Haraka 2.8.28 → 3.0.1

package/plugins/dkim_sign.js

@@ -6,7 +6,7 @@ const async      = require('async');
 const crypto     = require('crypto');
 const fs         = require('fs');
 const path       = require('path');
-const Stream     = require('stream').Stream;
+const { Stream }     = require('stream');
 
 const utils      = require('haraka-utils');
 
@@ -106,22 +106,26 @@ class DKIMSignStream extends Stream {
         */
 
         const headers = [];
-        for (let i=0; i < this.headers_to_sign.length; i++) {
-            let head = this.header.get(this.headers_to_sign[i]);
+        for (const element of this.headers_to_sign) {
+            let head = this.header.get(element);
             if (head) {
                 head = head.replace(/\r?\n/gm, '');
                 head = head.replace(/\s+/gm, ' ');
                 head = head.replace(/\s+$/gm, '');
-                this.signer.update(`${this.headers_to_sign[i]}:${head}\r\n`);
-                headers.push(this.headers_to_sign[i]);
+                this.signer.update(`${element}:${head}\r\n`);
+                headers.push(element);
             }
         }
 
         // Create DKIM header
-        let dkim_header = `v=1;a=rsa-sha256;bh=${bodyhash};c=relaxed/simple;d=${this.domain_name};h=${headers.join(':')};s=${this.selector};b=`;
+        let dkim_header = `v=1; a=rsa-sha256; c=relaxed/simple; d=${this.domain_name}; s=${this.selector}; h=${headers.join(':')}; bh=${bodyhash}; b=`;
         this.signer.update(`dkim-signature:${dkim_header}`);
         const signature = this.signer.sign(this.private_key, 'base64');
-        dkim_header += signature;
+        dkim_header = `v=1; a=rsa-sha256; c=relaxed/simple;\r\n\td=${this.domain_name}; s=${this.selector};\r\n\th=${headers.join(':')};\r\n\tbh=${bodyhash};\r\n\tb=`;
+        dkim_header += signature.substring(0,74);
+        for (let i=74; i<signature.length; i+=76) {
+            dkim_header += `\r\n\t${signature.substring(i, i+76)}`;
+        }
 
         if (this.end_callback) this.end_callback(null, dkim_header);
         this.end_callback = null;
@@ -139,28 +143,25 @@ class DKIMSignStream extends Stream {
 exports.DKIMSignStream = DKIMSignStream;
 
 exports.register = function () {
-    const plugin = this;
-    plugin.load_dkim_sign_ini();
-    plugin.load_dkim_default_key();
+    this.load_dkim_sign_ini();
+    this.load_dkim_default_key();
 }
 
 exports.load_dkim_sign_ini = function () {
-    const plugin = this;
-    plugin.cfg = plugin.config.get('dkim_sign.ini', {
+    this.cfg = this.config.get('dkim_sign.ini', {
         booleans: [
             '-disabled',
         ]
     },
-    () => { plugin.load_dkim_sign_ini(); }
+    () => { this.load_dkim_sign_ini(); }
     );
 
-    plugin.cfg.headers_to_sign = plugin.get_headers_to_sign();
+    this.cfg.headers_to_sign = this.get_headers_to_sign();
 }
 
 exports.load_dkim_default_key = function () {
-    const plugin = this;
-    plugin.private_key = plugin.config.get('dkim.private.key', 'data', () => {
-        plugin.load_dkim_default_key();
+    this.private_key = this.config.get('dkim.private.key', 'data', () => {
+        this.load_dkim_default_key();
     }).join('\n');
 }
 
@@ -169,37 +170,35 @@ exports.load_key = function (file) {
 }
 
 exports.hook_queue_outbound = exports.hook_pre_send_trans_email = function (next, connection) {
-    const plugin = this;
-    if (plugin.cfg.main.disabled) return next();
+    if (this.cfg.main.disabled) return next();
+    if (!connection?.transaction) return next();
 
-    if (connection.transaction.notes.dkim_signed) {
-        connection.logdebug(plugin, 'already signed');
+    if (connection.transaction.notes?.dkim_signed) {
+        connection.logdebug(this, 'already signed');
         return next();
     }
 
     exports.get_sign_properties(connection, (err, props) => {
+        if (!connection?.transaction) return next();
         // props: selector, domain, & private_key
-        if (err) connection.logerror(plugin, `${err.message}`);
+        if (err) connection.logerror(this, `${err.message}`);
 
