Hi,
In my logs there are many entries with "EHLO localhost.localdomain" and after that an "AUTH LOGIN".
The authentication fails and by the way I do not believe that this is a legitimate user.
My questions:
- Is EHLO localhost.localdomain a legit domain name?
- Can I close the connection based on the submitted EHLO?
Regards,
random
EHLO localhost.localdomain
Re: EHLO localhost.localdomain
random wrote:
> Hi,
> In my logs there are many entries with "EHLO localhost.localdomain" and after that an "AUTH LOGIN".
> The authentication fails and by the way I do not believe that this is a legitimate user.
> My questions:
> - Is EHLO localhost.localdomain a legit domain name?
> - Can I close the connection based on the submitted EHLO?

The EHLO name is legit if the connection is coming from 127.0.0.1 or any other loopback address.
If somebody is trying to brute-force your passwords, enable autoban. It will minimize the effectiveness of brute-force password attacks regardless of the EHLO used.
Re: EHLO localhost.localdomain
Hi dzekas,
thank you for your reply.
The EHLO is not originating from localhost. I think it is a not entirely correctly configured mail server or mail client.
Autoban is now on. Just to be sure.
BTW: How can I see the account name that is probed? It does not show up in the logs as far as I can see.
Regards,
random
Re: EHLO localhost.localdomain
random wrote:
> Hi dzekas,
> thank you for your reply.
> The EHLO is not originating from localhost. I think it is a not entirely correctly configured mail server or mail client.
> Autoban is now on. Just to be sure.
> BTW: How can I see the account name that is probed? It does not show up in the logs as far as I can see.
> Regards,
> random

The gobbledygook that comes after the AUTH LOGIN line contains the base64-encoded account name. See http://www.base64decode.org/
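The decoding step described in the reply above, as an added example that is not part of the original thread: it pairs each AUTH LOGIN attempt with the base64-decoded account name and flags a localhost EHLO name that arrives from a non-loopback address. The tab-separated log layout, the `RECEIVED:`/`SENT:` prefixes, the function names and all sample lines are assumptions constructed for illustration; adjust the field positions to match your own log.

```python
import base64
import ipaddress

def _b64(text):
    return base64.b64encode(text.encode()).decode()

def _line(session, ip, msg):
    return f'"SMTPD"\t3120\t{session}\t"2014-03-02 10:15:01.120"\t"{ip}"\t"{msg}"'

# Constructed sample log, not taken from the thread. Assumed field order:
# type, thread id, session id, timestamp, remote IP, message.
SAMPLE_LOG = "\n".join([
    _line(41, "203.0.113.77", "RECEIVED: EHLO localhost.localdomain"),
    _line(41, "203.0.113.77", "RECEIVED: AUTH LOGIN"),
    _line(41, "203.0.113.77", "SENT: 334 VXNlcm5hbWU6"),
    _line(41, "203.0.113.77", "RECEIVED: " + _b64("info@example.com")),
    _line(42, "127.0.0.1", "RECEIVED: EHLO localhost.localdomain"),
    _line(42, "127.0.0.1", "RECEIVED: AUTH LOGIN " + _b64("backup@example.com")),
])

def _record(ip, ehlo_name, token):
    try:
        account = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        account = None  # not base64, e.g. the client cancelled with "*"
    # Per the thread: a localhost EHLO name is only plausible from loopback.
    mismatch = (ehlo_name.lower().startswith("localhost")
                and not ipaddress.ip_address(ip).is_loopback)
    return (ip, ehlo_name, account, mismatch)

def probed_accounts(log_text):
    """Return (ip, ehlo_name, account, ehlo_mismatch) per AUTH LOGIN attempt."""
    ehlo, waiting, results = {}, set(), []
    for line in log_text.splitlines():
        fields = [f.strip('"') for f in line.split("\t")]
        if len(fields) < 6 or not fields[5].startswith("RECEIVED: "):
            continue
        session, ip, cmd = fields[2], fields[4], fields[5][10:].strip()
        if cmd.upper().startswith(("EHLO ", "HELO ")):
            ehlo[session] = cmd.split(None, 1)[1]
        elif cmd.upper().startswith("AUTH LOGIN"):
            rest = cmd[10:].strip()
            if rest:  # username sent on the same line as AUTH LOGIN
                results.append(_record(ip, ehlo.get(session, ""), rest))
            else:     # username arrives as the next client line
                waiting.add(session)
        elif session in waiting:
            waiting.discard(session)
            results.append(_record(ip, ehlo.get(session, ""), cmd))
    return results
```

Counting the returned rows per account name or per remote IP shows which mailboxes are being probed and whether autoban is catching the source.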
Re: EHLO localhost.localdomain
And FYI, ^Doom^s log analyser http://damnation.org.uk/log/loganalyzer.php does this as part of the analysing process
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation