smtpserver: also allow space after "MAIL FROM:" and "RCPT TO:" command for SMTP delivery (unless in pedantic mode)

we already allowed it for (authenticated) SMTP submission. it turns out also legitimate senders can use this invalid syntax to deliver messages. for issue #101 by Fell, thanks for reporting & explaining!
2024-12-26 16:33:47 +03:00 · 2023-12-11 15:34:11 +01:00 · 2023-12-11 15:34:11 +01:00 · af5da17623
commit af5da17623
parent 02eb7b5033
1 changed files with 8 additions and 8 deletions
--- a/smtpserver/server.go
+++ b/smtpserver/server.go
@ -1285,10 +1285,10 @@ func (c *conn) cmdMail(p *parser) {
 		}
 	}()
 	p.xtake(" FROM:")
-	// note: no space after colon. ../rfc/5321:1093
+	// note: no space allowed after colon. ../rfc/5321:1093
-	// Allow illegal space for submission only, not for regular SMTP. Microsoft Outlook
+	// Microsoft Outlook 365 Apps for Enterprise sends it with submission. For delivery
-	// 365 Apps for Enterprise sends it.
+	// it is mostly used by spammers, but has been seen with legitimate senders too.
-	if c.submission && !moxvar.Pedantic {
+	if !moxvar.Pedantic {
 		p.space()
 	}
 	rawRevPath := p.xrawReversePath()
@ -1426,10 +1426,10 @@ func (c *conn) cmdRcpt(p *parser) {
 	// ../rfc/5321:1985
 	p.xtake(" TO:")
-	// note: no space after colon. ../rfc/5321:1093
+	// note: no space allowed after colon. ../rfc/5321:1093
-	// Allow illegal space for submission only, not for regular SMTP. Microsoft Outlook
+	// Microsoft Outlook 365 Apps for Enterprise sends it with submission. For delivery
-	// 365 Apps for Enterprise sends it.
+	// it is mostly used by spammers, but has been seen with legitimate senders too.
-	if c.submission && !moxvar.Pedantic {
+	if !moxvar.Pedantic {
 		p.space()
 	}
 	var fpath smtp.Path