Recipe 10.15 Requiring a Valid HELO

Problem

You do not want to accept mail from a host that does not first provide a HELO / EHLO command.

Solution

Require the HELO command by adding a confPRIVACY_FLAGS define to the sendmail configuration. Here is an example of the define:

 dnl Don't accept mail without a HELO
 define(`confPRIVACY_FLAGS', `needmailhelo')

Rebuild the configuration, copy it to /etc/mail/sendmail.cf, and restart sendmail, as shown in Recipe 1.8.

Discussion

By default, sendmail accepts incoming mail even if the remote host does not identify itself with an SMTP HELO or EHLO command, as the following test shows:

 # sendmail -bs -Cgeneric-linux.cf
 220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Mon, 10 Mar 2003 13:16:30 -0500
 MAIL From:<craig@wrotethebook.com>
 250 2.1.0 <craig@wrotethebook.com>... Sender ok
 RCPT To:<kathy@chef.wrotethebook.com>
 250 2.1.5 <kathy@chef.wrotethebook.com>... Recipient ok
 QUIT
 221 2.0.0 chef.wrotethebook.com closing connection

Adding the needmailhelo flag to the PrivacyOptions requires sendmail to receive a HELO or EHLO command before it will accept inbound mail. Rerunning the test with the configuration created by this recipe shows the effect of this flag:

 # sendmail -bs
 220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Mon, 10 Mar 2003 13:17:45 -0500
 MAIL From:<craig@wrotethebook.com>
 503 5.0.0 Polite people say HELO first
 QUIT
 221 2.0.0 chef.wrotethebook.com closing connection

Attempting to start the mail transfer without first issuing a HELO / EHLO command causes an error.
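The same test can be run over TCP against a listening server instead of through sendmail -bs. The following is an added example, not code from the book: the function names, the probe@example.com sender, and the loopback stub server that replays the two sessions above are all constructed for illustration. It goes slightly beyond the text by reporting any reply other than 503 or 250 as inconclusive.

```python
import smtplib
import socketserver
import threading

def mail_without_helo(host, port=25, sender="probe@example.com", timeout=5):
    """Send MAIL as the first command (smtplib sends no HELO on connect)."""
    with smtplib.SMTP(host, port, local_hostname="localhost",
                      timeout=timeout) as smtp:
        code, text = smtp.docmd("MAIL", f"From:<{sender}>")
    return code, text.decode(errors="replace")

def check_needmailhelo(host, port=25):
    """503 means the flag is in effect; 250 means MAIL was accepted."""
    code, text = mail_without_helo(host, port)
    verdicts = {503: "enforced", 250: "not enforced"}
    return verdicts.get(code, f"inconclusive: {code} {text}")

class StubSMTP(socketserver.StreamRequestHandler):
    """Constructed stand-in that replays the two sessions shown above."""
    need_helo = True
    def handle(self):
        self.wfile.write(b"220 stub.example ESMTP\r\n")
        greeted = False
        for line in self.rfile:
            verb = line.strip().split(b" ")[0].upper()
            if verb in (b"HELO", b"EHLO"):
                greeted, reply = True, b"250 stub.example Hello"
            elif verb == b"MAIL" and (greeted or not self.need_helo):
                reply = b"250 2.1.0 Sender ok"
            elif verb == b"MAIL":
                reply = b"503 5.0.0 Polite people say HELO first"
            else:  # QUIT, or anything else, ends the session
                reply = b"221 2.0.0 closing connection"
            self.wfile.write(reply + b"\r\n")
            if reply.startswith(b"221"):
                return

def start_stub(need_helo):
    """Run the stub on a free loopback port and return the server object."""
    handler = type("Stub", (StubSMTP,), {"need_helo": need_helo})
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for need_helo in (True, False):
        srv = start_stub(need_helo)
        print(need_helo, check_needmailhelo("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
```

Against a real server, call check_needmailhelo with the mail host's name after restarting sendmail; a sender rejected for some other reason shows up as inconclusive rather than as proof that the flag is set.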

Two related PrivacyOptions flags are needvrfyhelo and needexpnhelo. With these flags, the VRFY and EXPN commands, respectively, are rejected unless sendmail has received a HELO / EHLO command. needvrfyhelo and needexpnhelo provide very limited security benefits. From a security perspective, it is best just to disable EXPN and VRFY as described in Recipe 10.14.

See Also

Recipe 10.14 provides another example of using PrivacyOptions. The sendmail book covers the needmailhelo flag in Section 24.9.80.6, the needvrfyhelo flag in Section 24.9.80.7, and the needexpnhelo flag in Section 24.9.80.5.



Sendmail Cookbook
ISBN: 0596004710
EAN: 2147483647
Year: 2005
Pages: 178
Authors: Craig Hunt
