Feature #8393

open

Task #8388: firewall: support protocol hooks for all app-layer protocols

firewall: support SMTP hook states for firewall rule evaluation

Added by Yash Datre 4 days ago. Updated 3 days ago.

Status: New
Priority: High
Assignee: -
Target version:
Effort:
Difficulty:
Label:

Description

SMTP is a widely deployed protocol that network firewalls commonly need to inspect and control. In Suricata 8.0.4, SMTP app-layer hook states are not registered for firewall mode. Attempting to use any smtp:* hook in a firewall rule fails with the error: "protocol smtp does not support hook".

Without SMTP hooks, SMTP traffic on port 25/587 cannot be inspected at the application layer in firewall mode. Packet-layer rules can accept the TCP handshake, but once the SMTP app-layer parser engages, the flow is dropped by default_app_policy because no hooks exist for the firewall engine to evaluate.

This prevents common firewall use cases such as:
  • Allowing or blocking SMTP based on sender/recipient commands
  • Inspecting MAIL FROM / RCPT TO for policy enforcement
  • Controlling DATA transfer based on content inspection
  • Enforcing STARTTLS requirements

Potential SMTP states:
  • Connected
  • HELO/EHLO sent
  • Server greeting received
  • MAIL FROM sent
  • RCPT TO sent
  • DATA command sent
  • Message body transfer
  • Message accepted
  • QUIT sent
  • Connection closed
  • STARTTLS initiated
  • Authentication in progress

These states should be mapped to firewall hook points that allow rules to make accept/drop decisions at meaningful protocol transitions — for example, after EHLO, after MAIL FROM/RCPT TO, during DATA transfer, after STARTTLS negotiation, etc.
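To make the proposed mapping concrete, here is an added illustrative model (not Suricata code and not from the issue author): it walks a client's SMTP command sequence through the states listed above, asks a policy callback for an accept/drop verdict at each hook point, and uses the "enforce STARTTLS" use case as the sample policy. The hook names, the `Session`/`run_session` API and the sample traffic are all constructed for this example.

```python
from dataclasses import dataclass, field

# Hypothetical mapping from client command verb to the hook state a firewall
# engine would evaluate; names follow the "Potential SMTP states" list above.
COMMAND_HOOKS = {
    "HELO": "helo_sent", "EHLO": "helo_sent",
    "STARTTLS": "starttls_initiated", "AUTH": "auth_in_progress",
    "MAIL": "mail_from_sent", "RCPT": "rcpt_to_sent",
    "DATA": "data_sent", "QUIT": "quit_sent",
}

@dataclass
class Session:
    state: str = "connected"
    tls_started: bool = False
    trace: list = field(default_factory=list)  # (hook, verdict) per evaluated hook

def require_starttls(session, hook, line):
    """Example policy: drop envelope/data commands sent in cleartext, i.e.
    before the client issued STARTTLS (the 'Enforcing STARTTLS' use case)."""
    if hook in ("mail_from_sent", "rcpt_to_sent", "data_sent") and not session.tls_started:
        return "drop"
    return "accept"

def run_session(client_lines, policy):
    """Walk client command lines through the state machine, asking the policy
    for a verdict at each hook. Stops on a drop, or once STARTTLS is issued,
    because everything after that is encrypted and invisible to the engine."""
    s = Session()
    for line in client_lines:
        parts = line.split(None, 1)
        hook = COMMAND_HOOKS.get(parts[0].upper()) if parts else None
        if hook is None:          # no hook state for this command: nothing to evaluate
            continue
        verdict = policy(s, hook, line)
        s.trace.append((hook, verdict))
        if verdict == "drop":
            s.state = "connection_closed"
            break
        s.state = hook
        if hook == "starttls_initiated":
            s.tls_started = True
            break
    return s

# Constructed sample client traffic (server replies omitted).
PLAINTEXT = ["EHLO mx.example.test", "MAIL FROM:<a@example.test>",
             "RCPT TO:<b@example.test>", "DATA", "QUIT"]
WITH_TLS = ["EHLO mx.example.test", "STARTTLS", "MAIL FROM:<a@example.test>"]

if __name__ == "__main__":
    print(run_session(PLAINTEXT, require_starttls).trace)  # drop at mail_from_sent
    print(run_session(WITH_TLS, require_starttls).trace)   # accept at helo_sent, starttls_initiated
```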
