Mirrors/go-chasquid-smtp
1
0
Fork 0
mirror of https://blitiri.com.ar/repos/chasquid synced 2025-12-17 14:37:02 +00:00
Code Releases Activity

smtpsrv: Reject HTTP commands

Browse Source 
To help with defense-in-depth on cross-protocol attacks (e.g.
https://alpaca-attack.com/), this patch makes chasquid reject HTTP
commands.
This commit is contained in:
Alberto Bertogli
2021-06-10 18:42:56 +01:00
parent 85305f4bd9
commit 8c8e64dc29
3 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/monitoring.md
View File

@@ -66,6 +66,8 @@ List of exported variables:
count of SPF checks, by result.
- **chasquid/smtpIn/tlsCount** (tls status -> counter)
count of TLS statuses (plain/tls) for incoming SMTP connections.
- **chasquid/smtpIn/wrongProtoCount** (command -> counter)
count of commands for other protocols (e.g. HTTP commands).
- **chasquid/smtpOut/securityLevelChecks** (result -> counter)
count of security level checks on outgoing connections, by result.
- **chasquid/smtpOut/sts/mode** (mode -> counter)

10
internal/smtpsrv/conn.go
View File

@@ -51,6 +51,8 @@ var (
"result", "incoming security level check results")
hookResults = expvarom.NewMap("chasquid/smtpIn/hookResults",
"result", "count of hook invocations, by result")
wrongProtoCount = expvarom.NewMap("chasquid/smtpIn/wrongProtoCount",
"command", "count of commands for other protocols")
)
var (
@@ -272,6 +274,14 @@ loop:
case "QUIT":
_ = c.writeResponse(221, "2.0.0 Be seeing you...")
break loop
case "GET", "POST", "CONNECT":
// HTTP protocol detection, to prevent cross-protocol attacks
// (e.g. https://alpaca-attack.com/).
wrongProtoCount.Add(cmd, 1)
c.tr.Errorf("http command, closing connection")
_ = c.writeResponse(502,
"5.7.0 You hear someone cursing shoplifters")
break loop
default:
// Sanitize it a bit to avoid filling the logs and events with
// noisy data. Keep the first 6 bytes for debugging.

15
test/t-12-minor_dialogs/wrong_proto.cmy Normal file
View File

@@ -0,0 +1,15 @@
c tcp_connect localhost:1025
c <~ 220
c -> GET /evil HTTP/1.1
c <- 502 5.7.0 You hear someone cursing shoplifters
c tcp_connect localhost:1025
c <~ 220
c -> POST /evil HTTP/1.1
c <- 502 5.7.0 You hear someone cursing shoplifters
c tcp_connect localhost:1025
c <~ 220
c -> CONNECT www.evil.com:80 HTTP/1.1
c <- 502 5.7.0 You hear someone cursing shoplifters