@blamejs/core 0.9.49 → 0.10.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +952 -908
- package/index.js +25 -0
- package/lib/_test/crypto-fixtures.js +67 -0
- package/lib/agent-event-bus.js +52 -6
- package/lib/agent-idempotency.js +169 -16
- package/lib/agent-orchestrator.js +263 -9
- package/lib/agent-posture-chain.js +163 -5
- package/lib/agent-saga.js +146 -16
- package/lib/agent-snapshot.js +349 -19
- package/lib/agent-stream.js +34 -2
- package/lib/agent-tenant.js +179 -23
- package/lib/agent-trace.js +84 -21
- package/lib/auth/aal.js +8 -1
- package/lib/auth/ciba.js +6 -1
- package/lib/auth/dpop.js +7 -2
- package/lib/auth/fal.js +17 -8
- package/lib/auth/jwt-external.js +128 -4
- package/lib/auth/oauth.js +232 -10
- package/lib/auth/oid4vci.js +67 -7
- package/lib/auth/openid-federation.js +71 -25
- package/lib/auth/passkey.js +140 -6
- package/lib/auth/sd-jwt-vc.js +78 -5
- package/lib/circuit-breaker.js +10 -2
- package/lib/cli.js +13 -0
- package/lib/compliance.js +176 -8
- package/lib/crypto-field.js +114 -14
- package/lib/crypto.js +216 -20
- package/lib/db.js +1 -0
- package/lib/guard-graphql.js +37 -0
- package/lib/guard-jmap.js +321 -0
- package/lib/guard-managesieve-command.js +566 -0
- package/lib/guard-pop3-command.js +317 -0
- package/lib/guard-regex.js +138 -1
- package/lib/guard-smtp-command.js +58 -3
- package/lib/guard-xml.js +39 -1
- package/lib/mail-agent.js +20 -7
- package/lib/mail-arc-sign.js +12 -8
- package/lib/mail-auth.js +323 -34
- package/lib/mail-crypto-pgp.js +934 -0
- package/lib/mail-crypto-smime.js +340 -0
- package/lib/mail-crypto.js +108 -0
- package/lib/mail-dav.js +1224 -0
- package/lib/mail-deploy.js +492 -0
- package/lib/mail-dkim.js +431 -26
- package/lib/mail-journal.js +435 -0
- package/lib/mail-scan.js +502 -0
- package/lib/mail-server-imap.js +64 -26
- package/lib/mail-server-jmap.js +488 -0
- package/lib/mail-server-managesieve.js +853 -0
- package/lib/mail-server-mx.js +40 -30
- package/lib/mail-server-pop3.js +836 -0
- package/lib/mail-server-rate-limit.js +13 -0
- package/lib/mail-server-submission.js +70 -24
- package/lib/mail-server-tls.js +445 -0
- package/lib/mail-sieve.js +557 -0
- package/lib/mail-spam-score.js +284 -0
- package/lib/mail.js +99 -0
- package/lib/metrics.js +80 -3
- package/lib/middleware/dpop.js +58 -3
- package/lib/middleware/idempotency-key.js +255 -42
- package/lib/middleware/protected-resource-metadata.js +114 -2
- package/lib/network-dns-resolver.js +33 -0
- package/lib/network-tls.js +46 -0
- package/lib/otel-export.js +13 -4
- package/lib/outbox.js +62 -12
- package/lib/pqc-agent.js +13 -5
- package/lib/retry.js +23 -9
- package/lib/router.js +23 -1
- package/lib/safe-ical.js +634 -0
- package/lib/safe-icap.js +502 -0
- package/lib/safe-mime.js +15 -0
- package/lib/safe-sieve.js +684 -0
- package/lib/safe-smtp.js +57 -0
- package/lib/safe-url.js +37 -0
- package/lib/safe-vcard.js +473 -0
- package/lib/self-update-standalone-verifier.js +32 -3
- package/lib/self-update.js +153 -33
- package/lib/vendor/MANIFEST.json +161 -156
- package/lib/vendor-data.js +127 -9
- package/lib/vex.js +324 -59
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
package/lib/mail-server-mx.js
CHANGED
|
@@ -116,7 +116,6 @@
|
|
|
116
116
|
*/
|
|
117
117
|
|
|
118
118
|
var net = require("node:net");
|
|
119
|
-
var nodeTls = require("node:tls");
|
|
120
119
|
var lazyRequire = require("./lazy-require");
|
|
121
120
|
var C = require("./constants");
|
|
122
121
|
var bCrypto = require("./crypto");
|
|
@@ -128,6 +127,7 @@ var validateOpts = require("./validate-opts");
|
|
|
128
127
|
var guardSmtpCommand = require("./guard-smtp-command");
|
|
129
128
|
