From c2d0d5f70554bbb1783462a8bc4b1ae58844cfa1 Mon Sep 17 00:00:00 2001
From: Alberto Bertogli <albertito@blitiri.com.ar>
Date: Thu, 13 Oct 2016 12:54:11 +0100
Subject: [PATCH] smtpsrv: Only allow authenticated email on submission

The submission port is expected to be used only by authenticated
clients, so this patch makes chasquid enforce this, which also helps
to reduce spam.

https://www.rfc-editor.org/rfc/rfc6409.txt
---
 internal/smtpsrv/conn.go        | 3 +++
 internal/smtpsrv/server_test.go | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/internal/smtpsrv/conn.go b/internal/smtpsrv/conn.go
index 592091f..1031c61 100644
--- a/internal/smtpsrv/conn.go
+++ b/internal/smtpsrv/conn.go
@@ -298,6 +298,9 @@ func (c *Conn) MAIL(params string) (code int, msg string) {
 	if !strings.HasPrefix(strings.ToLower(params), "from:") {
 		return 500, "unknown command"
 	}
+	if c.mode == ModeSubmission && !c.completedAuth {
+		return 550, "mail to submission port must be authenticated"
+	}
 
 	rawAddr := ""
 	_, err := fmt.Sscanf(params[5:], "%s ", &rawAddr)
diff --git a/internal/smtpsrv/server_test.go b/internal/smtpsrv/server_test.go
index e7969c2..51f9286 100644
--- a/internal/smtpsrv/server_test.go
+++ b/internal/smtpsrv/server_test.go
@@ -146,6 +146,15 @@ func TestAuth(t *testing.T) {
 	sendEmailWithAuth(t, c, auth)
 }
 
+func TestSubmissionWithoutAuth(t *testing.T) {
+	c := mustDial(t, ModeSubmission, true)
+	defer c.Close()
+
+	if err := c.Mail("from@from"); err == nil {
+		t.Errorf("Mail not failed as expected")
+	}
+}
+
 func TestAuthOnSMTP(t *testing.T) {
 	c := mustDial(t, ModeSMTP, true)
 	defer c.Close()