From b5d61c3f6ead1284cb54b6f30e3e907f9c8a7ffe Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@dovecot.fi>
Date: Sun, 28 Jan 2018 00:14:21 +0100
Subject: [PATCH] submission: Properly handle omission of required
 authentication for relay connection.

Particularly, do not forward the 530 error to the client. Instead, log the
problem and close the client connection with an internal error.
---
 src/submission/submission-commands.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/submission/submission-commands.c b/src/submission/submission-commands.c
index 6c844f5ef8..8f2cbf37df 100644
--- a/src/submission/submission-commands.c
+++ b/src/submission/submission-commands.c
@@ -46,6 +46,19 @@ bool client_command_handle_proxy_reply(struct client *client,
 		client_destroy(client,
 			"4.4.0", "Lost connection to relay server");
 		return FALSE;
+	/* RFC 4954, Section 6: 530 5.7.0 Authentication required
+
+	   This response SHOULD be returned by any command other than AUTH,
+	   EHLO, HELO, NOOP, RSET, or QUIT when server policy requires
+	   authentication in order to perform the requested action and
+	   authentication is not currently in force. */
+	case 530:
+		i_error("Relay server requires authentication: %s",
+			smtp_reply_log(reply));
+		client_destroy(client, "4.3.5",
+			"Internal error occurred. "
+			"Refer to server log for more information.");
+		return FALSE;
 	default:
 		break;
 	}