Haraka 3.0.1 → 3.0.3

package/docs/plugins/auth/flat_file.md

@@ -1,47 +1,40 @@
-auth/flat\_file
-==============
+# auth/flat\_file
 
-The `auth/flat_file` plugin allows you to create a file containing username
-and password combinations, and have relaying users authenticate from that
-file.
+The `auth/flat_file` plugin allows you to create a file containing username and password combinations, and have relaying users authenticate from that file.
 
-Note that passwords are stored in clear-text, so this may not be a great idea
-for large scale systems. However the plugin would be a good start for someone
-looking to implement authentication using some other form of auth.
+Note that passwords are stored in clear-text, so this may not be a great idea for large scale systems. However the plugin would be a good start for someone looking to implement authentication using some other form of auth.
 
-**Security** - it is recommended to switch to [auth-encfile][url-authencflat]
-to protect your user credentials.
+**Security** - it is recommended to switch to [auth-encfile][url-authencflat] to protect your user credentials.
 
-**IMPORANT NOTE** - this plugin requires that STARTTLS be used via the tls plugin 
-before it will advertise AUTH capabilities by the EHLO command.  This is to 
-improve security out-of-the-box.   Localhost and any IP in RFC1918 ranges 
-are automatically exempt from this rule.
+**IMPORANT NOTE** - this plugin requires that STARTTLS be used via the tls plugin before it will advertise AUTH capabilities by the EHLO command.  Localhost and IPs in RFC1918 ranges 
+are exempt from this rule.
 
-Configuration
--------------
+## Configuration
 
-Configuration is stored in `config/auth_flat_file.ini` and uses the INI
-style formatting. 
+Configuration is stored in `config/auth_flat_file.ini`.
 
-Authentication methods are listed in the `[core]` section under `methods`
-parameter. Lists of authentification methods are comma separated. Currently
-supported methods are: `CRAM-MD5`, `PLAIN` and `LOGIN`. The `PLAIN` 
-and `LOGIN` methods are not secure. That is why TLS is required before AUTH is
-offered.
+* [core]methods
 
-Example:
+Authentication methods are listed in the `[core]methods` parameter. Authentification methods are comma separated. Currently supported methods are: `CRAM-MD5`, `PLAIN` and `LOGIN`. The `PLAIN` and `LOGIN` methods are insecure and require TLS to be enabled.
+
+* [core]constrain_sender: (default: true). For outbound messages (due to successful AUTH), constrain the envelope sender (MAIL FROM) to the same domain as the authenticated user. This setting, combined with `rate_rcpt_sender` in the [limit](https://github.com/haraka/haraka-plugin-limit) plugin can dramatically reduce the amount of backscatter and spam sent when an email account is compromised.
 
-    [core]
-    methods=PLAIN,LOGIN,CRAM-MD5
+Example:
 
+```ini
+[core]
+methods=PLAIN,LOGIN,CRAM-MD5
+constrain_sender=true
+```
 
 Users are stored in the `[users]` section.
 
 Example:
 
-    [users]
-    user1=password1
-    user@domain.com=password2
-
+```ini
+[users]
+user1=password1
+user@domain.com=password2
+```
 
 [url-authencflat]: https://github.com/AuspeXeu/haraka-plugin-auth-enc-file

package/docs/plugins/clamd.md

@@ -133,7 +133,7 @@ meeting following criteria.
   via regexp by enclosing the pattern in //.
 
   To negate a match (e.g. reject if it matches), prefix the match with !.
-  Negative matches are always tested fist.
+  Negative matches are always tested first.
 
   Example:
 

package/docs/plugins/queue/rabbitmq_amqplib.md

@@ -36,5 +36,12 @@ Configuration
 		durable = true
 		autoDelete = false
 
+        ; Optional queue arguments
+		; More information about x-arguments can be found at https://www.rabbitmq.com/queues.html#optional-arguments
+        [queue_args]
+        x-dead-letter-exchange =
+        x-dead-letter-routing-key = emails_dlq
+        x-overflow = reject-publish
+        x-queue-type = quorum
     
  More information about RabbitMQ can be found at https://www.rabbitmq.com/

package/docs/plugins/queue/smtp_forward.md

@@ -1,27 +1,18 @@
-queue/smtp\_forward
+# queue/smtp\_forward
 ==================
 
-This plugin delivers to another mail server. This is a common setup when you
-want to have a mail server with a solid pedigree of outbound delivery to
-other hosts, and inbound delivery to users.
+This plugin delivers to another mail server. This is a common setup when you want to have a mail server with a solid pedigree of outbound delivery to other hosts, and inbound delivery to users.
 
