HELO/EHLO argument validation.

issuefiler commented 5 years ago

RFC 5321

……In any event, a
   client MUST issue HELO or EHLO before starting a mail transaction.

   These commands, and a "250 OK" reply to one of them, confirm that
   both the SMTP client and the SMTP server are in the initial state,
   that is, there is no transaction in progress and all state tables and
   buffers are cleared.

   Syntax:

   ehlo           = "EHLO" SP ( Domain / address-literal ) CRLF

   helo           = "HELO" SP Domain CRLF

https://github.com/flashmob/go-guerrilla/blob/51f7dda326b1e9878e5f679ccb34a134127951b0/server.go#L426-L445

We don’t want the HELO introduction to be used for some nasty injections. I know that’s unlikely, but……. I just think it’s a good idea to validate it. Yeah, why not?

220 mail.guerrillamail.com SMTP Guerrilla(v1.6.0-11-g032f80b) #22873638 (126) 2019-11-24T03:37:24Z
HELO realfacebook.com ([IPv6:::FACE:B00C]); 
250 mail.guerrillamail.com Hello
MAIL FROM: <we-are@facebook.com>
250 2.1.0 OK
RCPT TO: <support@grr.la>
250 2.1.5 OK
DATA
354 Enter message, ending with '.' on a line by itself
Subject: hi
yes.
.
250 2.0.0 OK: queued as 268f7e4195afb936e3d0865376acb5e8
QUIT
221 2.0.0 Bye

Delivered-To: support@sharklasers.com
Received: from realfacebook.com ([IPv6:::FACE:B00C]); (realfacebook.com ([IPv6:::FACE:B00C]);  [(THE.REAL.IP.ADDRESS.USED)])
    by grr.la with SMTP id 268f7e4195afb936e3d0865376acb5e8@grr.la;
    Sun, 24 Nov 2019 03:38:12 +0000
Subject: hi
yes.

flashmob commented 5 years ago

Sure, sounds good.

TODO:

Parse the HELO / EHLO according to the ABNF rules. We can reuse the existing domain and addressLiteral productions in parse.go
We can also add a new HeloDomain to the Envelope struct, that will contain the syntactically-validated domain, ready to be rDNS validated (perhaps by a backend or further up the stack)
Test cases for both domain and address-literal, valid and invalid

Question: Currently, the addressLiteral does not support the General-address-literal rule (RFC 5321 4.1.3). Should that be added to go-guerrilla? It looks like the IANA lists just one tag: IPv6 https://www.iana.org/assignments/address-literal-tags/address-literal-tags.xhtml#address-literal-tags-1

issuefiler commented 5 years ago

My personal opinion is that we can ignore the General-address-literal rule. I don’t think we’ll have another Standardized-tag other than “IPv6” in a decade. Nobody knows the future though.

flashmob commented 4 years ago

Ready to test in PR #202

Helo is validated
Decided not to add newHeloDomain to the Envelope struct
The server will error when the syntax is invalid and not open the transaction, logging an error

flashmob / go-guerrilla

HELO/EHLO argument validation. #200

RFC 5321