
Mailpit allows nested MAIL command during an active SMTP transaction #623

@rsingha108

Description


Mailpit accepts a nested MAIL command during an active mail transaction (after RCPT TO but before DATA), responding with 250 instead of rejecting the command. This violates SMTP command sequencing rules and allows starting a new transaction without properly concluding or aborting the previous one.

Affected Version

v1.28

Steps to Reproduce

  1. Start Mailpit (Docker image axllent/mailpit:v1.28) and ensure it is listening on 127.0.0.1:8030.
  2. Connect to Mailpit via an SMTP client (e.g., telnet 127.0.0.1 8030).
  3. Issue the following commands in order:
  4. Observe the server’s response to the second MAIL command.

Buggy Behavior

Mailpit replies “250 2.1.0 Ok” to the second MAIL command even though a mail transaction is already open (RCPT accepted, DATA not yet sent).

Expected Behavior

  • The server should reject a second MAIL command during an open transaction with a 503 Bad sequence of commands (or equivalent).
  • As per RFC 5321: [4.1.4] MAIL (or SEND, SOML, or SAML) MUST NOT be sent if a mail transaction is already open, i.e., it should be sent only if no mail transaction had been started in the session, or if the previous one successfully concluded with a successful DATA command, or if the previous one was aborted, e.g., with a RSET or new EHLO.
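The sequencing rule quoted above, shown as a small server-side state machine that rejects a nested MAIL with 503 and replays the transaction from the reproduction steps against it. This is an added illustration, not Mailpit's code: the class, the reply texts, the `replay` helper, the `probe` helper and the sample addresses are assumptions made here; `probe` talks to a live server via the standard-library `smtplib` and is only needed to reproduce the report against a real instance.

```python
"""SMTP command sequencing per RFC 5321 section 4.1.4 (added example, not Mailpit code).

A MAIL command is only valid when no transaction is open, i.e. after EHLO/HELO,
after a transaction concluded with a successful DATA, or after RSET/EHLO aborted it.
"""
import smtplib


class SmtpSession:
    """Tracks just enough state to enforce MAIL -> RCPT -> DATA ordering."""

    def __init__(self):
        self.greeted = False          # EHLO/HELO seen
        self.in_transaction = False   # MAIL accepted, DATA not yet completed
        self.rcpts = []               # recipients accepted in the open transaction
        self.reading_data = False     # between DATA and the terminating "."

    def _reset(self):
        """Abort or conclude the current transaction."""
        self.in_transaction = False
        self.rcpts = []
        self.reading_data = False

    def handle(self, line):
        """Return the server reply for one client line (None while reading a body)."""
        if self.reading_data:
            if line == ".":
                self._reset()                  # transaction successfully concluded
                return "250 2.0.0 Ok: queued"
            return None                        # message body line, no reply
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            self.greeted = True
            self._reset()                      # a new EHLO aborts any open transaction
            return "250 mailpit.local"
        if verb == "RSET":
            self._reset()
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        if verb == "MAIL":
            if not self.greeted:
                return "503 5.5.1 Bad sequence of commands: send EHLO first"
            if self.in_transaction:
                # The case from the report: MAIL while RCPT is accepted and DATA not sent.
                return "503 5.5.1 Bad sequence of commands: transaction already open"
            self.in_transaction = True
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if not self.in_transaction:
                return "503 5.5.1 Bad sequence of commands: need MAIL first"
            self.rcpts.append(line)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.in_transaction or not self.rcpts:
                return "503 5.5.1 Bad sequence of commands: need MAIL and RCPT first"
            self.reading_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 5.5.2 Command not recognized"


def replay(lines):
    """Drive a fresh session through client lines; return the non-empty replies."""
    session = SmtpSession()
    replies = []
    for line in lines:
        reply = session.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies


# Constructed transaction mirroring the report: RCPT accepted, then a second MAIL.
NESTED_MAIL = [
    "EHLO client.example",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.com>",
    "MAIL FROM:<mallory@example.com>",   # must be answered with 503, not 250
]


def probe(host="127.0.0.1", port=8030):
    """Send the same sequence to a live server and return the reply to the second MAIL."""
    with smtplib.SMTP(host, port, timeout=5) as smtp:
        smtp.ehlo("client.example")
        smtp.docmd("MAIL FROM:<alice@example.com>")
        smtp.docmd("RCPT TO:<bob@example.com>")
        code, msg = smtp.docmd("MAIL FROM:<mallory@example.com>")
        smtp.docmd("RSET")
        return code, msg.decode(errors="replace")


if __name__ == "__main__":
    for line, reply in zip(NESTED_MAIL, replay(NESTED_MAIL)):
        print(f"C: {line}\nS: {reply}")
```

Running the file prints the modelled exchange; calling `probe()` against a Mailpit instance bound to 127.0.0.1:8030 returns the live reply code for the second MAIL (a 250 reproduces the report, a 503 indicates the expected behaviour).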

Labels: bug