-        if (!plugin.has_key_data(connection, props)) {
-            connection.logerror(`missing key data for ${props.selector}.${props.domain}`)
-            return next();
-        }
+        if (!this.has_key_data(connection, props)) return next();
 
-        connection.logdebug(plugin, `domain: ${props.domain}`);
+        connection.logdebug(this, `domain: ${props.domain}`);
 
         const txn = connection.transaction;
-        props.headers = plugin.cfg.headers_to_sign;
+        props.headers = this.cfg.headers_to_sign;
 
         txn.message_stream.pipe(
             new DKIMSignStream(props, txn.header, (err2, dkim_header) => {
                 if (err2) {
-                    txn.results.add(plugin, {err: err2.message});
+                    txn.results.add(this, {err: err2.message});
                     return next(err2);
                 }
 
-                connection.loginfo(plugin, `signed for ${props.domain}`);
-                txn.results.add(plugin, {pass: dkim_header});
+                connection.loginfo(this, `signed for ${props.domain}`);
+                txn.results.add(this, {pass: dkim_header});
                 txn.add_header('DKIM-Signature', dkim_header);
 
                 connection.transaction.notes.dkim_signed = true;
@@ -210,34 +209,36 @@ exports.hook_queue_outbound = exports.hook_pre_send_trans_email = function (next
 }
 
 exports.get_sign_properties = function (connection, done) {
-    const plugin = this;
+    if (!connection.transaction) return;
 
-    const domain = plugin.get_sender_domain(connection);
+    const domain = this.get_sender_domain(connection);
 
     if (!domain) {
-        connection.transaction.results.add(plugin, {msg: 'sending domain not detected', emit: true });
+        connection.transaction.results.add(this, {msg: 'sending domain not detected', emit: true });
     }
 
     const props = { domain }
 
-    plugin.get_key_dir(connection, props, (err, keydir) => {
+    this.get_key_dir(connection, props, (err, keydir) => {
         if (err) {
             console.error(`err: ${err}`);
-            connection.logerror(plugin, err);
+            connection.logerror(this, err);
             return done(new Error(`Error getting DKIM key_dir for ${domain}: ${err}`), props)
         }
 
+        if (!connection.transaction) return done(null, props);
+
         // a directory for ${domain} exists
         if (keydir) {
             props.domain = path.basename(keydir);  // keydir might be apex (vs sub)domain
-            props.private_key = plugin.load_key(path.join('dkim', props.domain, 'private'));
-            props.selector = plugin.load_key(path.join('dkim', props.domain, 'selector')).trim();
+            props.private_key = this.load_key(path.join('dkim', props.domain, 'private'));
+            props.selector = this.load_key(path.join('dkim', props.domain, 'selector')).trim();
 
             if (!props.selector) {
-                connection.transaction.results.add(plugin, {err: `missing selector for domain ${domain}`});
+                connection.transaction.results.add(this, {err: `missing selector for domain ${domain}`});
             }
             if (!props.private_key) {
-                connection.transaction.results.add(plugin, {err: `missing dkim private_key for domain ${domain}`});
+                connection.transaction.results.add(this, {err: `missing dkim private_key for domain ${domain}`});
             }
 
             if (props.selector && props.private_key ) {  // AND has correct files
@@ -246,13 +247,13 @@ exports.get_sign_properties = function (connection, done) {
         }
 
         // try [default / single domain] configuration
-        if (plugin.cfg.main.domain && plugin.cfg.main.selector && plugin.private_key) {
+        if (this.cfg.main.domain && this.cfg.main.selector && this.private_key) {
 
-            connection.transaction.results.add(plugin, {msg: 'using default key', emit: true });
+            connection.transaction.results.add(this, {msg: 'using default key', emit: true });
 
-            props.domain      = plugin.cfg.main.domain;
-            props.private_key = plugin.private_key;
-            props.selector    = plugin.cfg.main.selector;
+            props.domain      = this.cfg.main.domain;
+            props.private_key = this.private_key;
+            props.selector    = this.cfg.main.selector;
 
             return done(null, props)
         }
@@ -263,7 +264,6 @@ exports.get_sign_properties = function (connection, done) {
 }
 
 exports.get_key_dir = function (connection, props, done) {
-    const plugin = this;
 
     if (!props.domain) return done();
 
