No, it's a qmail bug.

502 should only be sent for commands which are valid, recognized, but not
implemented. A command which is not recognized at all (and thus, all invalid
commands) should return 500. (4.2.4)

It is, actually, trivial to fix qmail-smtpd to return the right error number
(I have). I can't think of any valid reason why unknown commands give 502
replies instead of 500 in there.

-- Marc A. Pelletier

Err, no. You need not recognize a command that you do not implement at all.
It would be perfectly legal to respond with 500 to a SOML FROM command for
instance. (Indeed, 4.2.2 defines 500 as "Syntax error, *command not
recognized*" [emphasis mine]). If you want just the one error, then it
should be 500 not 502.

Replying 502 is, quite clearly, intended to mean "I know what you're trying to
do, but I don't implement that". Responding 502 to a command which is not
valid breaks that.

4.5.1 gives the (very short) list of commands which an SMTP implementation
must recognize. Anything not in that list is fair game to a 500.
Again, you *can* return 500 to a command that exists but you don't recognize
yourself.
Permitted, but not needed. In fact, RFC 2821 says you should do the opposite.

And while we are picking nits, the well intentionned behavior of qmail-smtpd
of breaking the connection when it receives a bare CR or LF is also forbidden
(4.5.2 states: "The mail data may contain any of the 128 ASCII characters.
All characters are to be delivered to the recipient's mailbox, including
spaces, vertical and horizontal tabs, and other control characters.")

Remember that the fact that your client MUST NOT send bare CR or LF [2.3.7]
doesn't mean that you are allowed to drop the connection because it does.
Indeed, [3.9] forbids closing the connection unless you have accepted a QUIT
command or have to forcibly close with with a 421 whose message text is fixed
[4.2] and which means the service must shut down (nothing about errors in
protocol there).

Keep the golden rule of interoperability in mind. "Be exacting in what you
provide, and lenient in what you accept."

That said, I don't beleive it is entirely unreasonable to refuse messages
containing bare CR or LF to coerce broken implementations to be fixed. It
should be refused with an appropriate reply code, tough, and not shut the
connection down. Perhaps 554 might be appropriate.

-- Marc A. Pelletier

Bill Gates does that a lot. But he makes up for it by simulating "code
fatness". ;) (just being funny)
Isn't "unimplemented" meant for those situations where an RFC is written
later than older codde to which it applies?

AA> If I strictly adhere to the RFC, I have to code handlers
AA> for all SMTP commands, even those I don't implement.

If you strictly adhere to the RFC, you have to code handlers for all SMTP
commands _that you recognise_, even those that you don't implement. You are
not required to recognise all possible SMTP commands, however.

AA> [...] if I already respond 502 to any command I don't
AA> implement [...]

You are actually talking about responding 502 to any command that you don't
_recognise_, which the RFC says one ought not to do.