smtpsrv: Reject HTTP commands

To help with defense-in-depth on cross-protocol attacks (e.g. https://alpaca-attack.com/), this patch makes chasquid reject HTTP commands.
2025-12-17 14:37:02 +00:00 · 2021-06-10 18:42:56 +01:00
parent 85305f4bd9
commit 8c8e64dc29
3 changed files with 27 additions and 0 deletions
--- a/internal/smtpsrv/conn.go
+++ b/internal/smtpsrv/conn.go
@@ -51,6 +51,8 @@ var (
 		"result", "incoming security level check results")
 	hookResults = expvarom.NewMap("chasquid/smtpIn/hookResults",
 		"result", "count of hook invocations, by result")
+	wrongProtoCount = expvarom.NewMap("chasquid/smtpIn/wrongProtoCount",
+		"command", "count of commands for other protocols")
 )

 var (
@@ -272,6 +274,14 @@ loop:
 		case "QUIT":
 			_ = c.writeResponse(221, "2.0.0 Be seeing you...")
 			break loop
+		case "GET", "POST", "CONNECT":
+			// HTTP protocol detection, to prevent cross-protocol attacks
+			// (e.g. https://alpaca-attack.com/).
+			wrongProtoCount.Add(cmd, 1)
+			c.tr.Errorf("http command, closing connection")
+			_ = c.writeResponse(502,
+				"5.7.0 You hear someone cursing shoplifters")
+			break loop
 		default:
 			// Sanitize it a bit to avoid filling the logs and events with
 			// noisy data. Keep the first 6 bytes for debugging.