On Mon, Aug 02, 2021 at 04:11:42PM -0400, John Levine <[email protected]> wrote:
> People in the web world are in a kerfuffle about an attack called ALPACA
> which (leaving out a lot of details) gets a web browser to send requests to
> a non-web server and then get the browser to interpret the responses in
> unfortunate ways. Most of the unfortunateness comes from the server replying
> to invalid commands and including parts of the commands in the reply.
> Since most mail servers will let you send a lot of invalid commands, the bad
> guy can splice a lot of bits of invalid command response together.
>
> It occurs to me that real mail clients almost never send invalid commands, so
> if a server sees more than, say, two of them, it's not a real client, so it's
> better to disconnect.
>
> I don't see a parameter to limit the number of bad commands in a session. Is
> there one? Would it be hard to add?
>
> R's,
> John
>
> PS: I know this is not our problem but the web crowd can be awfully pushy.

It's already there, and it stops at the first invalid command:

    smtpd_forbidden_commands (default: CONNECT GET POST regexp:{{/^[^A-Z]/ Bogus}})

Perhaps other HTTP request methods could be added
(i.e. HEAD PUT DELETE OPTIONS TRACE PATCH) but it's
probably enough as it is.

cheers,
raf
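
A toy model of the two policies discussed in this thread, added here as an illustration (it is not Postfix code and was not written by either poster): disconnect at the first forbidden command, and disconnect after more than two unrecognized commands. The names run_session, KNOWN_VERBS and MAX_INVALID, the reply strings and the sample sessions are constructed assumptions.

```python
import re

# Model of the default quoted in the reply: three HTTP verbs plus an inline
# pattern. Assumption: the pattern is applied case-insensitively, so it is
# written here as "first character is not a letter".
FORBIDDEN_VERBS = {"CONNECT", "GET", "POST"}
FORBIDDEN_PATTERN = re.compile(r"^[^A-Za-z]")
# Constructed subset of SMTP verbs, enough for the sample sessions.
KNOWN_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_INVALID = 2  # the "say, two" threshold proposed in the question


def run_session(lines):
    """Return (replies, reason), where reason says why the session ended."""
    replies, invalid = [], 0
    for line in lines:
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in FORBIDDEN_VERBS or FORBIDDEN_PATTERN.match(line):
            # First forbidden command ends the session; nothing is echoed.
            replies.append("221 closing connection")
            return replies, "forbidden"
        if verb == "QUIT":
            replies.append("221 bye")
            return replies, "quit"
        if verb in KNOWN_VERBS:
            replies.append("250 ok")
            continue
        invalid += 1
        if invalid > MAX_INVALID:
            replies.append("421 too many errors")
            return replies, "too-many-invalid"
        # Fixed text: the reply never repeats any part of the client's line.
        replies.append("500 command not recognized")
    return replies, "open"


# Constructed sample sessions.
MAIL_CLIENT = ["EHLO client.example", "MAIL FROM:<a@example.org>", "QUIT"]
BROWSER = ["POST /upload HTTP/1.1", "Host: mail.example"]
JUNK = ["FOO one", "BAR two", "BAZ three", "EHLO client.example"]
```
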