-In comparison to `queue/smtp_proxy`, this plugin waits until queue time to
-attempt the ongoing connection. This can be a benefit in reducing connections
-to your inbound mail server when you have content filtering (such as
-spamassassin) enabled. A possible downside is that it also delays recipient
-validation that the ongoing mail server may provide until queue time.
+In comparison to `queue/smtp_proxy`, this plugin waits until queue time to attempt the ongoing connection. This can be a benefit in reducing connections to your inbound mail server when you have content filtering (such as spamassassin) enabled. A possible downside is that it also delays recipient validation that the ongoing mail server may provide until queue time.
 
-Configuration
+## Configuration
 -------------
 
-* smtp\_forward.ini
-
-  Configuration is stored in this file in the following keys:
+Configuration is stored in smtp\_forward.ini in the following keys:
 
   * enable\_outbound=[true]
 
-    SMTP forward outbound messages (set to false to enable Haraka's separate
-    Outbound mail routing (MX based delivery)).
+    SMTP forward outbound messages (set to false to enable Haraka's separate Outbound mail routing (MX based delivery)).
 
   * host=HOST
 
@@ -33,14 +24,11 @@ Configuration
 
   * connect\_timeout=SECONDS
 
-    The maximum amount of time to wait when creating a new connection
-    to the host.  Default: 30 seconds.
+    The maximum amount of time to wait when creating a new connection to the host.  Default: 30 seconds.
 
   * timeout=SECONDS
 
-    The amount of seconds to let a backend connection live idle in the
-    connection pool.  This should always be less than the global plugin
-    timeout, which should in turn be less than the connection timeout.
+    The amount of seconds to let a backend connection live idle in the connection pool.  This should always be less than the global plugin timeout, which should in turn be less than the connection timeout.
 
   * max\_connections=NUMBER
 
@@ -48,12 +36,9 @@ Configuration
 
   * enable\_tls=[true]
 
-    Enable TLS with the forward host (if supported). TLS uses options
-    from the tls plugin. If key and cert are provided in the the outbound section of the tls plugin,
-    that certificate will be used as a TLS Client Certificate.
+    Enable TLS with the forward host (if supported). TLS uses options from the tls plugin. If key and cert are provided in the the outbound section of the tls plugin, that certificate will be used as a TLS Client Certificate.
 
-    This option controls the use of TLS via `STARTTLS`. This plugin does not work with
-    SMTP over TLS.
+    This option controls the use of TLS via `STARTTLS`. This plugin does not work with SMTP over TLS.
 
   * auth\_type=[plain\|login]
 
@@ -69,9 +54,7 @@ Configuration
 
   * queue
 
-    Which queue plugin to use. Default: undefined. The default bahavior is to
-    use smtp_forward for inbound connections and outbound for relaying
-    connections. This option is used for complex mail routes.
+    Which queue plugin to use. Default: undefined. The default bahavior is to use smtp_forward for inbound connections and outbound for relaying connections. This option is used for complex mail routes.
 
   * check_sender=false
 
@@ -86,18 +69,13 @@ Configuration
 
 # Per-Domain Configuration
 
-More specific forward routes for domains can be defined. The domain is
-chosen based on the value of the `domain_selector` config variable.
+More specific forward routes for domains can be defined. The domain is chosen based on the value of the `domain_selector` config variable.
 
-When `domain_selector` is set to `rcpt_to` (the default), more specific
-routes are only honored for SMTP connections with a single recipient or SMTP
-connections where every recipient host is identical.
+When `domain_selector` is set to `rcpt_to` (the default), more specific routes are only honored for SMTP connections with a single recipient or SMTP connections where every recipient host is identical.
 
-When `domain_selector` is set to `mail_from`, the domain of the MAIL FROM
-address is used.
+When `domain_selector` is set to `mail_from`, the domain of the MAIL FROM address is used.
 
