[GH-ISSUE #622] Mailpit accepts RCPT TO with malformed source route syntax instead of rejecting it #389

New issue

Closed

opened 2026-03-15 14:11:44 +03:00 by kerem · 1 comment

kerem commented 2026-03-15 14:11:44 +03:00

Owner

Copy link

Originally created by @rsingha108 on GitHub (Jan 21, 2026).
Original GitHub issue: https://github.com/axllent/mailpit/issues/622

Description

Mailpit accepts an invalid RCPT TO address that includes a malformed source route (missing the required colon), returning 250 OK instead of rejecting the syntax error. This permits delivery attempts to an invalid recipient address and violates SMTP syntax handling per RFC 5321 §4.1.1.3.

Affected Version

v1.28

Steps to Reproduce

1. Ensure Mailpit is running on 127.0.0.1:8030 (docker image: axllent/mailpit:v1.28)
2. Connect to the SMTP port (e.g., telnet 127.0.0.1 8030).
3. Issue the following commands in order:

• EHLO client.example
• MAIL FROM:alice@example.com
• RCPT TO:<@route.example user@example.com>

4. Observe the server’s response to the RCPT TO command.

Buggy Behavior

Mailpit responds “250 2.1.5 Ok” to RCPT TO:<@route.example user@example.com>, accepting a recipient address with an invalid source route syntax (missing the colon).

Expected Behavior

The server should reject the malformed recipient address with a 501 syntax error (e.g., “501 Syntax error in parameters or arguments”) because the source route is not correctly formed.
As per RFC 5321 [4.1.1.3]: "[4.1.1.3] Receiving systems MUST recognize source route syntax but SHOULD strip off the source route specification and utilize the domain name associated with the mailbox as if the source route had not been provided."

Originally created by @rsingha108 on GitHub (Jan 21, 2026). Original GitHub issue: https://github.com/axllent/mailpit/issues/622 ### Description Mailpit accepts an invalid RCPT TO address that includes a malformed source route (missing the required colon), returning 250 OK instead of rejecting the syntax error. This permits delivery attempts to an invalid recipient address and violates SMTP syntax handling per RFC 5321 §4.1.1.3. ### Affected Version v1.28 ### Steps to Reproduce 1. Ensure Mailpit is running on 127.0.0.1:8030 (docker image: axllent/mailpit:v1.28) 2. Connect to the SMTP port (e.g., telnet 127.0.0.1 8030). 3. Issue the following commands in order: - EHLO client.example - MAIL FROM:<alice@example.com> - RCPT TO:<@route.example user@example.com> 4. Observe the server’s response to the RCPT TO command. ### Buggy Behavior Mailpit responds “250 2.1.5 Ok” to RCPT TO:<@route.example user@example.com>, accepting a recipient address with an invalid source route syntax (missing the colon). ### Expected Behavior The server should reject the malformed recipient address with a 501 syntax error (e.g., “501 Syntax error in parameters or arguments”) because the source route is not correctly formed. As per RFC 5321 [4.1.1.3]: "[4.1.1.3] Receiving systems MUST recognize source route syntax but SHOULD strip off the source route specification and utilize the domain name associated with the mailbox as if the source route had not been provided."

kerem 2026-03-15 14:11:44 +03:00

• closed this issue
• added the
  invalid
  label

kerem commented 2026-03-15 14:12:00 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (Jan 23, 2026):

Thank you, but this issue was already fixed in v1.28.3.

<!-- gh-comment-id:3788158684 --> @axllent commented on GitHub (Jan 23, 2026): Thank you, but this issue was already fixed in v1.28.3.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

v1.29.7

v1.29.6

v1.29.5

v1.29.4

v1.29.3

v1.29.2

v1.29.1

v1.29.0

v1.28.4

v1.28.3

v1.28.2

v1.28.1

v1.28.0

v1.27.11

v1.27.10

v1.27.9

v1.27.8

v1.27.7

v1.27.6

v1.27.5

v1.27.4

v1.27.3

v1.27.2

v1.27.1

v1.27.0

v1.26.2

v1.26.1

v1.26.0

v1.25.1

v1.25.0

v1.24.2

v1.24.1

v1.24.0

v1.23.2

v1.23.1

v1.23.0

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.21.1

v1.21.0

v1.20.7

v1.20.6

v1.20.5

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.18.7

v1.18.6

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.1

v1.15.0

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.0

v1.10.4

v1.10.3

v1.10.2

v1.10.1

v1.10.0

v1.9.10

v1.9.9

v1.9.8

v1.9.7

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.1

v1.7.0

v1.6.22

v1.6.21

v1.6.20

v1.6.19

v1.6.18

v1.6.17

v1.6.16

v1.6.15

v1.6.14

v1.6.13

v1.6.12

v1.6.11

v1.6.10

v1.6.9

v1.6.8

v1.6.7

v1.6.6

v1.6.5

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.0

v1.3.11

v1.3.10

v1.3.9

v1.3.8

v1.3.7

v1.3.6

v1.3.5

v1.3.4

v1.3.3

v1.3.2

v1.3.1

v1.3.0

v1.2.9

v1.2.8

v1.2.7

v1.2.6

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.7

1.1.6

1.1.5

1.1.4

1.1.3

1.1.2

1.1.1

1.1.0

1.0.0

1.0.0-beta1

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

0.0.9

0.0.8

0.0.7

0.0.6

0.0.5

0.0.4

0.0.3

0.0.2

0.0.1-beta

Labels

Clear labels   

awaiting feedback

  

bug

  

docker

  

documentation

  

enhancement

  

github_actions

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

wontfix

No labels

awaiting feedback

bug

docker

documentation

enhancement

github_actions

invalid

pull-request

question

stale

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/mailpit#389

No description provided.