You also would get generally better performance (at the cost of missing an EHLO if it's not the 1st command from the client) by doing this:
rule FixUP-SMTP {
    when SERVER_CONNECTED {
        peer { TCP::collect 4 }
    }
    when CLIENT_DATA {
        if { [TCP::payload] starts_with "EHLO" } {
            TCP::respond "500 5.3.3 Unrecognized command\r\n"
            TCP::payload replace 0 [TCP::payload length] ""
        }
        TCP::release
    }
}
This is probably the common case you're trying to resolve.
Comments:
1. We use SERVER_CONNECTED instead of CLIENT_ACCEPTED because SMTP is a banner protocol. Many clients will not send their first HELO/EHLO until they see the banner from the server. So we wait for the server connection prior to starting our client-side collection.
2. Since the event is on the server side, we need to collect on the client side. Thus the use of the peer command.
3. We want to make sure we have at least 4 bytes of payload in our collect.
4. starts_with is more efficient than contains.
5. reject/discard/etc. result in operations on the connection. You don't want this; you simply want the payload in that particular segment to be ignored. So we replace it with nothing and continue.
Hope this helps.
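One way to check the fixup from the client side, as an added example that is not part of the original post or of F5's code: probe() waits for the banner before sending anything (comment 1 above) and returns the replies, and a constructed loopback mock emulates the iRule's first-segment decision so the script runs offline. The banner text, the backend's 250 reply and the loopback port are assumptions; point probe() at a real virtual server to test it.

```python
import socket
import threading

BANNER = b"220 mail.example.test ESMTP ready\r\n"    # constructed banner
REJECT = b"500 5.3.3 Unrecognized command\r\n"       # reply the iRule sends
BACKEND_OK = b"250 mail.example.test\r\n"            # constructed backend reply

def fixup(segment: bytes):
    """Emulate the CLIENT_DATA handler on the first collected segment:
    returns (reply sent to the client, payload released to the server)."""
    if segment.startswith(b"EHLO"):
        return REJECT, b""          # respond, blank the segment, release
    return None, segment            # anything else passes through untouched

def mock_vip(conn: socket.socket) -> None:
    """Constructed stand-in for virtual server plus backend: banner first,
    the iRule decision on the first segment only, then the 'backend' answers."""
    try:
        with conn:
            conn.sendall(BANNER)
            reply, forwarded = fixup(conn.recv(4096))
            if reply:
                conn.sendall(reply)
            elif forwarded:
                conn.sendall(BACKEND_OK)
            # later segments are no longer collected, so they reach the backend as-is
            while conn.recv(4096):
                conn.sendall(BACKEND_OK)
    except OSError:
        pass

def start_mock() -> int:
    """Listen on a random loopback port and serve connections in the background."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            c, _ = srv.accept()
            threading.Thread(target=mock_vip, args=(c,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def probe(host: str, port: int, commands: list) -> list:
    """Speak only after the banner arrives, then send each command and keep the reply."""
    replies = []
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(4096)                      # banner
        for cmd in commands:
            s.sendall(cmd)
            replies.append(s.recv(4096).decode())
    return replies
```

The second probe in the test shows the caveat from the post: an EHLO that is not the first command is no longer inspected and reaches the backend.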