Server stores email sent to random addresses
Hi, I was looking through my MongoDB instance used by AHEM and see emails are being stored even when the recipient address is not in the allowed domains list. Mailboxes are not being created. Is this the expected behavior?
It seems spammers are just looking for mail servers on random IP addresses and stumbled upon my AHEM server.
It shouldn't. When the destination address is not in the allowed domains it should reject the email before storing it. Probably the code stores it, reads the recipients, and then does not create the mailbox. But it spams MongoDB. I will look into it, though it shouldn't have a real effect if you have the emails deleted after a period of time.
On Tue, Jun 16, 2020, 19:22 Geoffrey Cleaves wrote:
Hi, I was looking through my MongoDB instance used by AHEM and see emails are being stored even when the recipient address is not in the allowed domains list. Mailboxes are not being created. Is this the expected behavior?
It seems spammers are just looking for mail servers on random IP addresses and stumbled upon my AHEM server.
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/o4oren/Ad-Hoc-Email-Server/issues/23, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFTF65QYUNFS6EGFGIK54E3RW6L4VANCNFSM4N7Y35AQ .
As you can see - https://github.com/o4oren/Ad-Hoc-Email-Server/blob/master/server/app/smtp.js - on line 27 there is a validation of the email (unless allowedDomains is not set or only has my.domain.com). When failed, the RCPT TO: phase of SMTP should fail and the email would not be written to the db. I will look into it, give me a few days.
On Tue, Jun 16, 2020 at 7:40 PM Oren Geva wrote:
It shouldn't. When the destination address is not in the allowed domains it should reject the email before storing it. Probably the code stores it, reads the recipients, and then does not create the mailbox. But it spams MongoDB. I will look into it, though it shouldn't have a real effect if you have the emails deleted after a period of time.
I've confirmed that I have set up allowedDomains as evidenced when visiting the /api/properties endpoint on my server.
Looking at smtp.js, I guess onData completes before onRcptTo has a chance to return an error. onData saves the email to Mongo.
The client should not be able to send data though because the rcpt to command will fail. SMTP protocol runs these commands serially.
On Sat, Jun 20, 2020, 23:59 Geoffrey Cleaves wrote:
Looking at smtp.js, I guess onData completes before onRcptTo has a chance to return an error. onData saves the email to Mongo.
Hi. Do you think this issue will receive any attention or is it unlikely to be fixed?
I don't know. Right now it's not high on my priority list.
On Thu, Jul 30, 2020, 11:15 Geoffrey Cleaves wrote:
Hi. Do you think this issue will receive any attention or is it unlikely to be fixed?
#36 resolves the issue. There is a missing negation symbol (!) in the validateEmail function.
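Added example, not part of the thread and not the project's code: a recipient allow-list check wired into a handler, showing how a dropped `!` flips the RCPT TO decision so that mail for unlisted domains reaches DATA and gets stored. It assumes the onRcptTo hook named in the thread follows the smtp-server library's (address, session, callback) convention; all function names, the `inverted` flag and the sample addresses are hypothetical and do not reconstruct the actual validateEmail code.

```javascript
// Added illustration; every name here is hypothetical, not taken from AHEM's smtp.js.
const PLACEHOLDER = 'my.domain.com'; // value the thread says leaves the check disabled

// Domain part of a recipient address, lowercased; null when malformed.
function domainOf(rcpt) {
  const at = typeof rcpt === 'string' ? rcpt.lastIndexOf('@') : -1;
  if (at <= 0 || at === rcpt.length - 1) return null;
  return rcpt.slice(at + 1).toLowerCase().replace(/\.$/, '');
}

function isAllowedRecipient(rcpt, allowedDomains) {
  const list = (allowedDomains || []).map((d) => d.toLowerCase());
  // Unset list or only the placeholder: validation is skipped, as described in the thread.
  if (list.length === 0 || (list.length === 1 && list[0] === PLACEHOLDER)) return true;
  const domain = domainOf(rcpt);
  return domain !== null && list.includes(domain); // exact match, no subdomains
}

// Handler with the (address, session, callback) shape of smtp-server's onRcptTo.
// inverted=true models a dropped "!": the reject branch fires for allowed
// recipients and every other address is accepted and reaches DATA.
function makeOnRcptTo(allowedDomains, { inverted = false } = {}) {
  return (address, session, callback) => {
    const ok = isAllowedRecipient(address.address, allowedDomains);
    const reject = inverted ? ok : !ok;
    if (reject) {
      const err = new Error('Recipient domain not accepted');
      err.responseCode = 550; // sent to the client as the RCPT TO reply
      return callback(err);
    }
    return callback(); // 250: recipient accepted, DATA may follow
  };
}

// Drive a handler with a constructed recipient and report the SMTP reply code.
function rcptOutcome(handler, rcpt) {
  let code = 250;
  handler({ address: rcpt }, {}, (err) => { if (err) code = err.responseCode || 550; });
  return code;
}

// Constructed sample recipients; example.test stands in for a configured domain.
const samples = ['user@example.test', 'USER@Example.Test', 'x@sub.example.test',
  'spam@random.invalid', 'no-at-sign'];
for (const [label, opts] of [['correct', {}], ['inverted', { inverted: true }]]) {
  const handler = makeOnRcptTo(['example.test'], opts);
  console.log(label, samples.map((r) => `${r}=${rcptOutcome(handler, r)}`).join(' '));
}
```

A regression test that sends RCPT TO for an unlisted domain and expects a 550 reply catches this class of inversion before any message reaches the database.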