@@ -285,13 +285,12 @@ exports.get_key_dir = function (connection, props, done) {
         });
     },
     (err, results) => {
-        connection.logdebug(plugin, results);
+        connection.logdebug(this, results);
         done(err, results);
     });
 }
 
 exports.has_key_data = function (conn, props) {
-    const plugin = this;
 
     let missing = undefined;
 
@@ -308,22 +307,21 @@ exports.has_key_data = function (conn, props) {
 
     if (missing) {
         if (props.domain) {
-            conn.lognotice(plugin, `skipped: no ${missing} for ${props.domain}`);
+            conn.lognotice(this, `skipped: no ${missing} for ${props.domain}`);
         }
         else {
-            conn.lognotice(plugin, `skipped: no ${missing}`);
+            conn.lognotice(this, `skipped: no ${missing}`);
         }
         return false;
     }
 
-    conn.logprotocol(plugin, `using selector: ${props.selector} at domain ${props.domain}`);
+    conn.logprotocol(this, `using selector: ${props.selector} at domain ${props.domain}`);
     return true;
 }
 
 exports.get_headers_to_sign = function (cfg) {
-    const plugin = this;
 
-    if (!cfg) cfg = plugin.cfg;
+    if (!cfg) cfg = this.cfg;
     if (!cfg.main.headers_to_sign) return [ 'from' ];
 
     const headers = cfg.main.headers_to_sign
@@ -338,20 +336,16 @@ exports.get_headers_to_sign = function (cfg) {
 }
 
 exports.get_sender_domain = function (connection) {
-    const plugin = this;
-    if (!connection.transaction) {
-        connection.logerror(plugin, 'no transaction!')
-        return;
-    }
 
-    const txn = connection.transaction;
+    const txn = connection?.transaction;
+    if (!txn) return;
 
     // fallback: use Envelope FROM when header parsing fails
     let domain;
     if (txn.mail_from.host) {
         try { domain = txn.mail_from.host.toLowerCase(); }
         catch (e) {
-            connection.logerror(plugin, e);
+            connection.logerror(this, e);
         }
     }
 
@@ -371,7 +365,7 @@ exports.get_sender_domain = function (connection) {
         addrs = addrparser.parse(from_hdr);
     }
     catch (e) {
-        connection.logerror(plugin, `address-rfc2822 failed to parse From header: ${from_hdr}`)
+        connection.logerror(this, `address-rfc2822 failed to parse From header: ${from_hdr}`)
         return domain;
     }
     if (!addrs || ! addrs.length) return domain;
@@ -394,7 +388,7 @@ exports.get_sender_domain = function (connection) {
             domain = (addrparser.parse(sender))[0].host().toLowerCase();
         }
         catch (e) {
-            connection.logerror(plugin, e);
+            connection.logerror(this, e);
         }
     }
     return domain;

package/plugins/dkim_verify.js

@@ -1,7 +1,7 @@
 
 const dkim = require('./dkim');
 
-const DKIMVerifyStream = dkim.DKIMVerifyStream;
+const { DKIMVerifyStream } = dkim;
 
 const plugin = exports;
 
@@ -26,32 +26,33 @@ exports.load_config = function () {
 }
 
 exports.hook_data_post = function (next, connection) {
-    const self = this;
-    const txn = connection.transaction;
+    const txn = connection?.transaction;
+    if (!txn) return next();
+
     const verifier = new DKIMVerifyStream(this.cfg, (err, result, results) => {
         if (err) {
-            txn.results.add(self, { err });
+            txn.results.add(this, { err });
             return next();
         }
         if (!results || results.length === 0) {
-            txn.results.add(self, { skip: 'no/bad dkim signature' });
+            txn.results.add(this, { skip: 'no/bad dkim signature' });
             return next(CONT, 'no/bad signature')
         }
         results.forEach((res) => {
             let res_err = '';
             if (res.error) res_err = ` (${res.error})`;
             connection.auth_results(`dkim=${res.result}${res_err} header.i=${res.identity} header.d=${res.domain} header.s=${res.selector}`);
-            connection.loginfo(self, `identity="${res.identity}" domain="${res.domain}" selector="${res.selector}" result=${res.result} ${res_err}`);
+            connection.loginfo(this, `identity="${res.identity}" domain="${res.domain}" selector="${res.selector}" result=${res.result} ${res_err}`);
 
