lists). To get the HELO phrase, we have to wait for the complete MIME to be accepted and itemised by the router. Then, of course, mail rules can take over and it is too late to do anything in the protocol, that phase of message delivery having finished.

Would be delighted to be proved wrong though.

cwl




4. Daniel Koffler 11/12/2003 15:55:40


Nathan -- It should actually be possible to alter the Mail Rules functionality in the Domino Directory to allow admins to input the name of any mail header or field they want to test against in a rule without having to change the underlying code for each new addition.

I'm currently trying to work out all the details on how to do this and I will prepare a template for OpenNTF with this functionality when it is complete (hopefully not too long after the new year). In the meantime, everyone should feel free to use the original concepts & code in my Domino Power article as they see fit.



