nginx.git/src/mail/ngx_mail_smtp_handler.c, branch release-1.30.0 nginx Mail: host validation. 2026-03-24T14:46:08+00:00 Roman Arutyunyan arut@nginx.com 2026-02-26T07:52:53+00:00 6f3145006b41a4ec464eed4093553a335d35e8ac Now host name resolved from client address is validated to only contain the characters specified in RFC 1034, Section 3.5. The validation allows to avoid injections when using the resolved host name in auth_http and smtp proxy. Reported by Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and Bird Liu (Lanzhou University). 
Now host name resolved from client address is validated to only contain
the characters specified in RFC 1034, Section 3.5.  The validation allows
to avoid injections when using the resolved host name in auth_http and
smtp proxy.

Reported by Asim Viladi Oglu Manizada, Colin Warren,
Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
Bird Liu (Lanzhou University).
Mail: reset stale auth credentials with "smtp_auth none;". 2025-08-13T14:20:34+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-07T19:48:44+00:00 9c02c84a7443f3d736a1a5eb3f596de9af8a0c9c They might be reused in a session if an SMTP client proceeded unauthenticated after previous invalid authentication attempts. This could confuse an authentication server when passing stale credentials along with "Auth-Method: none". The condition to send the "Auth-Salt" header is similarly refined. 
They might be reused in a session if an SMTP client proceeded
unauthenticated after previous invalid authentication attempts.
This could confuse an authentication server when passing stale
credentials along with "Auth-Method: none".

The condition to send the "Auth-Salt" header is similarly refined.
Mail: added missing event handling after reading data. 2021-03-05T14:16:17+00:00 Maxim Dounin mdounin@mdounin.ru 2021-03-05T14:16:17+00:00 065a1641b242538073e92065e20fd788203108ab If we need to be notified about further events, ngx_handle_read_event() needs to be called after a read event is processed. Without this, an event can be removed from the kernel and won't be reported again, notably when using oneshot event methods, such as eventport on Solaris. For consistency, existing ngx_handle_read_event() call removed from ngx_mail_read_command(), as this call only covers one of the code paths where ngx_mail_read_command() returns NGX_AGAIN. Instead, appropriate processing added to the callers, covering all code paths where NGX_AGAIN is returned. 
If we need to be notified about further events, ngx_handle_read_event()
needs to be called after a read event is processed.  Without this,
an event can be removed from the kernel and won't be reported again,
notably when using oneshot event methods, such as eventport on Solaris.

For consistency, existing ngx_handle_read_event() call removed from
ngx_mail_read_command(), as this call only covers one of the code paths
where ngx_mail_read_command() returns NGX_AGAIN.  Instead, appropriate
processing added to the callers, covering all code paths where NGX_AGAIN
is returned.
Mail: added missing event handling after blocking events. 2021-03-05T14:16:16+00:00 Maxim Dounin mdounin@mdounin.ru 2021-03-05T14:16:16+00:00 8ed63c936c1493a25bdcb351a812de1ebac8b976 As long as a read event is blocked (ignored), ngx_handle_read_event() needs to be called to make sure no further notifications will be triggered when using level-triggered event methods, such as select() or poll(). 
As long as a read event is blocked (ignored), ngx_handle_read_event()
needs to be called to make sure no further notifications will be
triggered when using level-triggered event methods, such as select() or
poll().
Mail: fixed duplicate resolving. 2019-08-01T10:50:07+00:00 Maxim Dounin mdounin@mdounin.ru 2019-08-01T10:50:07+00:00 abe660636c93315b4acb8531b83aec8d309d2eca When using SMTP with SSL and resolver, read events might be enabled during address resolving, leading to duplicate ngx_mail_ssl_handshake_handler() calls if something arrives from the client, and duplicate session initialization - including starting another resolving. This can lead to a segmentation fault if the session is closed after first resolving finished. Fix is to block read events while resolving. Reported by Robert Norris, http://mailman.nginx.org/pipermail/nginx/2019-July/058204.html. 
When using SMTP with SSL and resolver, read events might be enabled
during address resolving, leading to duplicate ngx_mail_ssl_handshake_handler()
calls if something arrives from the client, and duplicate session
initialization - including starting another resolving.  This can lead
to a segmentation fault if the session is closed after first resolving
finished.  Fix is to block read events while resolving.

Reported by Robert Norris,
http://mailman.nginx.org/pipermail/nginx/2019-July/058204.html.
Mail: make it possible to disable SASL EXTERNAL. 2017-01-12T16:22:03+00:00 Sergey Kandaurov pluknet@nginx.com 2017-01-12T16:22:03+00:00 b5a3cc3781e95068cd8d0d8c84a7d8296b6682e6 






Mail: support SASL EXTERNAL (RFC 4422).
2016-10-08T07:05:00+00:00

Rob N ★
robn@fastmail.com

2016-10-08T07:05:00+00:00

66c23edf6308867572d5c4b8341e7a3fe7e97864

This is needed to allow TLS client certificate auth to work. With
ssl_verify_client configured, the auth daemon can choose to allow the
connection to proceed based on the certificate data.

This has been tested with Thunderbird for IMAP only. I've not yet found a
client that will do client certificate auth for POP3 or SMTP, and the method is
not really documented anywhere that I can find. That said, its simple enough
that the way I've done is probably right.





This is needed to allow TLS client certificate auth to work. With
ssl_verify_client configured, the auth daemon can choose to allow the
connection to proceed based on the certificate data.

This has been tested with Thunderbird for IMAP only. I've not yet found a
client that will do client certificate auth for POP3 or SMTP, and the method is
not really documented anywhere that I can find. That said, its simple enough
that the way I've done is probably right.







Style.
2016-03-30T08:52:16+00:00

Ruslan Ermilov
ru@nginx.com

2016-03-30T08:52:16+00:00

7ad57da59821294255610545b2b5ce07e74124a5












Mail: discard pipelined commands after SMTP STARTTLS.
2014-08-05T08:22:07+00:00

Maxim Dounin
mdounin@mdounin.ru

2014-08-05T08:22:07+00:00

44f45a54667275878236991afab0472c209dac78

The bug had appeared in nginx 1.5.6 (04e43d03e153).

Reported by Chris Boulton.





The bug had appeared in nginx 1.5.6 (04e43d03e153).

Reported by Chris Boulton.







Mail: added a check for the number of arguments in MAIL/RCPT.
2014-05-21T17:56:20+00:00

Maxim Dounin
mdounin@mdounin.ru

2014-05-21T17:56:20+00:00

ca02a1020c41cc771d4ed6f854213edf594b4480

Missed during introduction of the SMTP pipelining support (04e43d03e153,
1.5.6).  Previously, the check wasn't needed as s->buffer was used directly
and the number of arguments didn't matter.

Reported by Svyatoslav Nikolsky.





Missed during introduction of the SMTP pipelining support (04e43d03e153,
1.5.6).  Previously, the check wasn't needed as s->buffer was used directly
and the number of arguments didn't matter.

Reported by Svyatoslav Nikolsky.