git » chasquid » commit c2d0d5f

smtpsrv: Only allow authenticated email on submission

author Alberto Bertogli
2016-10-13 11:54:11 UTC
committer Alberto Bertogli
2016-10-21 21:18:53 UTC
parent fe146f00e5955ac8a57d4d0ee35e4af4cae5d3e0

smtpsrv: Only allow authenticated email on submission

The submission port is expected to be used only by authenticated
clients, so this patch makes chasquid enforce this, which also helps
to reduce spam.

https://www.rfc-editor.org/rfc/rfc6409.txt

internal/smtpsrv/conn.go +3 -0
internal/smtpsrv/server_test.go +9 -0

diff --git a/internal/smtpsrv/conn.go b/internal/smtpsrv/conn.go
index 592091f..1031c61 100644
--- a/internal/smtpsrv/conn.go
+++ b/internal/smtpsrv/conn.go
@@ -298,6 +298,9 @@ func (c *Conn) MAIL(params string) (code int, msg string) {
 	if !strings.HasPrefix(strings.ToLower(params), "from:") {
 		return 500, "unknown command"
 	}
+	if c.mode == ModeSubmission && !c.completedAuth {
+		return 550, "mail to submission port must be authenticated"
+	}
 
 	rawAddr := ""
 	_, err := fmt.Sscanf(params[5:], "%s ", &rawAddr)
diff --git a/internal/smtpsrv/server_test.go b/internal/smtpsrv/server_test.go
index e7969c2..51f9286 100644
--- a/internal/smtpsrv/server_test.go
+++ b/internal/smtpsrv/server_test.go
@@ -146,6 +146,15 @@ func TestAuth(t *testing.T) {
 	sendEmailWithAuth(t, c, auth)
 }
 
+func TestSubmissionWithoutAuth(t *testing.T) {
+	c := mustDial(t, ModeSubmission, true)
+	defer c.Close()
+
+	if err := c.Mail("from@from"); err == nil {
+		t.Errorf("Mail not failed as expected")
+	}
+}
+
 func TestAuthOnSMTP(t *testing.T) {
 	c := mustDial(t, ModeSMTP, true)
 	defer c.Close()