infrastructure/mox
1
0
Fork 0
mirror of https://github.com/mjl-/mox.git synced 2025-06-28 02:28:15 +03:00
Code Issues Packages Projects Releases Wiki Activity

in smtp banner and imap ID command response when unauthenticated, don't send the mox version number

Browse Source 
Attackers scanning the internet can use it to easily create a database of
hosts, software and versions. Let's not make it too easy to find old versions
that may be vulnerable to potential bugs found in the future. We could try
hiding the name "mox" as well, but the banner will still be identifyable, so
there isn't much point, and the public knowing approximately which software is
running can be useful for debugging.

The ID command in IMAP is used by clients to announce their software and
version. We only respond with our version when the user is authenticated.

There are still ways to discover the version number. But they don't involve
standard banner scanning, so someone would have to specifically target mox. We
could tighten that in the future.

For issue #322, based on email. Thanks everyone for discussing.
This commit is contained in:
Mechiel Lukkien 2025-03-28 17:46:08 +01:00
parent 789e4875ca
commit 68729fa5a3
No known key found for this signature in database
2 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
imapserver/server.go
View File

@ -1837,8 +1837,12 @@ func (c *conn) cmdID(tag, cmd string, p *parser) {
c.log.Info("client id", slog.Any("params", params))
// Response syntax: ../rfc/2971:243
// We send our name and version. ../rfc/2971:193
c.bwritelinef(`* ID ("name" "mox" "version" %s)`, string0(moxvar.Version).pack(c))
// We send our name, and only the version for authenticated users. ../rfc/2971:193
if c.state == stateAuthenticated || c.state == stateSelected {
c.bwritelinef(`* ID ("name" "mox" "version" %s)`, string0(moxvar.Version).pack(c))
} else {
c.bwritelinef(`* ID ("name" "mox")`)
}
c.ok(tag, cmd)
}

3
smtpserver/server.go
View File

@ -52,7 +52,6 @@ import (
"github.com/mjl-/mox/mlog"
"github.com/mjl-/mox/mox-"
"github.com/mjl-/mox/moxio"
"github.com/mjl-/mox/moxvar"
"github.com/mjl-/mox/publicsuffix"
"github.com/mjl-/mox/queue"
"github.com/mjl-/mox/ratelimit"
@ -1001,7 +1000,7 @@ func serve(listenerName string, cid int64, hostname dns.Domain, tlsConfig *tls.C
// We include the string ESMTP. https://cr.yp.to/smtp/greeting.html recommends it.
// Should not be too relevant nowadays, but does not hurt and default blackbox
// exporter SMTP health check expects it.
c.writelinef("%d %s ESMTP mox %s", smtp.C220ServiceReady, c.hostname.ASCII, moxvar.Version)
c.writelinef("%d %s ESMTP mox", smtp.C220ServiceReady, c.hostname.ASCII)
for {
command(c)