[CNB] Post 0.10.2 upgrade: EHLO is too strict
chibenwa opened this issue · 5 comments
{"timestamp":"2024-08-28T13:24:32.938Z","level":"ERROR","thread":"smtpserver-global-2","mdc":{"charset":"US-ASCII","action":"EHLO","sessionId":"3e0480cc"},"logger":"org.apache.james.protocols.smtp.core.esmtp.EhloCmdHandler","message":"Invalid EHLO argument received: 7kO2OrE. Must be a domain name or an IP address.","context":"default"}
Coming from a legitimate user.
IMO we can relax EHLO to accept inputs made only of a-z,A-Z,0-9 characters in addition to the currently accepted value.
Prevents legitimate users from sending mails...
Is this legitimate though?
As per the RFC, it seems the identifier of the smtp client used in the ehlo command should be a domain name or IP => https://www.ietf.org/rfc/rfc2821.txt
4.1.1.1 Extended HELLO (EHLO) or HELLO (HELO)
These commands are used to identify the SMTP client to the SMTP
server. The argument field contains the fully-qualified domain name
of the SMTP client if one is available. In situations in which the
SMTP client system does not have a meaningful domain name (e.g., when
its address is dynamically allocated and no reverse mapping record is
available), the client SHOULD send an address literal (see section
4.1.3), optionally followed by information that will help to identify
the client system. y The SMTP server identifies itself to the SMTP
client in the connection greeting reply and in the response to this
command.
Address literals are literally ipv4 or ipv6 IP addresses from what I can see.
Here in this error message the argument is: 7kO2OrE. How is it legitimate?
Here in this error message the argument is: 7kO2OrE. How is it legitimate?
I have read that too. But my feeling is that we can be flexible than that.
For example, Postfix does support the 7kO2OrE hostname.
hp@hp-quanth:~$ telnet localhost 41055
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 incoming.upn.integration-open-paas.org ESMTP Postfix (Ubuntu)
EHLO 7kO2OrE
250-incoming.upn.integration-open-paas.orgOk fair. Not impossible there is maybe a later RFC that relaxes that too, that I could have missed, it's a bit of a mess regarding old protocols^^'
the client SHOULD send an address literal
It's not a MUST. Expect bad clients not to do this...