-enable\_outbound can be set or unset on a per-domain level to enable or disable
-forwarding for specific domains.
+enable\_outbound can be set or unset on a per-domain level to enable or disable forwarding for specific domains.
 
     # default SMTP host
     host=1.2.3.4
@@ -122,4 +100,4 @@ forwarding for specific domains.
 
 # Split host forward routing
 
-When an incoming email transaction has multiple recipients with different forward routes,  recipients to subsequent forward routes are deferred. Example: an incoming email transaction has recipients user@example1.com, user@example2.com, and user@example3.com. The first two recipients will be accepted (they share the same forward destination) and the latter will be deferred. It will arrive in a future delivery attempt by the remote.
+When an incoming email transaction has multiple recipients with different forward routes, recipients to subsequent forward routes are deferred. Example: an incoming email transaction has recipients user@example1.com, user@example2.com, and user@example3.com. The first two recipients will be accepted (they share the same forward destination) and the latter will be deferred. It will arrive in a future delivery attempt by the remote.

package/docs/plugins/queue/smtp_proxy.md

@@ -1,4 +1,4 @@
-queue/smtp\_proxy
+# queue/smtp\_proxy
 ================
 
 This plugin delivers to another mail server. This is a common setup when you
@@ -12,14 +12,12 @@ particular one important facility to some setups is recipient filtering.
 However be aware that other than connect and HELO-time filtering, you will
 have as many connections to your ongoing SMTP server as you have to Haraka.
 
-Configuration
+## Configuration
 -------------
 
-* smtp\_proxy.ini
-  
-  Configuration is stored in this file in the following keys:
+Configuration is stored in smtp\_proxy.ini in the following keys:
 
-    * enable\_outbound=[true]
+  * enable\_outbound=[true]
 
     SMTP proxy outbound messages (set to false to enable Haraka's
     separate Outbound mail routing (MX based delivery)).
@@ -27,9 +25,9 @@ Configuration
   * host=HOST
     
     The host to connect to.
-    
+
   * port=PORT
-    
+
     The port to connect to.
 
   * connect\_timeout=SECONDS
@@ -38,17 +36,17 @@ Configuration
     to the host.  Default if unspecified is 30 seconds.
 
   * timeout=SECONDS
-    
+
     The amount of seconds to let a backend connection live idle in the
     proxy pool.  This should always be less than the global plugin timeout,
     which should in turn be less than the connection timeout.
 
   * max\_connections=NUMBER
-    
+
     Maximum number of connections to create at any given time.
 
   * enable\_tls=[true|yes|1]
- 
+
     Enable TLS with the forward host (if supported). TLS uses options from
     the tls plugin.
 

package/docs/plugins/relay.md

@@ -8,7 +8,7 @@ This **relay** plugin provides Haraka with options for managing relay permission
 
 ## Authentication
 
-One way to enable relaying is [authentication](http://haraka.github.io/manual.html) via the auth plugins. Successful authentication enables relaying during _that_ SMTP connection. To securely offer SMTP AUTH, the [tls](http://haraka.github.io/manual/plugins/tls.html) plugin and at least one auth plugin must be enabled and properly configured. When that requirement is met, the AUTH SMTP extension will be advertised to SMTP clients.
+One way to enable relaying is authentication via the [auth plugins](http://haraka.github.io/plugins). Successful authentication enables relaying during _that_ SMTP connection. To securely offer SMTP AUTH, the [tls](http://haraka.github.io/plugins/tls) plugin and at least one auth plugin must be enabled and properly configured. When that requirement is met, the AUTH SMTP extension will be advertised to SMTP clients.
 
     % nc mail.example.com 587
     220 mail.example.com ESMTP Haraka 2.4.0 ready
@@ -118,7 +118,7 @@ Example:
     [domains]
     test.com = { "action": "accept" }
 
-I think of *accept* as the equivalent of qmail's *rcpthosts*, or a misplaced Haraka `rcpt_to.*` plugin. The *accept* mechanism is another way to tell Haraka that a particular domain is one we accept mail for. The difference between this and the [rcpt_to.in_host_list](http://haraka.github.io/manual/plugins/rcpt_to.in_host_list.html) plugin is that this one also enables relaying.
+Think of *accept* as the equivalent of qmail's *rcpthosts*, or a misplaced Haraka `rcpt_to.*` plugin. The *accept* mechanism is another way to tell Haraka that a particular domain is one we accept mail for. The difference between this and the [rcpt_to.in_host_list](http://haraka.github.io/plugins/rcpt_to.in_host_list) plugin is that this one also enables relaying.
 
