Add option trusted_host_patterns

config/defaults.inc.php

@@ -475,6 +475,11 @@ $config['ip_check'] = false;
 // X_FORWARDED_* and X_REAL_IP headers are only accepted from these IPs
 $config['proxy_whitelist'] = array();
 
+// List of trusted host names
+// since $_SERVER['SERVER_NAME'] can be modified via the Host header
+// An empty list accepts any host name.
+$config['trusted_host_patterns'] = array();
+
 // check referer of incoming requests
 $config['referer_check'] = false;
 

program/lib/Roundcube/rcube_smtp.php

@@ -102,7 +102,8 @@ class rcube_smtp
             $helo_host = $CONFIG['smtp_helo_host'];
         }
         else if (!empty($_SERVER['SERVER_NAME'])) {
-            $helo_host = preg_replace('/:\d+$/', '', $_SERVER['SERVER_NAME']);
+            $server_name = rcube_utils::server_name();
+            $helo_host = preg_replace('/:\d+$/', '', $server_name);
         }
         else {
             $helo_host = 'localhost';

program/lib/Roundcube/rcube_utils.php

@@ -604,6 +604,30 @@ class rcube_utils
         return str_replace(array('%n', '%t', '%d', '%h', '%z', '%s'), array($n, $t, $d, $h, $z, $s[2]), $name);
     }
 
+    /**
+     * Returns the server name after checking it against trusted hostname patterns,
+     * otherwise returns localhost
+     *
+     * @return string Server name
+     */
+    public static function server_name()
+    {
+        $server_name = $_SERVER['SERVER_NAME'];
+        $trusted_host_patterns = rcube::get_instance()->config->get('trusted_host_patterns', array());
+
+        if (empty($trusted_host_patterns) || in_array($server_name, $trusted_host_patterns)) {
+            return $server_name;
+        }
+
+        foreach ($trusted_host_patterns as $pattern) {
+            if (preg_match("/$pattern/", $server_name)) {
+                return $server_name;
+            }
+        }
+
+        return 'localhost';
+    }
+
     /**
      * Returns remote IP address and forwarded addresses if found
      *