             // save to ResultStore
             const rs_obj = JSON.parse(JSON.stringify(res));
             if      (res.result === 'pass') { rs_obj.pass = res.domain; }
             else if (res.result === 'fail') { rs_obj.fail = res.domain + res_err; }
             else                            { rs_obj.err  = res.domain + res_err; }
-            txn.results.add(self, rs_obj);
+            txn.results.add(this, rs_obj);
         });
 
-        connection.logdebug(self, JSON.stringify(results));
+        connection.logdebug(this, JSON.stringify(results));
         // Store results for other plugins
         txn.notes.dkim_results = results;
         next();

package/plugins/dns_list_base.js

@@ -10,7 +10,6 @@ exports.redis_host = '127.0.0.1:6379';
 let redis_client;
 
 exports.lookup = function (lookup, zone, cb) {
-    const self = this;
 
     if (!lookup || !zone) {
         return setImmediate(() => cb(new Error('missing data')));
@@ -33,26 +32,32 @@ exports.lookup = function (lookup, zone, cb) {
 
     // Build the query, adding the root dot if missing
     let query = [lookup, zone].join('.');
-    if (query[query.length - 1] !== '.') {
+    if (!query.endsWith('.')) {
         query += '.';
     }
     this.logdebug(`looking up: ${query}`);
     // IS: IPv6 compatible (maybe; only if BL return IPv4 answers)
     dns.resolve(query, 'A', (err, a) => {
-        self.stats_incr_zone(err, zone, start);  // Statistics
+        this.stats_incr_zone(err, zone, start);  // Statistics
 
         // Check for a result of 127.0.0.1 or outside 127/8
         // This should *never* happen on a proper DNS list
-        if (a && ((!self.lookback_is_rejected && a.includes('127.0.0.1')) ||
+        if (a && ((!this.lookback_is_rejected && a.includes('127.0.0.1')) ||
                 a.find((rec) => { return rec.split('.')[0] !== '127' }))
         ) {
-            self.disable_zone(zone, a);
+            this.disable_zone(zone, a);
+            return cb(err, null);  // Return a null A record
+        }
+
+        // <https://www.spamhaus.org/news/article/807/using-our-public-mirrors-check-your-return-codes-now>
+        if (a?.includes('127.255.255.')) {
+            this.disable_zone(zone, a);
             return cb(err, null);  // Return a null A record
         }
 
         if (err) {
             if (err.code === dns.TIMEOUT) {         // list timed out
-                self.disable_zone(zone, err.code); // disable it
+                this.disable_zone(zone, err.code); // disable it
             }
             if (err.code === dns.NOTFOUND) {  // unlisted
                 return cb(null, a);          // not an error for a DNSBL
@@ -63,38 +68,37 @@ exports.lookup = function (lookup, zone, cb) {
 }
 
 exports.stats_incr_zone = function (err, zone, start) {
-    const plugin = this;
-    if (!plugin.enable_stats) return;
+    if (!this.enable_stats) return;
 
     const rkey = `dns-list-stat:${zone}`;
     const elapsed = new Date().getTime() - start;
-    redis_client.hincrby(rkey, 'TOTAL', 1);
+    redis_client.hIncrBy(rkey, 'TOTAL', 1);
     const foo = (err) ? err.code : 'LISTED';
-    redis_client.hincrby(rkey, foo, 1);
-    redis_client.hget(rkey, 'AVG_RT', (err2, rt) => {
-        if (err2) return;
+    redis_client.hIncrBy(rkey, foo, 1);
+    redis_client.hGet(rkey, 'AVG_RT').then(rt => {
         const avg = parseInt(rt) ? (parseInt(elapsed) + parseInt(rt))/2
             : parseInt(elapsed);
-        redis_client.hset(rkey, 'AVG_RT', avg);
+        redis_client.hSet(rkey, 'AVG_RT', avg);
     });
 }
 
 exports.init_redis = function () {
-    const plugin = this;
     if (redis_client) { return; }
 
     const redis = require('redis');
-    const host_port = plugin.redis_host.split(':');
+    const host_port = this.redis_host.split(':');
     const host = host_port[0] || '127.0.0.1';
     const port = parseInt(host_port[1], 10) || 6379;
 
