Closed dontforget closed 9 years ago
What version of Haraka are you on? I had the same DoS a few months ago and fixed it by implementing line length limits.
Make sure you're on the latest release.
Matt.
On Nov 23, 2013, at 6:00 PM, dontforget notifications@github.com wrote:
I'm having trouble with a small DoS on my Haraka.
Here's the full log: https://gist.github.com/dontforget/f88ffdbdcd297387aba0
When this is happening, Haraka can't receive any more emails because Haraka is processing all of the email addresses, starting from 0 and going up to a few thousand.
Thanks.
Haraka version is the latest. Thank you.
Oh wait, we actually released a buggy 2.2.7 which would exhibit this bug. Make sure you're on 2.2.8.
But I'll look into the bug anyway.
OK found the "bug" though really it's a problem with whatever is sending you this mail - the syntax of the RCPT TO is invalid. I'll work on a fix.
I'm actually on 2.2.8.
When the DoS first happened, I updated Haraka to the latest version. After a few minutes the DoS happened again, so the latest version has this bug as well.
@baudehlo it's just a simple DoS with empty message body and wrong headers.
Then isn't it good it's getting rejected?
Anyway if you want to accept it, try the patch I just pushed: e520a33
@baudehlo it should be rejected after "max_unrecognized_commands" but it's simply not doing it.
I don't think this is normal behavior: when the server says Error, the client pushes email to another recipient. I think such a client should simply be kicked after "max_unrecognized_commands".
S: 501 Error: Syntax error in address
C: RCPT TO: 2@rainmail.biz
...
S: 501 Error: Syntax error in address
C: RCPT TO: 3@rainmail.biz
...
S: 501 Error: Syntax error in address
C: RCPT TO: 4@rainmail.biz
...
And so on.
It's the right behaviour for SMTP though.
You could easily implement a plugin that counted DENY responses, and after a certain number changed the DENY to DENY_DISCONNECT.
something like this would work I think:
[code]
// Start every connection with a zero deny count
exports.hook_connect = function (next, connection) {
    connection.notes.num_denies = 0;
    next();
}

// Count each DENY response sent on this connection
exports.hook_deny = function (next, conn) {
    conn.notes.num_denies++;
    next();
}

// May want to do this over more hooks than just hook_rcpt
exports.hook_rcpt = function (next, conn) {
    if (conn.notes.num_denies > 3) {
        return next(DENY_DISCONNECT, "You failed too many times");
    }
    next();
}
[/code]
I just pulled this and it doesn't work properly at all. It's rejecting valid recipients, so I've just had to revert it.
Also - these errors won't fire hook_deny as an error here will call respond directly.
As a solution to this, I propose when RCPT/MAIL parsing fails we run the unrecognized_command hook. This will return a 500 error if nothing responds. Sound good?
I also have this issue! The problem is when a sender or a recipient is in format <me@domain.com>. If you remove <, > the error disappears. Tools like http://mxtoolbox.com/ use < >. We should fix that.
MAIL FROM: <supertool@mxtoolbox.com>
501-[28BC40A8-21DC-4FEB-A0CA-911C22FB1FAE] Command parsing failed
501 [28BC40A8-21DC-4FEB-A0CA-911C22FB1FAE] Error: Invalid format of mail command:
After a quick investigation I discovered that I configured config/strict_rfc1869 to 1. Setting it to 0 fixes that error, thus not a bug in my case ...
I was about to suggest that you might be using strict mode. In strict mode, you aren't allowed spaces between the : and the < e.g.:
MAIL FROM: foo@bar.com === invalid
MAIL FROM:foo@bar.com === OK
As the RFC doesn't show the space.
yeah... I was testing on one server and editing code on the other and I did not see this setting ;)... @dontforget would suggestions above fix your problem?
@smfreegard I noticed that if I use this command
swaks -f 'MyName <me@domain.com>' -t 'me@gmail.com' -s 192.168.1.101 -p 587 -au username1 -ap pass1 --tls
I get
[ERROR] [E494AD37-022F-4CD6-BCD1-28A2544AEDB8] [core] Error: Invalid domain in address: MyName <me@domain.com>
xpepermint: correct - you're trying to add a display name to the envelope sender. You can't do that - it's not valid at all.
Aha... envelope... alright then. Thanks @smfreegard.
No problemo. That catches almost everyone out.
Hehe :). Btw... I really like this Haraka thing ;). Good job.
@smfreegard "Unparsable MAIL commands will still not call the hooks though, so it's still an issue. They respond() directly."
@baudehlo "We should have a "max_errors_before_disconnect" setting. similar to max_unrecognised_commands"
We have a max_errors limit now, in the new limit plugin.
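The mitigation this thread converges on, counting every error reply on a connection (parse failures included, since those never reach hook_deny) and disconnecting at a limit, replayed over a transcript as an added example that is not Haraka's or the limit plugin's code. The names replay, buildSample and maxErrors are hypothetical, and the transcript is constructed rather than taken from the linked gist.

```javascript
'use strict';
// Added illustration; replay(), buildSample() and maxErrors are hypothetical
// names, not Haraka or limit-plugin APIs.

// Constructed transcript in the thread's "S:"/"C:" notation: one MAIL parse
// failure (two-line 501 reply) followed by n rejected RCPT TO commands.
function buildSample(n) {
  const lines = [
    'S: 220 mail.example.test ESMTP',
    'C: EHLO client.example.test',
    'S: 250 mail.example.test',
    'C: MAIL FROM: <a@example.test>',
    'S: 501-[CONSTRUCTED-ID] Command parsing failed',
    'S: 501 [CONSTRUCTED-ID] Error: Invalid format of mail command',
  ];
  for (let i = 1; i <= n; i++) {
    lines.push(`C: RCPT TO: ${i}@example.test`);
    lines.push('S: 501 Error: Syntax error in address');
  }
  return lines;
}

// Walk the transcript and report where a per-connection limit on 4xx/5xx
// replies would have dropped the client, whatever produced the reply.
function replay(lines, maxErrors) {
  let errors = 0;
  let lastCommand = null;
  for (let i = 0; i < lines.length; i++) {
    if (lines[i].startsWith('C: ')) { lastCommand = lines[i].slice(3); continue; }
    const m = /^S: (\d{3})([ -]|$)/.exec(lines[i]);
    if (!m || m[2] === '-') continue; // "501-" continues a reply; count its last line only
    if (m[1][0] === '4' || m[1][0] === '5') errors++;
    if (errors >= maxErrors) {
      const commandsSaved = lines.slice(i + 1).filter((l) => l.startsWith('C: ')).length;
      return { disconnectAt: i, errors, lastCommand, commandsSaved };
    }
  }
  return { disconnectAt: -1, errors, lastCommand, commandsSaved: 0 };
}

const r = replay(buildSample(2000), 3);
console.log(`drop after "${r.lastCommand}", ${r.commandsSaved} commands never processed`);
```

The two-line 501 reply counts as one error, so a multi-line parse-failure response does not use up the budget twice.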