Filtering Packets with EHLO 'XYZ' Data



  • Greetings,

    Is there a way, either via pfSense rules or through an installed package, to filter EHLO email packets?

    Thanks

    Dino


  • Banned

    There's a (broken) postfix mail relay package.



  • Thanks for the reply!

    Dare I ask how "broken"?

    Thanks

    Dino


  • Banned

    Well, search the Packages subforum and you can see for yourself. I'm not personally using it, so… :)


  • Rebel Alliance Global Moderator

    What exactly are you trying to accomplish, might I ask?



    If EHLO = 'XYZ' and occurs > '###' times, then block. Preferably drop the connections for that IP and add a rule. But blocking is good enough for me right now.

    I've noticed a pattern in some of the EHLO values over the course of the year and would like to target that instead of just the IP or subnet. As one example of why I would want to do this: one EHLO pattern is known, but that pattern has reused an IP only 5% of the time.

    Thanks for the post!!

    Dino
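    The threshold idea in the post above (count a known EHLO value per source and act once it passes a limit), as an added example that is not from the thread: a Python script that parses Postfix-style smtpd log lines (constructed here; they carry the client address in brackets and a helo=<...> field) and reports sources whose matching EHLO names reach a count inside a sliding time window. The EHLO pattern, the count, the window and the year used to complete syslog timestamps are all assumptions. What happens with the flagged addresses (a pfSense alias, a firewall table) is left to the operator and not shown.

```python
"""Threshold EHLO names per client IP over Postfix-style log lines.

Added example, not from the forum thread. The log lines are constructed in
the shape of Postfix smtpd reject lines; pattern, count and window are
assumptions chosen for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog timestamp, client address in [brackets], and the helo=<...> field.
# The IP group requires dots so the smtpd[pid] bracket is not taken for it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"\[(?P<ip>\d+\.\d+\.\d+\.\d+)\].*?helo=<(?P<helo>[^>]*)>"
)

# Constructed sample log (syslog format carries no year; 2015 is assumed).
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <ylmf-pc>: Helo command rejected: Go away; proto=ESMTP helo=<ylmf-pc>
Mar  3 10:00:05 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <ylmf-pc>: Helo command rejected: Go away; proto=ESMTP helo=<ylmf-pc>
Mar  3 10:00:09 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <ylmf-pc>: Helo command rejected: Go away; proto=ESMTP helo=<ylmf-pc>
Mar  3 10:00:20 mx postfix/smtpd[124]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <ylmf-pc>: Helo command rejected: Go away; proto=ESMTP helo=<ylmf-pc>
Mar  3 10:02:00 mx postfix/smtpd[125]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <ylmf-pc>: Helo command rejected: Go away; proto=ESMTP helo=<ylmf-pc>
Mar  3 10:02:10 mx postfix/smtpd[126]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.1.1 <nobody@example.org>: Recipient address rejected: User unknown; proto=ESMTP helo=<mail.example.net>
"""

# The EHLO value discussed in the thread; matched case-insensitively.
YLMF = re.compile(r"^ylmf-pc$", re.IGNORECASE)


def parse_line(line, year=2015):
    """Return (timestamp, client_ip, helo) or None for lines without a helo= field."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["helo"]


def flag_sources(lines, helo_pattern, count, window_seconds, year=2015):
    """Return {ip: first_time_threshold_crossed} for every client whose EHLO
    names matching helo_pattern reached `count` within any window_seconds span.

    A per-IP deque keeps only the timestamps still inside the window, so a
    slow trickle (one hit every few minutes) never accumulates to the limit.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip, helo = parsed
        if not helo_pattern.search(helo):
            continue  # legitimate or unrelated EHLO, not counted
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= count and ip not in flagged:
            flagged[ip] = ts
    return flagged


def demo():
    """Two matching EHLOs from one address within 60 seconds trigger a flag."""
    return flag_sources(SAMPLE_LOG.splitlines(), YLMF, count=2, window_seconds=60)


if __name__ == "__main__":
    for ip, when in demo().items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
```

    With the 60-second window only 203.0.113.5 is reported (its second hit is four seconds after the first); 198.51.100.7 sends its two hits 100 seconds apart and stays below the limit unless the window is widened, which is the distinction between "occurs > N times" and "occurs > N times in a row" that the block rule has to make.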


  • Rebel Alliance Global Moderator

    You would have to do something like that with layer 7

    https://doc.pfsense.org/index.php/Layer_7


  • Banned

    Really this is best done on a mailserver. If you are on 2.2.x, I wouldn't touch L7 at all since it only produces a CPU burn-in test - https://redmine.pfsense.org/issues/4276


  • Netgate

    Exim:

    If HELO/EHLO is "bad-helo" drop the connection after delay

    # selected from the main configuration with: acl_smtp_helo = acl_check_helo
    acl_check_helo:
      drop
        message   = Service temporarily unavailable
        condition = ${if eq {$sender_helo_name}{bad-helo}{yes}{no}}
        delay     = 30s

      accept


  • Moderator

    I have tried to do this in postfix but couldn't find a solution, so I ended up adding a custom rule to Snort…

    Getting hit by a usual EHLO of ylmf-pc (Chinese OS).

    Snort won't block it fast enough to prevent a couple login attempts, but it will stop an IP after about three attempts. This is because currently Snort is acting on a copy of the packet.

    alert tcp $EXTERNAL_NET any -> any 25 (msg:"SMTP EHLO from ylmf-pc attempt"; threshold: type limit, track by_src, count 1, seconds 60; content:"ylmf-pc"; nocase; classtype:suspicious-login; sid:9000032; rev:2;)


  • Rebel Alliance Global Moderator

    Ah, ylmf-pc, isn't that pushdo? Pretty sure most of the IPs that spambot net is coming from are in zen: https://www.spamhaus.org/zen/

    They are most likely hitting you fast, are they not? You could prob put in a rate limit rule on your rule that allows connection to your smtp server; pretty sure if that is triggered it puts them into the virusprot table and then they get dropped.

    Not sure exactly when the virusprot table clears. Check the crons.


  • Banned

    This is why we need Suricata Inline IPS. A good example here with EHLO from ylmf.
    I want to block all EHLO's of localserv, but not block the IP from future access.

    Can't be done without Inline Suricata, which is not working on pfSense right now. Not sure it ever will be.


  • Rebel Alliance Developer Netgate

    It's better to properly configure the mail server rather than relying on other layers as your only means of protection. Postfix can do this very easily.

    main.cf:

    smtpd_helo_required = yes

    smtpd_helo_restrictions =
        permit_sasl_authenticated
        permit_mynetworks
        check_helo_access hash:/usr/local/etc/postfix/helo_checks

    /usr/local/etc/postfix/helo_checks

    ylmf-pc REJECT Go away
    localhost REJECT None for me, thanks
    sometrustedserver OK

    Every time you edit that file from that dir, run

    postmap helo_checks
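    How check_helo_access resolves a HELO name against that table, as an added example that is not part of the post and not Postfix code: a small Python emulation of the access(5) lookup order for host names (the full name first, then each parent domain, first hit wins, DUNNO when nothing matches so the next restriction decides), with the lookup key lower-cased as postmap folds keys by default. It uses the three entries from the post as the sample table. Parent-domain matching follows the default parent_domain_matches_subdomains setting, which lists smtpd_access_maps; address-literal HELO names such as [192.0.2.1] are not covered.

```python
"""Emulate the access(5) lookup that Postfix check_helo_access performs.

Added example, not Postfix code. Assumes the documented default behaviour:
the HELO name is looked up in full, then each parent domain
(smtpd_access_maps is in parent_domain_matches_subdomains by default), the
first hit wins, and keys are folded to lower case as postmap does by
default. Address-literal HELO names ([192.0.2.1]) are not handled here.
"""

# Sample table: the helo_checks entries from the post, plus a comment line.
HELO_CHECKS = """\
# key   action  optional reply text
ylmf-pc REJECT Go away
localhost REJECT None for me, thanks
sometrustedserver OK
"""


def parse_access_table(text):
    """Return {key: (ACTION, reply_text)} from access(5) source text.

    Blank lines and '#' comments are skipped; the first field is the key,
    the second the action, and anything after that is the reply text.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        action, _, reply = rest.strip().partition(" ")
        table[key.lower()] = (action.upper(), reply.strip())
    return table


def helo_candidates(helo):
    """Lookup keys in the order tried for a host name: full name, then parents."""
    labels = helo.strip().lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup_helo(table, helo):
    """Return (ACTION, reply_text). ('DUNNO', '') means no entry matched, so
    the next item in smtpd_helo_restrictions decides the outcome."""
    for key in helo_candidates(helo):
        if key in table:
            return table[key]
    return ("DUNNO", "")


def demo():
    """Verdicts for a few HELO names against the sample table."""
    table = parse_access_table(HELO_CHECKS)
    names = ("ylmf-pc", "YLMF-PC", "localhost",
             "relay.sometrustedserver", "mx.example.org")
    return {h: lookup_helo(table, h)[0] for h in names}


if __name__ == "__main__":
    for helo, verdict in demo().items():
        print(f"{helo:26} -> {verdict}")
```

    Note what the parent-domain walk implies: an entry "sometrustedserver OK" also whitelists "relay.sometrustedserver", so OK entries should name exactly the hosts you mean, while REJECT entries for a bare label such as ylmf-pc still only hit that label and its subdomains, never a name that merely contains it.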
    

  • Netgate

    pfSense and snort/suricata should not be able to see that traffic anyway because it should be encrypted.

    I realize we have a LONG way to go with SMTP in this regard but it will only become more common, not less common.

    So you are better off implementing the proper solution.