EHLO localhost.localdomain

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
random
Normal user
Posts: 108
Joined: 2006-07-16 09:51
Location: Germany

EHLO localhost.localdomain

Post by random » 2012-12-03 21:48

Hi,

In my logs there are many entries with "EHLO localhost.localdomain", followed by an "AUTH LOGIN".
The authentication fails, and by the way, I do not believe that this is a legitimate user.

My questions:
- Is EHLO localhost.localdomain a legit domain name?
- Can I close the connection based on the submitted EHLO?

Kind regards,
random

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: EHLO localhost.localdomain

Post by dzekas » 2012-12-03 23:13

random wrote:
Hi,

In my logs there are many entries with "EHLO localhost.localdomain", followed by an "AUTH LOGIN".
The authentication fails, and by the way, I do not believe that this is a legitimate user.

My questions:
- Is EHLO localhost.localdomain a legit domain name?
- Can I close the connection based on the submitted EHLO?

The EHLO name is legit if the connection is coming from 127.0.0.1 or any other loopback address.

If somebody is trying to brute-force your passwords, enable autoban. It will minimize the effectiveness of brute-force password attacks regardless of the EHLO used.


Re: EHLO localhost.localdomain

Post by random » 2012-12-04 00:01

Hi dzekas,

thank you for your reply.

The EHLO is not originating from localhost. I think it is a not entirely correctly configured mail server or mail client.
Autoban is now on. Just to be sure. :)

BTW: How can I see the account name that is probed? It does not show up in the logs as far as I can see.

Kind regards,
random


Re: EHLO localhost.localdomain

Post by dzekas » 2012-12-04 00:08

random wrote:
Hi dzekas,

thank you for your reply.

The EHLO is not originating from localhost. I think it is a not entirely correctly configured mail server or mail client.
Autoban is now on. Just to be sure. :)

BTW: How can I see the account name that is probed? It does not show up in the logs as far as I can see.

Kind regards,
random

The gobbledygook that comes after the AUTH LOGIN line contains the base64-encoded account name. See http://www.base64decode.org/


Re: EHLO localhost.localdomain

Post by random » 2012-12-04 00:15

Bookmarked - very useful.
Thank you.
random

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: EHLO localhost.localdomain

Post by mattg » 2012-12-04 01:33

And FYI, ^Doom^'s log analyser http://damnation.org.uk/log/loganalyzer.php does this as part of the analysing process.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
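
The decoding step discussed in this thread, as an added example that is not part of the original posts and is not code from hMailServer or the linked log analyser: it pulls the base64 account name that follows each AUTH LOGIN out of an SMTP log and marks sessions whose EHLO claims a localhost name although the client address is not loopback. The log layout, the sample lines and the function names are assumptions made for illustration; it also covers the case where the username is sent on the AUTH LOGIN line itself.

```python
import base64
import ipaddress
import re

# Constructed sample. Assumed layout: type, thread, session, time, client IP, text (tab-separated).
ROW = '"SMTPD"\t2140\t%d\t"2012-12-03 21:40:01.100"\t"%s"\t"%s"'
SAMPLE_LOG = "\n".join(ROW % row for row in [
    (17, "203.0.113.45", "RECEIVED: EHLO localhost.localdomain"),
    (17, "203.0.113.45", "RECEIVED: AUTH LOGIN"),
    (17, "203.0.113.45", "SENT: 334 VXNlcm5hbWU6"),
    (17, "203.0.113.45", "RECEIVED: aW5mb0BleGFtcGxlLmNvbQ=="),
    (18, "127.0.0.1", "RECEIVED: EHLO localhost.localdomain"),
    (18, "127.0.0.1", "RECEIVED: AUTH LOGIN cm9vdA=="),
])
LINE_RE = re.compile(r'^"SMTPD"\t\d+\t(\d+)\t"[^"]*"\t"([^"]*)"\t"RECEIVED: (.*)"$')

def decode_login(token):
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # not base64 (binascii.Error is a ValueError), e.g. "*" to cancel
        return None

def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:  # unparseable address: do not treat it as local
        return False

def probed_accounts(log_text):
    """Return (client_ip, ehlo_name, account, fake_local_ehlo) per AUTH LOGIN attempt."""
    ehlo, waiting, found = {}, set(), []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        key, parts = (m.group(1), m.group(2)), m.group(3).split()
        cmd = [p.upper() for p in parts[:2]]
        if key in waiting:  # this client line answers the username prompt
            waiting.discard(key)
            token = m.group(3).strip()
        elif cmd == ["AUTH", "LOGIN"] and len(parts) > 2:
            token = parts[2]  # username sent as initial response
        else:
            if cmd == ["AUTH", "LOGIN"]:
                waiting.add(key)  # username arrives on the next client line
            elif cmd[:1] in (["EHLO"], ["HELO"]):
                ehlo[key] = parts[1].lower() if len(parts) > 1 else ""
            continue
        name = ehlo.get(key, "")
        fake = name in ("localhost", "localhost.localdomain") and not is_loopback(key[1])
        found.append((key[1], name, decode_login(token), fake))
    return found
```

Counting the returned tuples per client address or per account shows which mailboxes are being probed and from where, independent of what autoban has already blocked.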
