server: Allow authentication only once

Closes #151.
emersion · Jul 22, 2021 · df83e63 · df83e63
1 parent 17a4bee
commit df83e63
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 3 deletions.
diff --git a/conn.go b/conn.go
@@ -48,6 +48,7 @@ type Conn struct {
 
 	fromReceived bool
 	recipients   []string
+	didAuth      bool
 }
 
 func newConn(c net.Conn, s *Server) *Conn {
@@ -501,6 +502,10 @@ func (c *Conn) handleAuth(arg string) {
 		c.WriteResponse(502, EnhancedCode{5, 5, 1}, "Please introduce yourself first.")
 		return
 	}
+	if c.didAuth {
+		c.WriteResponse(503, EnhancedCode{5, 5, 1}, "Already authenticated")
+		return
+	}
 
 	parts := strings.Fields(arg)
 	if len(parts) == 0 {
@@ -573,9 +578,8 @@ func (c *Conn) handleAuth(arg string) {
 		}
 	}
 
-	if c.Session() != nil {
-		c.WriteResponse(235, EnhancedCode{2, 0, 0}, "Authentication succeeded")
-	}
+	c.WriteResponse(235, EnhancedCode{2, 0, 0}, "Authentication succeeded")
+	c.didAuth = true
 }
 
 func (c *Conn) handleStartTLS() {
@@ -610,6 +614,7 @@ func (c *Conn) handleStartTLS() {
 		session.Logout()
 		c.SetSession(nil)
 	}
+	c.didAuth = false
 	c.reset()
 }
 

diff --git a/server_test.go b/server_test.go
@@ -260,6 +260,38 @@ func testServerAuthenticated(t *testing.T) (be *backend, s *smtp.Server, c net.C
 	return
 }
 
+func TestServerAuthTwice(t *testing.T) {
+	_, _, c, scanner, caps := testServerEhlo(t)
+
+	if _, ok := caps["AUTH PLAIN"]; !ok {
+		t.Fatal("AUTH PLAIN capability is missing when auth is enabled")
+	}
+
+	io.WriteString(c, "AUTH PLAIN AHVzZXJuYW1lAHBhc3N3b3Jk\r\n")
+	scanner.Scan()
+	if !strings.HasPrefix(scanner.Text(), "235 ") {
+		t.Fatal("Invalid AUTH response:", scanner.Text())
+	}
+
+	io.WriteString(c, "AUTH PLAIN AHVzZXJuYW1lAHBhc3N3b3Jk\r\n")
+	scanner.Scan()
+	if !strings.HasPrefix(scanner.Text(), "503 ") {
+		t.Fatal("Invalid AUTH response:", scanner.Text())
+	}
+
+	io.WriteString(c, "RSET\r\n")
+	scanner.Scan()
+	if !strings.HasPrefix(scanner.Text(), "250 ") {
+		t.Fatal("Invalid AUTH response:", scanner.Text())
+	}
+
+	io.WriteString(c, "AUTH PLAIN AHVzZXJuYW1lAHBhc3N3b3Jk\r\n")
+	scanner.Scan()
+	if !strings.HasPrefix(scanner.Text(), "503 ") {
+		t.Fatal("Invalid AUTH response:", scanner.Text())
+	}
+}
+
 func TestServerCancelSASL(t *testing.T) {
 	_, _, c, scanner, caps := testServerEhlo(t)