Reject Non-FQDN bypass via IP address literals [IPv4/v6]

Le_Pham_Ngoc_Nha · June 14, 2026, 11:54am

Description

When ehlo_reject_non_fqdn is enabled, Stalwart still accepts IP address literals (e.g., EHLO [123.45.67.89]).

While IP literals are RFC-compliant, they are heavily exploited by botnets without domains to bypass FQDN filters and brute-force passwords (AUTH LOGIN).

Technical Root Cause

The issue stems from a logical gap between Stalwart and the mail-auth crate. In Stalwart’s SMTP inbound layer:

if self.params.ehlo_reject_non_fqdn && !domain.as_ref().has_valid_labels() {
    return self.write(b"550 5.5.0 Invalid EHLO domain.\r\n").await;
}

The has_valid_labels() implementation in mail-auth loops through chars but ignores square brackets [...]. Since the string contains numbers and dots, it returns true (valid), letting the botnet bypass the FQDN check.

Proposed Solution

Please separate this into two distinct options/levels of enforcement:

Reject Invalid EHLO (Default/Strict Caching): Reject completely malformed strings, raw IPs without brackets, or syntax violations (e.g., EHLO 1.2.3.4 or EHLO botnet).
Reject Non-FQDN / IP Literals: A configurable option (e.g., ehlo_reject_ip_literal) to explicitly block RFC-compliant IP address literals (EHLO [1.2.3.4]) to stop domainless botnets from reaching the AUTH stage.

Topic		Replies	Views
When using CF automatic dns mgnmnt with a token, entering an email will let it fail Issues	2	25	May 20, 2026
DNS TXT record not enclosed with `"` Issues	4	64	May 10, 2026
Error when using specified source IP addresses Questions	5	20	May 31, 2026
IPv6 "only" DNS64/NAT64 & NAT46/SIIT-DC support? Questions	3	23	May 28, 2026
Can we use stalwart with these features? Questions	3	41	June 24, 2026

Reject Non-FQDN bypass via IP address literals [IPv4/v6]

Description

Technical Root Cause

Proposed Solution

Related topics