     * continue (mails are subject to further checks)
 

package/outbound/hmail.js

@@ -103,7 +103,7 @@ class HMailItem extends events.EventEmitter {
 
             this._stream_bytes_from(this.path, {start: 4, end: todo_len + 3}, (err2, todo_bytes) => {
                 if (todo_bytes.length !== todo_len) {
-                    const wrongLength = `Didn't find right amount of data in todo!: ${err2}`;
+                    const wrongLength = `Didn't find right amount of data in todo!: ${err2} ${this.path}`;
                     this.logcrit(wrongLength);
                     fs.rename(this.path, path.join(queue_dir, `error.${this.filename}`), (err3) => {
                         if (err3) {
@@ -1062,7 +1062,7 @@ class HMailItem extends events.EventEmitter {
             "\r": '#10',
             "\n": '#13'
         };
-        const escape_pattern = new RegExp(`[${Object.keys(escaped_chars).join()}]`, 'g');
+        const escape_pattern = new RegExp(`[${Object.keys(escaped_chars).join('')}]`, 'g');
 
         bounce_msg_html_.forEach(line => {
             line = line.replace(/\{(\w+)\}/g, (i, word) => {

package/outbound/queue.js

@@ -103,6 +103,11 @@ exports.read_parts = file => {
         return false;
     }
 
+    if (file.startsWith('error.')) {
+        logger.logwarn(`[outbound] 'Skipping' error file in queue folder: ${file}`);
+        return false;
+    }
+
     const parts = _qfile.parts(file);
     if (!parts) {
         logger.logerror(`[outbound] Unrecognized file in queue folder: ${file}`);

package/outbound/tls.js

@@ -95,7 +95,7 @@ class OutboundTLS {
 
         logger.lognotice(this, `TLS connection failed. Marking ${host} as non-TLS for ${expiry} seconds`);
 
-        this.db.setex(dbkey, expiry, (new Date()).toISOString())
+        this.db.setEx(dbkey, expiry, (new Date()).toISOString())
             .then(cb)
             .catch(err => {
                 logger.logerror(this, `Redis returned error: ${err}`);

