Skip to content

Replica: fix: send the SMTP greeting line and its CRLF in a single write#79

Open
lucaforni wants to merge 16 commits into
main-modalsourcefrom
flowww-cicd-postal-fix/smtp-greeting-single-write
Open

Replica: fix: send the SMTP greeting line and its CRLF in a single write#79
lucaforni wants to merge 16 commits into
main-modalsourcefrom
flowww-cicd-postal-fix/smtp-greeting-single-write

Conversation

@lucaforni

Copy link
Copy Markdown

Questa PR replica la PR originale: postalserver#3599

Autore originale: @flowww-cicd
Branch originale: fix/smtp-greeting-single-write
Repository originale: flowww-cicd/postal


Summary

The initial 220 greeting is emitted with IO#print, which writes the greeting string and then the $\ output record separator ("\r\n", set in prepare_environment) as two separate writes. On the wire these can be flushed as two TCP segments: the greeting text, then a delayed CRLF.

Impact

Strict clients that read the greeting text before its CRLF arrives may issue EHLO early; the trailing CRLF then arrives prepended to the EHLO reply and breaks their line parsing. Observed in production with Persits AspEmail.NET: the client keeps waiting for a "complete" greeting line, hangs until timeout, and never issues STARTTLS/AUTH — so no mail is ever sent.

TCP is a byte stream (RFC 5321 §2.1), so splitting a response across segments is legal server behaviour and such clients are arguably at fault. But every other response in the SMTP server is already written as a single line; making the greeting consistent (one atomic write, CRLF included) sidesteps the issue at zero cost.

Change

app/lib/smtp_server/server.rb: replace new_io.print("220 … ESMTP Postal/#{client.trace_id}") (string + $\) with new_io.write("220 … ESMTP Postal/#{client.trace_id}\r\n").

The bytes on the wire are identical (the previous print appended the same "\r\n" via $\); they are now guaranteed to be written together. No behaviour change for compliant clients, so existing specs are unaffected.

adamcooke and others added 16 commits February 1, 2026 14:48
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
The app-wide CSP already blocks inline script execution, but the HTML
preview iframe for a stored email was same-origin and un-sandboxed, and
the html_raw response had no per-action hardening. Add a sandbox on the
iframe and tighten the CSP on html_raw to script-src 'none' with
nosniff and no-referrer so the preview has defence in depth against a
future CSP bypass or regression.

Relates to GHSA-f6g9-8555-cw28.
The /img/<server>/<message> endpoint accepted a src=<url> query
parameter and proxied the body of that URL back to the caller. Nothing
in the codebase ever produces a src= parameter — the parser only
inserts a plain tracking pixel and rewrites href links — so this branch
is dead code inherited from the original AppMail import.

Drop the src branch: requests with src now return 400. The no-src path
that serves the tracking pixel and records loads is unchanged, and a
spec covers both the pixel-serving path and the removed branch.
The endpoint and domain option helpers interpolated model attributes
straight into an HTML string before marking the whole buffer html_safe.
Wrap the interpolations in h() so untrusted attributes can't break out
of the surrounding tag.

Also stop the helpers glob in rails_helper from eagerly requiring
_spec.rb files so helper specs can live under spec/helpers/, and add a
small application helper spec covering the escape behaviour.
url_with_return_to only checked that return_to started with a forward
slash, which also allowed protocol-relative values like //host and
/\host. Rails 7.1 already refuses to follow those via redirect_to, so
the user just saw a 500. Reject the same shapes in the helper instead
so we fall back to the default URL cleanly.

Adds a sessions request spec covering the rejected shapes plus the
happy-path relative redirect.
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…rfpg-3xr5)

The Legacy API message lookup endpoints parsed the request body as JSON and
passed the `id` parameter straight through to the message database. A JSON
object supplied for `id` arrived as a Ruby Hash and was used as a raw set of
SQL `WHERE` conditions. `hash_to_sql` interpolated each Hash key directly
inside backtick identifier quoting while escaping only the value, so a key
containing a backtick could break out of the identifier and inject arbitrary
SQL into the SELECT (blind, time-based) against the message database.

Fixes:

- Escape all identifiers (columns, tables, database names) through a new
  `escape_identifier` helper that wraps in backticks and doubles embedded
  backticks. Applied across hash_to_sql, select, insert, insert_multi,
  update and delete so no caller can inject via an identifier.
- Validate the Legacy API `id` parameter at the controller boundary: reject
  any non-scalar value before it reaches the database and coerce it to an
  integer. Internal Hash-based lookups (e.g. tracking middleware) are
  unaffected.

Adds regression tests at the unit (hash_to_sql / escape_identifier) and
request (legacy messages/deliveries) levels.
Webhook and HTTP message endpoint deliveries both flow through
Postal::HTTP, which parsed the user-supplied URL and connected to its
host with no address validation. An authenticated user could point a
webhook or endpoint at a private, loopback or link-local address (e.g.
127.0.0.1, 169.254.169.254 cloud metadata, RFC1918 hosts) and make the
server issue requests into its own internal network.

Add Postal::HTTP::AddressGuard, which resolves the destination host and
rejects private/loopback/link-local/reserved/multicast IPv4 and IPv6
addresses, then pins the connection to the validated address so it cannot
be redirected via a DNS-rebinding race. Administrators can permit specific
destinations via the new postal.allowed_request_destinations config option
(hostnames or IP/CIDR ranges).

Address selection only uses families this server can actually reach so we
do not pin to an IPv6 address on a host without IPv6 connectivity; IPv4 is
preferred for predictability. HTTPEndpoint now validates that its URL is a
well-formed HTTP(S) URL with a host.
The spec relied on the test machine having real IPv6 connectivity,
which GitHub Actions runners do not have.
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
The initial 220 greeting was emitted with IO#print, which writes the string
and then the $\ output record separator ("\r\n", set in prepare_environment)
as two separate writes. These can leave the socket as two TCP segments: the
greeting text, then a delayed CRLF.

Strict clients that read the greeting text before its CRLF arrives may issue
EHLO early; the trailing CRLF then arrives prepended to the EHLO reply and
breaks their line parsing (observed: the client waits for a "complete" reply
and hangs until timeout, never issuing STARTTLS/AUTH). TCP is a byte stream
(RFC 5321 2.1), so this is legal server behaviour, but writing the greeting
line atomically (matching how all other responses are written) avoids
tripping such clients.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants