AUTH TLS before or after HELO/EHLO?


AUTH TLS before or after HELO/EHLO?

Gordon Ewasiuk
Hi List,

Can I get a sanity check please?  Am seeing 50-60 of these a day:

Out: 220 fortirwin.blackhorselabs.net ESMTP Postfix
In:  AUTH TLS
Out: 503 5.5.1 Error: send HELO/EHLO first

Is that a mis-config on my part (very possible) or just a random
scanner?  The AUTH TLS lines are coming from a single provider - which
I won't name and shame here.

Thanks all,

-Gordon


Re: AUTH TLS before or after HELO/EHLO?

Bill Cole-3
On 29 Mar 2021, at 20:56, Gordon Ewasiuk wrote:

> Hi List,
>
> Can I get a sanity check please?  Am seeing 50-60 of these a day:
>
> Out: 220 fortirwin.blackhorselabs.net ESMTP Postfix
> In:  AUTH TLS
> Out: 503 5.5.1 Error: send HELO/EHLO first
>
> Is that a mis-config on my part (very possible) or just a random
> scanner?  The AUTH TLS lines are coming from a single provider - which
> I won't name and shame here.

That's a *broken* scanner of some sort. There's no rational way for any
client to try any AUTH command without first sending EHLO and getting a
response with the available mechanisms. Beyond that, I'm fairly certain
that the only protocol where "AUTH TLS" is a valid command is in FTP,
where it is the unfortunately-named analog of the "STARTTLS" command in
SMTP. There is no SMTP server that should ever respond usefully to "AUTH
TLS."

If you were to "name and shame," it would likely only be of a
malicious or at least extremely stupid actor.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
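
Added example, not part of the original thread or of Postfix: a small checker for the situation described in the answer above, which reads session transcripts in the "In:/Out:" layout quoted in the question and flags client commands sent before HELO/EHLO, plus the FTP-style `AUTH TLS` verb. The sample transcript, host names and the `audit` function name are constructed for illustration.

```python
import re

# Constructed sample in the "In:/Out:" transcript layout quoted in the thread;
# host names are placeholders.
SAMPLE = """\
 Out: 220 mail.example.net ESMTP Postfix
 In:  AUTH TLS
 Out: 503 5.5.1 Error: send HELO/EHLO first
 In:  QUIT
 Out: 221 2.0.0 Bye
 Out: 220 mail.example.net ESMTP Postfix
 In:  EHLO client.example.org
 Out: 250-mail.example.net
 Out: 250 STARTTLS
 In:  STARTTLS
 Out: 220 2.0.0 Ready to start TLS
"""

LINE = re.compile(r"^\s*(In|Out):\s+(.*\S)\s*$")
# Commands RFC 5321 permits without a prior HELO/EHLO.
PRE_HELO_OK = {"HELO", "EHLO", "QUIT", "NOOP", "RSET", "HELP", "VRFY", "EXPN"}

def audit(transcript):
    """Return (session_number, client_line, reasons) for each anomalous command."""
    findings, session, seen_helo, last_dir, cont = [], 0, False, None, False
    for raw in transcript.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        direction, text = m.groups()
        if direction == "Out":
            # A 220 that is not answering a client command (e.g. STARTTLS) and
            # not continuing a multi-line reply is a new session's greeting.
            if text.startswith("220") and last_dir != "In" and not cont:
                session, seen_helo = session + 1, False
            last_dir, cont = "Out", text[3:4] == "-"
            continue
        last_dir = "In"
        verb, _, arg = text.partition(" ")
        verb, arg, reasons = verb.upper(), arg.strip().upper(), []
        if verb in ("HELO", "EHLO"):
            seen_helo = True
        elif not seen_helo and verb not in PRE_HELO_OK:
            reasons.append("command before HELO/EHLO")
        if verb == "AUTH" and arg == "TLS":
            reasons.append("FTP-style AUTH TLS sent to SMTP")
        if reasons:
            findings.append((session, text, reasons))
    return findings

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(hit)
```

Grouping the findings by client address, taken from the surrounding log or notification, shows whether the traffic comes from a single source as in the question.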

Re: AUTH TLS before or after HELO/EHLO?

Gordon Ewasiuk
On Mon, 2021-03-29 at 21:18 -0400, Bill Cole wrote:

> On 29 Mar 2021, at 20:56, Gordon Ewasiuk wrote:
>
> > Hi List,
> >
> > Can I get a sanity check please?  Am seeing 50-60 of these a day:
> >
> > Out: 220 fortirwin.blackhorselabs.net ESMTP Postfix
> > In:  AUTH TLS
> > Out: 503 5.5.1 Error: send HELO/EHLO first
> >
> > Is that a mis-config on my part (very possible) or just a random
> > scanner?  The AUTH TLS lines are coming from a single provider - which
> > I won't name and shame here.
>
> That's a *broken* scanner of some sort. There's no rational way for any
> client to try any AUTH command without first sending EHLO and getting a
> response with the available mechanisms. Beyond that, I'm fairly certain
> that the only protocol where "AUTH TLS" is a valid command is in FTP,
> where it is the unfortunately-named analog of the "STARTTLS" command in
> SMTP. There is no SMTP server that should ever respond usefully to "AUTH
> TLS."
>
> If you were to "name and shame," it would likely only be of a
> malicious or at least extremely stupid actor.

Thanks, Bill, for the sanity check.  It seemed odd but given how many
options and config bits exist for Postfix (a good thing!), I figured I
should check with the pros just in case I missed something.

Thanks again!

-Gordon