[GH-ISSUE #621] MAIL FROM accepted before HELO/EHLO greeting #390

Closed
opened 2026-03-15 14:11:44 +03:00 by kerem · 1 comment

Originally created by @rsingha108 on GitHub (Jan 21, 2026).
Original GitHub issue: https://github.com/axllent/mailpit/issues/621

Description

Mailpit accepts a MAIL FROM command before any HELO/EHLO greeting, returning a 250 response instead of rejecting the command. This violates SMTP sequencing requirements and allows a mail transaction to start without the mandatory greeting phase.

Affected Version

v1.28

Steps to Reproduce

  1. Start Mailpit (Docker: axllent/mailpit:v1.28) and ensure it is listening on 127.0.0.1:8030.
  2. From a terminal, connect to Mailpit: telnet 127.0.0.1 8030 (or nc 127.0.0.1 8030 ensuring CRLF line endings).
  3. After the 220 banner, send: MAIL FROM:<alice@example.com> followed by CRLF.
  4. Observe the server’s response.

Buggy Behavior

Mailpit responds with 250 2.1.0 Ok to MAIL FROM even though no HELO/EHLO was issued first, allowing the transaction to proceed.

Expected Behavior

The server should reject MAIL FROM before any HELO/EHLO with 503 Bad sequence of commands (or an equivalent 5.5.x error).
As per RFC [4.1.1.1]: "In any event, a client MUST issue HELO or EHLO before starting a mail transaction."
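The sequencing rule the report expects, shown as an added example (this is not Mailpit's code, and the command set and reply texts are assumptions): a minimal Go model of the SMTP command states that refuses MAIL FROM with 503 until a HELO/EHLO has been received, and then applies the same ordering check to RCPT TO and DATA. The `main` replays the reproduction steps from the report against the model.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// state tracks where a session is in the RFC 5321 command sequence.
type state int

const (
	stateConnected state = iota // 220 banner sent, no HELO/EHLO received yet
	stateGreeted                // HELO/EHLO accepted; a transaction may start
	stateMail                   // MAIL FROM accepted; waiting for RCPT TO
	stateRcpt                   // at least one RCPT TO accepted; DATA allowed
)

// Session is a hypothetical, minimal SMTP sequencing model (example code,
// not Mailpit's implementation). It checks command order only; it does not
// validate addresses, read the message body, or talk to a socket.
type Session struct {
	st state
}

// Handle processes one command line (without CRLF) and returns the reply line.
func (s *Session) Handle(line string) string {
	verb, _, _ := strings.Cut(strings.TrimSpace(line), " ")
	switch strings.ToUpper(verb) {
	case "HELO", "EHLO":
		// A greeting (re)starts the session; any in-progress transaction is discarded.
		s.st = stateGreeted
		return "250 example.test Hello"
	case "MAIL":
		// The reported case: MAIL FROM before any greeting must be refused.
		if s.st == stateConnected {
			return "503 5.5.1 Bad sequence of commands: send HELO/EHLO first"
		}
		if s.st != stateGreeted {
			return "503 5.5.1 Bad sequence of commands: transaction already in progress"
		}
		s.st = stateMail
		return "250 2.1.0 Ok"
	case "RCPT":
		if s.st != stateMail && s.st != stateRcpt {
			return "503 5.5.1 Bad sequence of commands: send MAIL FROM first"
		}
		s.st = stateRcpt
		return "250 2.1.5 Ok"
	case "DATA":
		if s.st != stateRcpt {
			return "503 5.5.1 Bad sequence of commands: send RCPT TO first"
		}
		// Body handling is out of scope; treat the body as consumed and end the transaction.
		s.st = stateGreeted
		return "354 End data with <CR><LF>.<CR><LF>"
	case "RSET":
		// RSET aborts a transaction but does not count as a greeting.
		if s.st != stateConnected {
			s.st = stateGreeted
		}
		return "250 2.0.0 Ok"
	case "QUIT":
		return "221 2.0.0 Bye"
	default:
		return "500 5.5.2 Command not recognized"
	}
}

// ReplyCode extracts the three-digit status code from a reply line (0 if malformed).
func ReplyCode(reply string) int {
	if len(reply) < 3 {
		return 0
	}
	code, err := strconv.Atoi(reply[:3])
	if err != nil {
		return 0
	}
	return code
}

// Replay feeds a scripted client dialogue to a fresh Session and returns the replies.
func Replay(commands []string) []string {
	s := &Session{}
	replies := make([]string, 0, len(commands))
	for _, c := range commands {
		replies = append(replies, s.Handle(c))
	}
	return replies
}

func main() {
	script := []string{ // constructed dialogue mirroring the report's reproduction steps
		"MAIL FROM:<alice@example.com>", // 503: no greeting yet
		"EHLO client.example.com",
		"MAIL FROM:<alice@example.com>", // 250 now that the session is greeted
		"RCPT TO:<bob@example.com>",
		"DATA",
	}
	for i, reply := range Replay(script) {
		fmt.Printf("C: %s\nS: %s\n", script[i], reply)
	}
}
```

The point of the model is that the greeting is a session-level precondition, not part of the transaction: RSET clears a transaction but leaves the session ungreeted, so MAIL FROM after RSET-without-EHLO still gets 503, while a fresh HELO/EHLO always resets to the greeted state.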

kerem closed this issue and added the bug label (2026-03-15 14:11:44 +03:00).

@axllent commented on GitHub (Jan 24, 2026):

I have released v1.28.4 (https://github.com/axllent/mailpit/releases/tag/v1.28.4) which includes a fix for this. Thank you (and your AI tools) for finding the bug.
