authOptional and maxAllowedUnauthenticatedCommands #161

Open
clizSec opened this issue Jan 25, 2021 · 1 comment

clizSec commented Jan 25, 2021

When using AUTH as optional via the authOptional: true flag, the default of maxAllowedUnauthenticatedCommands cannot be changed, as it expects the value to be a number. maxAllowedUnauthenticatedCommands: false cannot be set, as it will take the default, which is 10.

// Max allowed unauthenticated commands
this._maxAllowedUnauthenticatedCommands = this._server.options.maxAllowedUnauthenticatedCommands || 10;

cannot be false

I fixed it on my end by using maxAllowedUnauthenticatedCommands: Infinity, but the better way of handling it is by adding sanity to the condition below, to check for the authOptional: true flag which was set in the initial options.


Before

// block users that try to fiddle around without logging in
if (!this.session.user && this._isSupported('AUTH') && commandName !== 'AUTH' && this._maxAllowedUnauthenticatedCommands !== false) {
    this._unauthenticatedCommands++;
    if (this._unauthenticatedCommands >= this._maxAllowedUnauthenticatedCommands) {
        return this.send(421, 'Error: too many unauthenticated commands');
    }
}

After

// block users that try to fiddle around without logging in
if (!this.session.user && this._isSupported('AUTH') && !this._server.options.authOptional && commandName !== 'AUTH' && this._maxAllowedUnauthenticatedCommands !== false) {
    this._unauthenticatedCommands++;
    if (this._unauthenticatedCommands >= this._maxAllowedUnauthenticatedCommands) {
        return this.send(421, 'Error: too many unauthenticated commands');
    }
}

Added !this._server.options.authOptional


What do you think?
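
The behaviour reported above can be reproduced in isolation. This is an added example, not part of the original issue and not the project's code: the function names, the `honourAuthOptional` switch and the alternative resolver are hypothetical, and the loop only models the counter logic quoted in the issue.

```javascript
// Added example; all function names here are hypothetical, not the library's API.
const DEFAULT_LIMIT = 10;

// Resolution as quoted in the issue: any falsy value (false, 0) becomes 10.
function resolveLimitOriginal(options) {
    return options.maxAllowedUnauthenticatedCommands || DEFAULT_LIMIT;
}

// Alternative resolution (assumption): only an unset option gets the default,
// so an explicit `false` survives and the `!== false` check can see it.
function resolveLimitExplicit(options) {
    const value = options.maxAllowedUnauthenticatedCommands;
    return value === undefined || value === null ? DEFAULT_LIMIT : value;
}

// Replays `count` non-AUTH commands from a session that never logs in.
// Returns the 1-based index of the command answered with 421, or null.
// `honourAuthOptional` switches between the "Before" and "After" conditions.
function firstRejectedCommand(options, resolveLimit, count, honourAuthOptional) {
    const limit = resolveLimit(options);
    let unauthenticated = 0;
    for (let i = 1; i <= count; i++) {
        const skipped = honourAuthOptional && Boolean(options.authOptional);
        if (!skipped && limit !== false) {
            unauthenticated++;
            if (unauthenticated >= limit) {
                return i; // 421 Error: too many unauthenticated commands
            }
        }
    }
    return null;
}

// Constructed option sets matching the cases discussed in the issue.
const withFalse = { authOptional: true, maxAllowedUnauthenticatedCommands: false };
const withInfinity = { authOptional: true, maxAllowedUnauthenticatedCommands: Infinity };

console.log(firstRejectedCommand(withFalse, resolveLimitOriginal, 50, false));    // "Before", false ignored
console.log(firstRejectedCommand(withInfinity, resolveLimitOriginal, 50, false)); // reporter's workaround
console.log(firstRejectedCommand(withFalse, resolveLimitOriginal, 50, true));     // "After" condition
console.log(firstRejectedCommand(withFalse, resolveLimitExplicit, 50, false));    // false honoured
```

With the "After" condition, a server started with authOptional: true applies no unauthenticated-command cap at all, so any throttling of clients that never log in has to be enforced elsewhere.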

andris9 (Member) commented Jan 25, 2021

Seems reasonable, can you make a PR?
