[GH-ISSUE #621] MAIL FROM accepted before HELO/EHLO greeting #390

New issue

Closed

opened 2026-03-15 14:11:44 +03:00 by kerem · 1 comment

kerem commented 2026-03-15 14:11:44 +03:00

Owner

Copy link

Originally created by @rsingha108 on GitHub (Jan 21, 2026).
Original GitHub issue: https://github.com/axllent/mailpit/issues/621

Description

Mailpit accepts a MAIL FROM command before any HELO/EHLO greeting, returning a 250 response instead of rejecting the command. This violates SMTP sequencing requirements and allows a mail transaction to start without the mandatory greeting phase.

Affected Version

v1.28

Steps to Reproduce

1. Start Mailpit (Docker: axllent/mailpit:v1.28) and ensure it is listening on 127.0.0.1:8030.
2. From a terminal, connect to Mailpit: telnet 127.0.0.1 8030 (or nc 127.0.0.1 8030 ensuring CRLF line endings).
3. After the 220 banner, send: MAIL FROM:alice@example.com followed by CRLF.
4. Observe the server’s response.

Buggy Behavior

Mailpit responds with 250 2.1.0 Ok to MAIL FROM even though no HELO/EHLO was issued first, allowing the transaction to proceed.

Expected Behavior

The server should reject MAIL FROM before any HELO/EHLO with 503 Bad sequence of commands (or an equivalent 5.5.x error).
As per RFC [4.1.1.1] In any event, a client MUST issue HELO or EHLO before starting a mail transaction.

Originally created by @rsingha108 on GitHub (Jan 21, 2026). Original GitHub issue: https://github.com/axllent/mailpit/issues/621 ### Description Mailpit accepts a MAIL FROM command before any HELO/EHLO greeting, returning a 250 response instead of rejecting the command. This violates SMTP sequencing requirements and allows a mail transaction to start without the mandatory greeting phase. ### Affected Version v1.28 ### Steps to Reproduce 1. Start Mailpit (Docker: axllent/mailpit:v1.28) and ensure it is listening on 127.0.0.1:8030. 2. From a terminal, connect to Mailpit: telnet 127.0.0.1 8030 (or nc 127.0.0.1 8030 ensuring CRLF line endings). 3. After the 220 banner, send: MAIL FROM:<alice@example.com> followed by CRLF. 4. Observe the server’s response. ### Buggy Behavior Mailpit responds with 250 2.1.0 Ok to MAIL FROM even though no HELO/EHLO was issued first, allowing the transaction to proceed. ### Expected Behavior The server should reject MAIL FROM before any HELO/EHLO with 503 Bad sequence of commands (or an equivalent 5.5.x error). As per RFC [4.1.1.1] In any event, a client MUST issue HELO or EHLO before starting a mail transaction.

kerem 2026-03-15 14:11:44 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-03-15 14:12:00 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (Jan 24, 2026):

I have released v1.28.4 which includes a fix for this. Thank you (and your AI tools) for finding the bug.

<!-- gh-comment-id:3795527612 --> @axllent commented on GitHub (Jan 24, 2026): I have released [v1.28.4](https://github.com/axllent/mailpit/releases/tag/v1.28.4) which includes a fix for this. Thank you (and your AI tools) for finding the bug.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

v1.29.7

v1.29.6

v1.29.5

v1.29.4

v1.29.3

v1.29.2

v1.29.1

v1.29.0

v1.28.4

v1.28.3

v1.28.2

v1.28.1

v1.28.0

v1.27.11

v1.27.10

v1.27.9

v1.27.8

v1.27.7

v1.27.6

v1.27.5

v1.27.4

v1.27.3

v1.27.2

v1.27.1

v1.27.0

v1.26.2

v1.26.1

v1.26.0

v1.25.1

v1.25.0

v1.24.2

v1.24.1

v1.24.0

v1.23.2

v1.23.1

v1.23.0

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.21.1

v1.21.0

v1.20.7

v1.20.6

v1.20.5

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.18.7

v1.18.6

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.1

v1.15.0

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.0

v1.10.4

v1.10.3

v1.10.2

v1.10.1

v1.10.0

v1.9.10

v1.9.9

v1.9.8

v1.9.7

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.1

v1.7.0

v1.6.22

v1.6.21

v1.6.20

v1.6.19

v1.6.18

v1.6.17

v1.6.16

v1.6.15

v1.6.14

v1.6.13

v1.6.12

v1.6.11

v1.6.10

v1.6.9

v1.6.8

v1.6.7

v1.6.6

v1.6.5

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.0

v1.3.11

v1.3.10

v1.3.9

v1.3.8

v1.3.7

v1.3.6

v1.3.5

v1.3.4

v1.3.3

v1.3.2

v1.3.1

v1.3.0

v1.2.9

v1.2.8

v1.2.7

v1.2.6

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.7

1.1.6

1.1.5

1.1.4

1.1.3

1.1.2

1.1.1

1.1.0

1.0.0

1.0.0-beta1

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

0.0.9

0.0.8

0.0.7

0.0.6

0.0.5

0.0.4

0.0.3

0.0.2

0.0.1-beta

Labels

Clear labels   

awaiting feedback

  

bug

  

docker

  

documentation

  

enhancement

  

github_actions

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

wontfix

No labels

awaiting feedback

bug

docker

documentation

enhancement

github_actions

invalid

pull-request

question

stale

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/mailpit#390

No description provided.