We believe it is a popular to use the same certificate for web server and mail server (e.g. #296) therefore maddy could be affected by this attack when using in such way.
We should advise against using it and/or add necessary mitigations to the code.
[ ] Implement ALPN and require strict matching when negotiated (IMAP, there is no standard value for SMTP but negative check might be possible).
[x] Discard SMTP connections if commands look like HTTP requests.
[ ] Discard IMAP connections if commands look like HTTP requests.
[ ] Add recommendation in the documentation covering this problem.
On point 2: go-smtp terminates the connection after just 3 protocol errors, this is enough to terminate connection if any HTTP request is misdirected to the server.
Ref. https://alpaca-attack.com/
We believe it is a popular to use the same certificate for web server and mail server (e.g. #296) therefore maddy could be affected by this attack when using in such way.
We should advise against using it and/or add necessary mitigations to the code.
Implement ALPN and require strict matching when negotiated (IMAP, there is no standard value for SMTP but negative check might be possible).