From: Martijn van Duren <openbsd+tech@list.imperialat.at>
Subject: Re: smtpd: Don't allow max-rcpt lower 100
To: tech@openbsd.org
Date: Fri, 2 Jan 2026 18:26:41 +0100

On 1/2/26 17:42, Kirill A. Korinsky wrote:
> On Fri, 02 Jan 2026 17:05:34 +0100,
> Martijn van Duren <openbsd+tech@list.imperialat.at> wrote:
>>
>> According to RFC5321 section 4.5.3.1.8 we aren't allowed to have a
>> max-rcpt lower than 100 (MUST). This diff prevents admins from setting
>> max-rcpt to anything lower than 100.
>>
>> OK?
>>
> 
> Not sure that it right, but maybe add reference to RFC section here as a
> reason why we enforce that magic constatn?
> 
After some back and forth with kirill I see the utility of having a
reference to the RFC as an explanation for the arbitrary number, but
finding the right words is hard. Below is what we ended up with, but
if someone can come up with a better phrasing it would be appreciated.

diff /usr/src
path + /usr/src
commit - b9146a17035f22954d6f1be04af1b32218d3b317
blob - b4cf1f21ddb02dce7a4911285e33eebfcf517067
file + usr.sbin/smtpd/parse.y
--- usr.sbin/smtpd/parse.y
+++ usr.sbin/smtpd/parse.y
@@ -2037,6 +2037,12 @@ limits_smtp	: opt_limit_smtp limits_smtp
 
 opt_limit_smtp : STRING NUMBER {
 			if (!strcmp($1, "max-rcpt")) {
+				if ($2 < 100) {
+					yyerror("RFC5321 requires "
+					    "max-rcpt >= 100");
+					free($1);
+					YYERROR;
+				}
 				conf->sc_session_max_rcpt = $2;
 			}
 			else if (!strcmp($1, "max-mails")) {