Haraka 3.0.1 → 3.0.3

package/plugins/clamd.js

@@ -269,6 +269,7 @@ exports.hook_data_post = function (next, connection) {
                 if (virus && plugin.rejectRE &&       // enabled
                     plugin.allRE.test(virus) &&       // has a reject option
                     !plugin.rejectRE.test(virus)) {   // reject=false set
+                    txn.add_header('X-Haraka-Virus', virus);
                     return next();
                 }
                 if (!plugin.cfg.reject.virus) { return next(); }

package/plugins/dns_list_base.js

@@ -126,7 +126,7 @@ exports.multi = function (lookup, zones, cb) {
             }
             cb(err, zone, a, true);
             done();
-        });
+        })
     }
     function zonesDone (err) {
         cb(err, null, null, false);
@@ -148,8 +148,8 @@ exports.first = function (lookup, zones, cb, cb_each) {
 
         // has pending queries OR this one is a positive result
         ran_cb = true;
-        return cb(err, zone, a);
-    });
+        cb(err, zone, a);
+    })
 }
 
 exports.check_zones = function (interval) {

package/plugins/helo.checks.js

@@ -11,7 +11,6 @@ const checks = [
     'bare_ip',            // HELO is bare IP (vs required Address Literal)
     'dynamic',            // HELO hostname looks dynamic (dsl|dialup|etc...)
     'big_company',        // Well known HELOs that must match rdns
-    'literal_mismatch',   // IP literal that doesn't match remote IP
     'valid_hostname',     // HELO hostname is a legal DNS name
     'rdns_match',         // HELO hostname matches rDNS
     'forward_dns',        // HELO hostname resolves to the connecting IP
@@ -31,7 +30,7 @@ exports.register = function () {
     this.register_hook('helo', 'init');
     this.register_hook('ehlo', 'init');
 
-    for (const c in checks) {
+    for (const c of checks) {
         if (!this.cfg.check[c]) continue; // disabled in config
         this.register_hook('helo', c);
         this.register_hook('ehlo', c);
@@ -41,6 +40,13 @@ exports.register = function () {
     this.register_hook('helo', 'emit_log');
     this.register_hook('ehlo', 'emit_log');
 
+    // IP literal that doesn't match remote IP
+    this.register_hook('helo', 'literal_mismatch');
+    this.register_hook('ehlo', 'literal_mismatch');
+
+    this.cfg.check.literal_mismatch = this.cfg.check.literal_mismatch ?? 2;
+    this.cfg.reject.literal_mismatch = this.cfg.reject.literal_mismatch ?? false;
+
     if (this.cfg.check.match_re) {
         const load_re_file = () => {
             const regex_list = utils.valid_regexes(this.config.get('helo.checks.regexps', 'list', load_re_file));
@@ -95,17 +101,19 @@ exports.load_helo_checks_ini = function () {
 }
 
 exports.init = function (next, connection, helo) {
-
-    const hc = connection.results.get('helo.checks');
-    if (!hc) {     // first HELO result
+    if (!connection.results.has('helo.checks', 'helo_host', helo)) {
         connection.results.add(this, {helo_host: helo});
-        return next();
     }
 
     next();
 }
 
 exports.should_skip = function (connection, test_name) {
+    if (connection.results.has('helo.checks', '_skip_hooks', test_name)) {
+        this.logdebug(connection, `SKIPPING: ${test_name}`);
+        return true;
+    }
+    connection.results.push(this, {_skip_hooks: test_name});
 
     if (this.cfg.skip.relaying && connection.relaying) {
         connection.results.add(this, {skip: `${test_name}(relay)`});
@@ -491,7 +499,7 @@ exports.get_a_records = async function (host) {
         err.code = dns.TIMEOUT;
         this.logerror(err);
         throw err;
-    }, (this.cfg.main.dns_timeout || 30) * 1000);
+    }, (this.cfg.main.dns_timeout || 28) * 1000);
 
