[PATCH 04 of 10] Mail: max_commands directive
Maxim Dounin
mdounin at mdounin.ru
Fri Mar 15 18:14:18 UTC 2024
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1710526245 -10800
# Fri Mar 15 21:10:45 2024 +0300
# Node ID c2e67d39c6daab0c67b68aaa199f42975c37d676
# Parent 970059108845286afec7ae37ba5f55b0cf30feef
Mail: max_commands directive.
The directive specifies the maximum number of commands allowed during
authentication, after which the connection is closed. The default
limit is 1000, which is not expected to affect any well-behaving clients,
since authentication usually requires at most several commands, though
it will effectively stop malicious clients from flooding the server with
commands.
diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
--- a/src/mail/ngx_mail.h
+++ b/src/mail/ngx_mail.h
@@ -116,6 +116,7 @@ typedef struct {
ngx_msec_t resolver_timeout;
ngx_uint_t max_errors;
+ ngx_uint_t max_commands;
ngx_str_t server_name;
@@ -234,6 +235,7 @@ typedef struct {
ngx_array_t args;
ngx_uint_t errors;
+ ngx_uint_t commands;
ngx_uint_t login_attempt;
/* used to parse POP3/IMAP/SMTP command */
diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c
--- a/src/mail/ngx_mail_core_module.c
+++ b/src/mail/ngx_mail_core_module.c
@@ -92,6 +92,13 @@ static ngx_command_t ngx_mail_core_comm
offsetof(ngx_mail_core_srv_conf_t, max_errors),
NULL },
+ { ngx_string("max_commands"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_num_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_core_srv_conf_t, max_commands),
+ NULL },
+
ngx_null_command
};
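Review bot: The new `max_commands` entry passes `NULL` as its post handler, so `ngx_conf_set_num_slot` accepts any number, including 0. With the `s->commands > cscf->max_commands` check added in ngx_mail_read_command, `max_commands 0;` rejects the very first parsed command instead of meaning "no limit", which an operator could easily assume. Either document that there is no "unlimited" value, or reject 0 at configuration time with a `ngx_conf_num_bounds_t` post handler (`ngx_conf_check_num_bounds`) in place of the `NULL`.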
@@ -171,6 +178,7 @@ ngx_mail_core_create_srv_conf(ngx_conf_t
cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
cscf->max_errors = NGX_CONF_UNSET_UINT;
+ cscf->max_commands = NGX_CONF_UNSET_UINT;
cscf->resolver = NGX_CONF_UNSET_PTR;
@@ -192,6 +200,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t
30000);
ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+ ngx_conf_merge_uint_value(conf->max_commands, prev->max_commands, 1000);
ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
@@ -896,6 +896,18 @@ ngx_mail_read_command(ngx_mail_session_t
return NGX_ERROR;
}
+ s->commands++;
+
+ if (s->commands > cscf->max_commands) {
+
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "client sent too many commands");
+
+ s->quit = 1;
+
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+
return NGX_OK;
}
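Review bot: The `s->commands++` sits after the function's earlier return paths, so it appears to count only commands that parsed successfully; a comment should say so. The earlier paths are outside this hunk, so presumably parse failures are bounded separately by `max_errors`, along the lines of `/* counts successfully parsed commands only; invalid ones are limited by max_errors */`. The log line `"client sent too many commands"` also omits the configured limit. Adding it, e.g. `"client sent too many commands (limit %ui)", cscf->max_commands`, would let an operator triaging a flood tell a mis-set directive from abusive traffic. It is logged at `NGX_LOG_INFO`, which is below nginx's default `error_log` level, so the event will not appear unless the log level is lowered.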