diff --git a/protocol.go b/protocol.go
index 1b6304c..6465b29 100644
--- a/protocol.go
+++ b/protocol.go
@@ -298,6 +298,11 @@ func (session *session) handleQUIT(cmd command) {
 
 func (session *session) handleAUTH(cmd command) {
 
+	if session.server.Authenticator == nil  {
+		session.reply(502, "AUTH not supported.")
+		return
+	}
+
 	if session.peer.HeloName == "" {
 		session.reply(502, "Please introduce yourself first.")
 		return
diff --git a/smtpd_test.go b/smtpd_test.go
index 4998052..76fb440 100644
--- a/smtpd_test.go
+++ b/smtpd_test.go
@@ -278,6 +278,46 @@ func TestAuthRejection(t *testing.T) {
 
 }
 
+func TestAuthNotSupported(t *testing.T) {
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("Listen failed: %v", err)
+	}
+
+	defer ln.Close()
+
+	cert, err := tls.X509KeyPair(localhostCert, localhostKey)
+	if err != nil {
+		t.Fatalf("Cert load failed: %v", err)
+	}
+
+	server := &smtpd.Server{
+		TLSConfig: &tls.Config{
+			Certificates: []tls.Certificate{cert},
+		},
+		ForceTLS: true,
+	}
+
+	go func() {
+		server.Serve(ln)
+	}()
+
+	c, err := smtp.Dial(ln.Addr().String())
+	if err != nil {
+		t.Fatalf("Dial failed: %v", err)
+	}
+
+	if err := c.StartTLS(&tls.Config{InsecureSkipVerify: true}); err != nil {
+		t.Fatalf("STARTTLS failed: %v", err)
+	}
+
+	if err := c.Auth(smtp.PlainAuth("foo", "foo", "bar", "127.0.0.1")); err == nil {
+		t.Fatal("Auth worked despite no authenticator")
+	}
+
+}
+
 func TestConnectionCheck(t *testing.T) {
 
 	ln, err := net.Listen("tcp", "127.0.0.1:0")