From a520d623224197e417b278853c8d6ff112461dfa Mon Sep 17 00:00:00 2001
From: Runxi Yu
Date: Sun, 12 Jan 2025 13:49:27 +0800
Subject: Reject STARTTLS when already active or with excessive parameters

---
 mta_recv.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/mta_recv.go b/mta_recv.go
index 3f7f473..0ca81d9 100644
--- a/mta_recv.go
+++ b/mta_recv.go
@@ -56,6 +56,16 @@ func handle_incoming_server_connection(buf_conn *bufio.ReadWriter, net_conn *net
 switch_cmd:
 switch cmd {
 case "STARTTLS":
+ if param != "" {
+ _, _ = buf_conn.WriteString("501 5.5.4 Syntax error (no parameters allowed)\r\n")
+ _ = buf_conn.Flush()
+ break
+ }
+ if tls_conn != nil {
+ _, _ = buf_conn.WriteString("554 5.5.1 Error: TLS already active\r\n")
+ _ = buf_conn.Flush()
+ break
+ }
 _, _ = buf_conn.WriteString("220 2.0.0 Ready to start TLS\r\n")
 _ = buf_conn.Flush()
 tls_conn = tls.Server(*net_conn, tls_config)
-- cgit v1.2.3
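Review bot: Neither new guard covers bytes the client pipelined behind STARTTLS. If `buf_conn`'s reader already holds data when `tls.Server(*net_conn, tls_config)` wraps the raw connection, that plaintext could later be parsed as though it had arrived inside the TLS session. This assumes the command loop keeps draining the same buffered reader after the handshake, which cannot be confirmed because the rest of the `case "STARTTLS":` body lies outside this hunk. A third guard placed before the `220` reply, `if buf_conn.Reader.Buffered() > 0 {`, would close this; it should send an error reply and then either `break` like the two guards above or drop the connection. A short comment on that guard should say that nothing received before the handshake may be trusted afterwards.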