     redis_client = redis.createClient(port, host);
-    redis_client.on('error', err => {
-        plugin.logerror(`Redis error: ${err}`);
-        redis_client.quit();
-        redis_client = null; // should force a reconnect
-        // not sure if that's the right thing but better than nothing...
-    });
+    redis_client.connect().then(() => {
+        redis_client.on('error', err => {
+            this.logerror(`Redis error: ${err}`);
+            redis_client.quit();
+            redis_client = null; // should force a reconnect
+            // not sure if that's the right thing but better than nothing...
+        })
+    })
 }
 
 exports.multi = function (lookup, zones, cb) {
@@ -108,9 +112,9 @@ exports.multi = function (lookup, zones, cb) {
         if (!self.enable_stats) return;
 
         // Statistics: check hit overlap
-        for (let i=0; i < listed.length; i++) {
-            const foo = (listed[i] === zone) ? 'TOTAL' : listed[i];
-            redis_client.hincrby(`dns-list-overlap:${zone}`, foo, 1);
+        for (const element of listed) {
+            const foo = (element === zone) ? 'TOTAL' : element;
+            redis_client.hIncrBy(`dns-list-overlap:${zone}`, foo, 1);
         }
     }
 
@@ -149,14 +153,13 @@ exports.first = function (lookup, zones, cb, cb_each) {
 }
 
 exports.check_zones = function (interval) {
-    const self = this;
     this.disable_allowed = true;
     if (interval) interval = parseInt(interval);
-    if ((this.zones && this.zones.length) ||
-        (this.disabled_zones && this.disabled_zones.length)) {
+    if ((this.zones?.length) ||
+        (this.disabled_zones?.length)) {
         let zones = [];
-        if (this.zones && this.zones.length) zones = zones.concat(this.zones);
-        if (this.disabled_zones && this.disabled_zones.length) {
+        if (this.zones?.length) zones = zones.concat(this.zones);
+        if (this.disabled_zones?.length) {
             zones = zones.concat(this.disabled_zones);
         }
 
@@ -165,20 +168,20 @@ exports.check_zones = function (interval) {
         this.multi('127.0.0.1', zones, (err, zone, a, pending) => {
             if (!zone) return;
 
-            if ((!self.lookback_is_rejected && a) || (err && err.code === 'ETIMEOUT')) {
-                return self.disable_zone(zone, ((a) ? a : err.code));
+            if ((!this.lookback_is_rejected && a) || (err && err.code === 'ETIMEOUT')) {
+                return this.disable_zone(zone, ((a) ? a : err.code));
             }
 
             // Try the test point
-            self.lookup('127.0.0.2', zone, (err2, a2) => {
+            this.lookup('127.0.0.2', zone, (err2, a2) => {
                 if (!a2) {
-                    self.logwarn(`zone '${zone}' did not respond to test point (${err2})`);
-                    return self.disable_zone(zone, a2);
+                    this.logwarn(`zone '${zone}' did not respond to test point (${err2})`);
+                    return this.disable_zone(zone, a2);
                 }
                 // Was this zone previously disabled?
-                if (!self.zones.includes(zone)) {
-                    self.loginfo(`re-enabling zone ${zone}`);
-                    self.zones.push(zone);
+                if (!this.zones.includes(zone)) {
+                    this.loginfo(`re-enabling zone ${zone}`);
+                    this.zones.push(zone);
                 }
             });
         });
@@ -187,16 +190,14 @@ exports.check_zones = function (interval) {
     if (interval && interval >= 5 && !this._interval) {
         this.logdebug(`will re-test list zones every ${interval} minutes`);
         this._interval = setInterval(() => {
-            self.check_zones();
+            this.check_zones();
         }, (interval * 60) * 1000);
     }
 }
 
 exports.shutdown = function () {
     clearInterval(this._interval);
-    if (redis_client) {
-        redis_client.quit();
-    }
+    if (redis_client) redis_client.quit();
 }
 
 exports.disable_zone = function (zone, result) {
@@ -209,7 +210,7 @@ exports.disable_zone = function (zone, result) {
     if (idx === -1) return false;  // not enabled
 
     this.zones.splice(idx, 1);
-    if (!(this.disabled_zones && this.disabled_zones.length)) {
+    if (!(this.disabled_zones?.length)) {
         this.disabled_zones = [];
     }
     if (!this.disabled_zones.includes(zone)) {