smtp: Validate mail transaction and disable SMTP analyzer if excessive

An invalid mail transaction is determined as * RCPT TO command without a preceding MAIL FROM * a DATA command without a preceding RCPT TO and logged as a weird. The testing pcap for invalid mail transactions was produced with a Python script against a local exim4 configured to accept more errors and unknown commands than 3 by default: # exim4.conf.template smtp_max_synprot_errors = 100 smtp_max_unknown_commands = 100 See also: https://www.rfc-editor.org/rfc/rfc5321#section-3.3
2025-10-17 14:08:20 +00:00 · 2023-03-23 17:13:52 +01:00 · 2023-03-23 17:13:52 +01:00 · b8dc6ad120
commit b8dc6ad120
parent 0eccd8a7a2
14 changed files with 1649 additions and 1506 deletions
--- a/testing/btest/Baseline/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/out
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/out
@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+XXXXXXXXXX.XXXXXX, disabling_analyzer, CHhAvVGS1DHFjwGM9, Analyzer::ANALYZER_SMTP, 3
--- a/testing/btest/Baseline/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/smtp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/smtp.log
@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	smtp
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	cc	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	tls	fuids
+#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	bool	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	1	Bob-PC	bob@example.org	alice@example.org	-	-	-	-	-	-	-	-	-	-	-	250 OK id=1pgobK-001mwq-ED	127.0.0.1,127.0.0.1	-	F	(empty)
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	2	Bob-PC	-	alice@example.org	-	-	-	-	-	-	-	-	-	-	-	500 unrecognized command	127.0.0.1,127.0.0.1	-	F	(empty)
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	2	Bob-PC	bob@example.org	-	-	-	-	-	-	-	-	-	-	-	-	500 unrecognized command	127.0.0.1,127.0.0.1	-	F	(empty)
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.mail-transactions-invalid-disable-analyzer/weird.log
@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	smtp_mail_transaction_invalid	rcpt to missing mail from	F	zeek	SMTP
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	44478	127.0.0.1	25	smtp_excessive_invalid_mail_transactions	-	F	zeek	SMTP
+#close XXXX-XX-XX-XX-XX-XX