var guardDomain = require("./guard-domain");
|
|
130
129
|
var mailServerRateLimit = require("./mail-server-rate-limit");
|
|
130
|
+
var mailServerTls = require("./mail-server-tls");
|
|
131
131
|
var { defineClass } = require("./framework-error");
|
|
132
132
|
|
|
133
133
|
var audit = lazyRequire(function () { return require("./audit"); });
|
|
@@ -210,7 +210,10 @@ function create(opts) {
|
|
|
210
210
|
MailServerMxError, "mail-server-mx/bad-opts");
|
|
211
211
|
if (!opts.tlsContext) {
|
|
212
212
|
throw new MailServerMxError("mail-server-mx/no-tls-context",
|
|
213
|
-
"mail.server.mx.create: tlsContext is required (no implicit plaintext mode)"
|
|
213
|
+
"mail.server.mx.create: tlsContext is required (no implicit plaintext mode). " +
|
|
214
|
+
"Use b.mail.server.tls.context({ certFile, keyFile, watch: true }) to load + " +
|
|
215
|
+
"auto-reload a cert/key pair from disk, or pass a node:tls.createSecureContext " +
|
|
216
|
+
"output directly. Cert provisioning lives in b.acme (RFC 8555 + RFC 9773 ARI).");
|
|
214
217
|
}
|
|
215
218
|
numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
|
|
216
219
|
["maxLineBytes", "maxMessageBytes", "maxRcptsPerMessage", "idleTimeoutMs"],
|
|
@@ -554,39 +557,46 @@ function create(opts) {
|
|
|
554
557
|
return;
|
|
555
558
|
}
|
|
556
559
|
_writeReply(socket, REPLY_220_READY, "2.0.0 Ready to start TLS");
|
|
557
|
-
//
|
|
558
|
-
//
|
|
559
|
-
// collector
|
|
560
|
-
//
|
|
561
|
-
//
|
|
560
|
+
// CVE-2021-38371 (Exim) / CVE-2021-33515 (Dovecot) STARTTLS-
|
|
561
|
+
// injection defense: clear the pre-handshake command buffer +
|
|
562
|
+
// body collector AND strip the plain-socket "data" listener
|
|
563
|
+
// before wrapping in TLSSocket so bytes the peer pipelined
|
|
564
|
+
// (RFC 2920) pre-handshake cannot reach the post-TLS state
|
|
565
|
+
// machine. Listener-removal + idle-timeout re-arm live in the
|
|
566
|
+
// shared upgradeSocket helper (b.mail.server.tls.upgradeSocket).
|
|
562
567
|
lineBuffer = "";
|
|
563
568
|
bodyCollector = null;
|
|
564
569
|
inDataBody = false;
|
|
565
|
-
|
|
566
|
-
|
|
570
|
+
mailServerTls.upgradeSocket({
|
|
571
|
+
plainSocket: socket,
|
|
567
572
|
secureContext: opts.tlsContext,
|
|
568
|
-
|
|
569
|
-
|
|
570
|
-
|
|
571
|
-
|
|
572
|
-
|
|
573
|
-
|
|
574
|
-
|
|
575
|
-
|
|
576
|
-
|
|
577
|
-
|
|
578
|
-
|
|
579
|
-
|
|
580
|
-
|
|
581
|
-
|
|
582
|
-
|
|
583
|
-
|
|
584
|
-
|
|
585
|
-
|
|
586
|
-
|
|
587
|
-
"
|
|
573
|
+
idleTimeoutMs: idleTimeoutMs,
|
|
574
|
+
onSecure: function (_tlsSocket) {
|
|
575
|
+
state.tls = true;
|
|
576
|
+
// After the handshake, the state machine restarts at EHLO
|
|
577
|
+
// (per RFC 3207 §4.2 — client MUST re-issue EHLO).
|
|
578
|
+
state.stage = "ehlo";
|
|
579
|
+
state.helo = null;
|
|
580
|
+
},
|
|
581
|
+
onData: function (tlsSocket, chunk) {
|
|
582
|
+
try { _ingestBytes(state, tlsSocket, chunk); }
|
|
583
|
+
catch (err) {
|
|
584
|
+
_emit("mail.server.mx.handler_threw",
|
|
585
|
+
{ connectionId: state.id, error: (err && err.message) || String(err) },
|
|
586
|
+
"failure");
|
|
587
|
+
_closeConnection(tlsSocket);
|
|
588
|
+
}
|
|
589
|
+
},
|
|
590
|
+
onError: function (err) {
|
|
591
|
+
_emit("mail.server.mx.tls_handshake_failed",
|
|
592
|
+
{ connectionId: state.id, code: (err && err.code) || "unknown",
|
|
593
|
+
message: err && err.message }, "failure");
|
|
594
|
+
_closeConnection(socket);
|
|
595
|
+
},
|
|
596
|
+
onTimeout: function (tlsSocket) {
|
|
597
|
+
_writeReply(tlsSocket, REPLY_421_SERVICE_NOT_AVAIL, "4.4.2 Idle timeout");
|
|
588
598
|
_closeConnection(tlsSocket);
|
|
589
|
-
}
|
|
599
|
+
},
|
|
590
600
|
});
|
|
591
601
|
}
|
|
592
602
|
|