package/package.json

@@ -9,7 +9,7 @@
     "server",
     "email"
   ],
-  "version": "3.0.1",
+  "version": "3.0.3",
   "homepage": "http://haraka.github.io",
   "repository": {
     "type": "git",
@@ -20,28 +20,28 @@
     "node": ">=16"
   },
   "dependencies": {
-    "address-rfc2821": "^2.0.1",
+    "address-rfc2821": "^2.1.1",
     "address-rfc2822": "^2.1.0",
-    "async": "^3.2.4",
+    "async": "^3.2.5",
     "daemon": "~1.1.0",
-    "ipaddr.js": "~2.0.1",
-    "node-gyp": "^9.3.1",
-    "nopt": "~7.0.0",
+    "ipaddr.js": "~2.1.0",
+    "node-gyp": "^10.0.1",
+    "nopt": "~7.2.0",
     "npid": "~0.4.0",
-    "semver": "~7.3.8",
-    "sprintf-js": "~1.1.2",
+    "semver": "~7.6.0",
+    "sprintf-js": "~1.1.3",
     "haraka-config": "^1.1.0",
     "haraka-constants": "^1.0.6",
     "haraka-dsn": "^1.0.4",
     "haraka-email-message": "^1.2.0",
     "haraka-message-stream": "^1.2.0",
-    "haraka-net-utils": "^1.5.0",
+    "haraka-net-utils": "^1.5.3",
     "haraka-notes": "^1.0.6",
     "haraka-plugin-attachment": "^1.0.7",
-    "haraka-plugin-spf": "1.2.0",
-    "haraka-plugin-redis": "^2.0.5",
-    "haraka-results": "^2.2.2",
-    "haraka-tld": "^1.1.0",
+    "haraka-plugin-spf": "1.2.4",
+    "haraka-plugin-redis": "^2.0.6",
+    "haraka-results": "^2.2.3",
+    "haraka-tld": "^1.2.0",
     "haraka-utils": "^1.0.3",
     "openssl-wrapper": "^0.3.4",
     "sockaddr": "^1.0.1"
@@ -49,36 +49,36 @@
   "optionalDependencies": {
     "haraka-plugin-access": "^1.1.5",
     "haraka-plugin-aliases": "^1.0.1",
-    "haraka-plugin-asn": "^2.0.1",
-    "haraka-plugin-auth-ldap": "^1.0.2",
-    "haraka-plugin-dcc": "^1.0.1",
-    "haraka-plugin-elasticsearch": "^1.0.6",
+    "haraka-plugin-asn": "^2.0.2",
+    "haraka-plugin-auth-ldap": "^1.1.0",
+    "haraka-plugin-dcc": "^1.0.2",
+    "haraka-plugin-elasticsearch": "^8.0.2",
     "haraka-plugin-fcrdns": "^1.1.0",
     "haraka-plugin-graph": "^1.0.5",
     "haraka-plugin-geoip": "^1.0.17",
     "haraka-plugin-headers": "^1.0.3",
-    "haraka-plugin-karma": "^2.1.0",
-    "haraka-plugin-limit": "^1.1.0",
+    "haraka-plugin-karma": "^2.1.2",
+    "haraka-plugin-limit": "^1.1.1",
     "haraka-plugin-p0f": "^1.0.9",
-    "haraka-plugin-qmail-deliverable": "^1.1.1",
-    "haraka-plugin-known-senders": "^1.0.8",
-    "haraka-plugin-rcpt-ldap": "^1.0.0",
-    "haraka-plugin-recipient-routes": "^1.0.4",
-    "haraka-plugin-rspamd": "^1.2.0",
-    "haraka-plugin-syslog": "^1.0.3",
-    "haraka-plugin-uribl": "^1.0.6",
+    "haraka-plugin-qmail-deliverable": "^1.2.1",
+    "haraka-plugin-known-senders": "^1.0.9",
+    "haraka-plugin-rcpt-ldap": "^1.1.0",
+    "haraka-plugin-recipient-routes": "^1.2.0",
+    "haraka-plugin-rspamd": "^1.3.1",
+    "haraka-plugin-syslog": "^1.0.5",
+    "haraka-plugin-uribl": "^1.0.8",
     "haraka-plugin-watch": "^2.0.2",
     "ocsp": "~1.2.0",
-    "redis": "~4.5.1",
+    "redis": "~4.6.11",
     "tmp": "~0.2.1"
   },
   "devDependencies": {
-    "nodeunit-x": "^0.15.0",
-    "haraka-test-fixtures": "^1.2.1",
+    "nodeunit-x": "^0.16.0",
+    "haraka-test-fixtures": "^1.3.3",
     "mock-require": "^3.0.3",
-    "eslint": "^8.27.0",
+    "eslint": "^8.56.0",
     "eslint-plugin-haraka": "^1.0.15",
-    "nodemailer": "^6.7.7"
+    "nodemailer": "^6.9.9"
   },
   "bugs": {
     "mail": "haraka.mail@gmail.com",

package/plugins/auth/auth_base.js

@@ -5,7 +5,10 @@
 // Note: You can disable setting `connection.notes.auth_passwd` by `plugin.blankout_password = true`
 
 const crypto = require('crypto');
-const utils = require('haraka-utils');
+
+const tlds   = require('haraka-tld')
+const utils  = require('haraka-utils');
+
 const AUTH_COMMAND = 'AUTH';
 const AUTH_METHOD_CRAM_MD5 = 'CRAM-MD5';
 const AUTH_METHOD_PLAIN = 'PLAIN';
@@ -15,7 +18,7 @@ const LOGIN_STRING2 = 'UGFzc3dvcmQ6'; //Password: base64 coded
 
 exports.hook_capabilities = (next, connection) => {
     // Don't offer AUTH capabilities unless session is encrypted
-    if (!connection.tls.enabled) { return next(); }
+    if (!connection.tls.enabled) return next();
 
     const methods = [ 'PLAIN', 'LOGIN', 'CRAM-MD5' ];
     connection.capabilities.push(`AUTH ${methods.join(' ')}`);
@@ -47,9 +50,7 @@ exports.hook_unrecognized_command = function (next, connection, params) {
 
