fix: reject empty HELO/EHLO with 501 per RFC 5321

EHLO/HELO require a domain or address-literal argument. Previously the server accepted bare EHLO with no argument and responded 250, which deviates from the spec and makes the honeypot easier to fingerprint.
2026-04-14 00:30:46 -04:00
parent c2f7622fbb
commit 5631d09aa8
2 changed files with 19 additions and 0 deletions
--- a/tests/service_testing/test_smtp.py
+++ b/tests/service_testing/test_smtp.py
@@ -114,6 +114,20 @@ def test_ehlo_returns_250_multiline(relay_mod):
    assert "PIPELINING" in combined


+def test_ehlo_empty_domain_rejected(relay_mod):
+    proto, _, written = _make_protocol(relay_mod)
+    _send(proto, "EHLO")
+    replies = _replies(written)
+    assert any(r.startswith("501") for r in replies)
+
+
+def test_helo_empty_domain_rejected(relay_mod):
+    proto, _, written = _make_protocol(relay_mod)
+    _send(proto, "HELO")
+    replies = _replies(written)
+    assert any(r.startswith("501") for r in replies)
+
+
 # ── OPEN RELAY MODE ───────────────────────────────────────────────────────────

 class TestOpenRelay: