Proposed patch to enforce STARTTLS before MAIL FROM

Community Proposed lists at
Mon Mar 4 19:06:58 UTC 2019

Hello, in nginx 1.14.2 using a configuration directive of 'starttls only;' and
'smtp_auth none;' I noticed this was only applied to the AUTH section of the
SMTP transaction.  I have written the below to be applied to the MAIL FROM
section which should be enforced over STARTTLS.  MAIL FROM should occur before
RCPT TO and DATA to avoid out of sequence errors.  Scenarios where the patch
changes would be seen in the real world would be for NGINX in front of an MTA
which is the final destination.  Without enforcing STARTTLS before the MAIL
FROM the full conversation inclusive of the DATA command can occur in clear
text during testing.

--- /tmp/nginx-1.14.2/src/mail/ngx_mail_smtp_handler.c  2018-12-04
09:52:24.000000000 -0500
+++ /root/src/nginx-1.14.2/src/mail/ngx_mail_smtp_handler.c     2019-03-04
13:27:56.514409692 -0500
@@ -46,7 +46,7 @@
static u_char  smtp_invalid_argument[] = "501 5.5.4 Invalid argument" CRLF;
static u_char  smtp_auth_required[] = "530 5.7.1 Authentication required" CRLF;
static u_char  smtp_bad_sequence[] = "503 5.5.1 Bad sequence of commands" CRLF;
+static u_char  smtp_tls_required[] = "530 5.7.0 Must issue a STARTTLS command
first" CRLF;

 static ngx_str_t  smtp_unavailable = ngx_string("[UNAVAILABLE]");
static ngx_str_t  smtp_tempunavail = ngx_string("[TEMPUNAVAIL]");
@@ -441,6 +441,13 @@

             case NGX_SMTP_MAIL:
+/* Nathan Fowler <nathan at>, 2019-03-04 */
+                if (ngx_mail_starttls_only(s, c)) {
+                    ngx_str_set(&s->out, smtp_tls_required);
+                    break;
+                }
                 rc = ngx_mail_smtp_mail(s, c);


More information about the nginx-devel mailing list