 exports.check_plain_passwd = function (connection, user, passwd, cb) {
     function callback (plain_pw) {
-        if (plain_pw === null  ) return cb(false);
-        if (plain_pw !== passwd) return cb(false);
-        cb(true);
+        cb(plain_pw === null ? false : plain_pw === passwd);
     }
     if (this.get_plain_passwd.length == 2) {
         this.get_plain_passwd(user, callback);
@@ -71,7 +72,7 @@ exports.check_cram_md5_passwd = function (connection, user, passwd, cb) {
 
         if (hmac.digest('hex') === passwd) return cb(true);
 
-        return cb(false);
+        cb(false);
     }
     if (this.get_plain_passwd.length == 2) {
         this.get_plain_passwd(user, callback);
@@ -117,7 +118,7 @@ exports.check_user = function (next, connection, credentials, method) {
                 connection.auth_results(`auth=pass (${method.toLowerCase()})`);
                 connection.notes.auth_user = credentials[0];
                 if (!plugin.blankout_password) connection.notes.auth_passwd = credentials[1];
-                return next(OK);
+                next(OK);
             });
             return;
         }
@@ -125,9 +126,7 @@ exports.check_user = function (next, connection, credentials, method) {
         if (!connection.notes.auth_fails) connection.notes.auth_fails = 0;
 
         connection.notes.auth_fails++;
-        connection.results.add({name: 'auth'}, {
-            fail:`${plugin.name}/${method}`,
-        });
+        connection.results.add({name: 'auth'}, { fail:`${plugin.name}/${method}` });
 
         let delay = Math.pow(2, connection.notes.auth_fails - 1);
         if (plugin.timeout && delay >= plugin.timeout) {
@@ -230,7 +229,7 @@ exports.auth_cram_md5 = function (next, connection, params) {
         return this.check_user(next, connection, credentials, AUTH_METHOD_CRAM_MD5);
     }
 
-    const ticket = `<${this.hexi(Math.floor(Math.random() * 1000000))}. ${this.hexi(Date.now())}@${connection.local.host}>`;
+    const ticket = `<${this.hexi(Math.floor(Math.random() * 1000000))}.${this.hexi(Date.now())}@${connection.local.host}>`;
 
     connection.loginfo(this, `ticket: ${ticket}`);
     connection.respond(334, utils.base64(ticket), () => {
@@ -240,3 +239,20 @@ exports.auth_cram_md5 = function (next, connection, params) {
 }
 
 exports.hexi = number => String(Math.abs(parseInt(number)).toString(16))
+
+exports.constrain_sender = function (next, connection, params) {
+    const au = connection.results.get('auth')?.user
+    if (!au) return next()
+
+    const ad = /@/.test(au) ? au.split('@').pop() : au
+    const ed = params[0].host
+
+    if (!ad || !ed) return next()
+
+    const auth_od = tlds.get_organizational_domain(ad)
+    const envelope_od = tlds.get_organizational_domain(ed)
+
+    if (auth_od === envelope_od) return next()
+
+    next(DENY, `Envelope domain '${envelope_od}' doesn't match AUTH domain '${auth_od}'`)
+}

package/plugins/auth/auth_vpopmaild.js

@@ -4,25 +4,36 @@ const net    = require('net');
 
 exports.register = function () {
     this.inherits('auth/auth_base');
-    this.load_vpop_ini();
+    this.blankout_password=true
+
+    this.load_vpopmaild_ini();
+
+    if (this.cfg.main.constrain_sender) {
+        this.register_hook('mail', 'constrain_sender')
+    }
 }
 
-exports.load_vpop_ini = function () {
-    this.cfg = this.config.get('auth_vpopmaild.ini', () => {
-        this.load_vpop_ini();
+exports.load_vpopmaild_ini = function () {
+    this.cfg = this.config.get('auth_vpopmaild.ini', {
+        booleans: [
+            '+main.constrain_sender',
+        ]
+    },
+    () => {
+        this.load_vpopmaild_ini();
     });
 }
 
 exports.hook_capabilities = function (next, connection) {
-    if (!connection.tls.enabled) { return next(); }
+    if (!connection.tls.enabled) return next();
 
     const methods = [ 'PLAIN', 'LOGIN' ];
-    if (this.cfg.main.sysadmin) { methods.push('CRAM-MD5'); }
+    if (this.cfg.main.sysadmin) methods.push('CRAM-MD5');
 
     connection.capabilities.push(`AUTH ${methods.join(' ')}`);
     connection.notes.allowed_auth_methods = methods;
 
