Description
aioSMTPD accepts the invalid recipient syntax “RCPT TO:Postmaster” (missing angle brackets) and returns 250 OK, instead of rejecting it as a bad recipient address. The special Postmaster case that MUST be supported requires angle brackets; without them, the command should be rejected.
Affected Version
1.4.6
Steps to Reproduce
- Start the aioSMTPD server on 127.0.0.1:8034.
- Connect to the server (e.g., telnet 127.0.0.1 8034).
- Issue the commands in order:
- Observe the server’s response to the RCPT command.
Buggy Behavior
The server responds “250 OK” to “RCPT TO:Postmaster”, accepting the recipient without angle brackets.
Expected Behavior
The server should reject “RCPT TO:Postmaster” as invalid recipient syntax and return a 501 5.1.7-style error, only accepting the special Postmaster case when enclosed in angle brackets (“RCPT TO:”).
As per RFC 5321 [4.5.1]: "[4.5.1] The requirement to accept mail for postmaster implies that RCPT commands that specify a mailbox for postmaster at any of the domains for which the SMTP server provides mail service, as well as the special case of "RCPT TO:" (with no domain specification), MUST be supported."
Description
aioSMTPD accepts the invalid recipient syntax “RCPT TO:Postmaster” (missing angle brackets) and returns 250 OK, instead of rejecting it as a bad recipient address. The special Postmaster case that MUST be supported requires angle brackets; without them, the command should be rejected.
Affected Version
1.4.6
Steps to Reproduce
Buggy Behavior
The server responds “250 OK” to “RCPT TO:Postmaster”, accepting the recipient without angle brackets.
Expected Behavior
The server should reject “RCPT TO:Postmaster” as invalid recipient syntax and return a 501 5.1.7-style error, only accepting the special Postmaster case when enclosed in angle brackets (“RCPT TO:”).
As per RFC 5321 [4.5.1]: "[4.5.1] The requirement to accept mail for postmaster implies that RCPT commands that specify a mailbox for postmaster at any of the domains for which the SMTP server provides mail service, as well as the special case of "RCPT TO:" (with no domain specification), MUST be supported."