-    return next();
+    next();
 }
 
 exports.check_plain_passwd = function (connection, user, passwd, cb) {
@@ -49,11 +60,12 @@ exports.check_plain_passwd = function (connection, user, passwd, cb) {
             }
             socket.end();             // disconnect
         }
-    });
+    })
+
     socket.on('end', () => {
         connection.loginfo(this, `AUTH user="${user}" success=${auth_success}`);
-        return cb(auth_success);
-    });
+        cb(auth_success);
+    })
 }
 
 exports.get_sock_opts = function (user) {
@@ -66,13 +78,11 @@ exports.get_sock_opts = function (user) {
 
     const domain = (user.split('@'))[1];
     let sect = this.cfg.main;
-    if (domain && this.cfg[domain]) {
-        sect = this.cfg[domain];
-    }
+    if (domain && this.cfg[domain]) sect = this.cfg[domain];
 
-    if (sect.port)     { this.sock_opts.port     = sect.port;     }
-    if (sect.host)     { this.sock_opts.host     = sect.host;     }
-    if (sect.sysadmin) { this.sock_opts.sysadmin = sect.sysadmin; }
+    if (sect.port)     this.sock_opts.port     = sect.port;
+    if (sect.host)     this.sock_opts.host     = sect.host;
+    if (sect.sysadmin) this.sock_opts.sysadmin = sect.sysadmin;
 
     this.logdebug(`sock: ${this.sock_opts.host}:${this.sock_opts.port}`);
     return this.sock_opts;
@@ -89,14 +99,14 @@ exports.get_vpopmaild_socket = function (user) {
     socket.on('timeout', () => {
         this.logerror("vpopmaild connection timed out");
         socket.end();
-    });
+    })
     socket.on('error', err => {
         this.logerror(`vpopmaild connection failed: ${err}`);
         socket.end();
-    });
+    })
     socket.on('connect', () => {
         this.logdebug('vpopmail connected');
-    });
+    })
     return socket;
 }
 

package/plugins/auth/flat_file.js

@@ -3,26 +3,32 @@
 exports.register = function () {
     this.inherits('auth/auth_base');
     this.load_flat_ini();
+
+    if (this.cfg.core.constrain_sender) {
+        this.register_hook('mail', 'constrain_sender')
+    }
 }
 
 exports.load_flat_ini = function () {
-    this.cfg = this.config.get('auth_flat_file.ini', () => {
+    this.cfg = this.config.get('auth_flat_file.ini', {
+        booleans: [
+            '+core.constrain_sender',
+        ]
+    },
+    () => {
         this.load_flat_ini();
     });
+
+    if (this.cfg.users === undefined) this.cfg.users = {}
 }
 
 exports.hook_capabilities = function (next, connection) {
-    // don't allow AUTH unless private IP or encrypted
     if (!connection.remote.is_private && !connection.tls.enabled) {
-        connection.logdebug(this,
-            "Auth disabled for insecure public connection");
+        connection.logdebug(this, "Auth disabled for insecure public connection");
         return next();
     }
 
-    let methods = null;
-    if (this.cfg.core?.methods ) {
-        methods = this.cfg.core.methods.split(',');
-    }
+    const methods = this.cfg.core?.methods ? this.cfg.core.methods.split(',') : null
     if (methods && methods.length > 0) {
         connection.capabilities.push(`AUTH ${methods.join(' ')}`);
         connection.notes.allowed_auth_methods = methods;
@@ -31,8 +37,7 @@ exports.hook_capabilities = function (next, connection) {
 }
 
 exports.get_plain_passwd = function (user, connection, cb) {
-    if (this.cfg.users[user]) {
-        return cb(this.cfg.users[user].toString());
-    }
-    return cb();
+    if (this.cfg.users[user]) return cb(this.cfg.users[user].toString());
+
+    cb();
 }