     // fully qualify, to ignore any search options in /etc/resolv.conf
     if (!/\.$/.test(host)) host = `${host}.`;

package/plugins/queue/rabbitmq_amqplib.js

@@ -58,7 +58,7 @@ exports.init_amqp_connection = function () {
                     return conn.close();
                 }
                 ch.assertQueue(queueName,
-                    {durable, autoDelete},
+                    {durable, autoDelete, arguments: this.config.get("rabbitmq.ini").queue_args},
                     (err4, ok2) => {
                         if (err4) {
                             this.logerror(`Error asserting rabbitmq queue: ${err4}`);

package/plugins/queue/smtp_forward.js

@@ -26,10 +26,12 @@ exports.register = function () {
     this.register_hook('queue', 'queue_forward');
 
     if (this.cfg.main.enable_outbound) {
+        // deliver local message via smtp forward when relaying=true
         this.register_hook('queue_outbound', 'queue_forward');
     }
 
-    this.register_hook('get_mx', 'get_mx'); // for relaying outbound messages
+    // may specify more specific [per-domain] outbound routes
+    this.register_hook('get_mx', 'get_mx');
 }
 
 exports.load_smtp_forward_ini = function () {
@@ -75,7 +77,7 @@ exports.is_outbound_enabled = function (dom_cfg) {
     if ('enable_outbound' in dom_cfg) return dom_cfg.enable_outbound; // per-domain flag
 
     return this.cfg.main.enable_outbound; // follow the global configuration
-};
+}
 
 exports.check_sender = function (next, connection, params) {
     const txn = connection?.transaction;
@@ -99,7 +101,7 @@ exports.check_sender = function (next, connection, params) {
     }
 
     txn.results.add(this, {pass: 'mail_from'});
-    return next();
+    next();
 }
 
 exports.set_queue = function (connection, queue_wanted, domain) {
@@ -110,7 +112,6 @@ exports.set_queue = function (connection, queue_wanted, domain) {
     if (!queue_wanted) queue_wanted = dom_cfg.queue || this.cfg.main.queue;
     if (!queue_wanted) return true;
 
-
     let dst_host = dom_cfg.host || this.cfg.main.host;
     if (dst_host) dst_host = `smtp://${dst_host}`;
 
@@ -164,7 +165,7 @@ exports.check_recipient = function (next, connection, params) {
     // the MAIL FROM domain is not local and neither is the RCPT TO
     // Another RCPT plugin may vouch for this recipient.
     txn.results.add(this, {msg: 'rcpt!local'});
-    return next();
+    next();
 }
 
 exports.auth = function (cfg, connection, smtp_client) {
@@ -303,20 +304,24 @@ exports.queue_forward = function (next, connection) {
 
         smtp_client.on('bad_code', (code, msg) => {
             if (dead_sender() || !txn) return;
-            smtp_client.call_next(((code && code[0] === '5') ? DENY : DENYSOFT),
-                msg);
+            smtp_client.call_next(((code && code[0] === '5') ? DENY : DENYSOFT), msg);
             smtp_client.release();
         });
     });
 }
 
 exports.get_mx_next_hop = next_hop => {
-    const dest = url.parse(next_hop);
+    // queue.wants && queue.next_hop are mechanisms for fine-grained MX routing.
+    // Plugins can specify a queue to perform the delivery as well as a route. A
+    // plugin that uses this is qmail-deliverable, which can direct email delivery
+    // via smtp_forward, outbound (SMTP), and outbound (LMTP).
+    const dest = new url.URL(next_hop);
     const mx = {
         priority: 0,
-        port: dest.port || 25,
+        port: dest.port || (dest.protocol === 'lmtp:' ? 24 : 25),
         exchange: dest.hostname,
     }
+    if (dest.protocol === 'lmtp:') mx.using_lmtp = true;
     if (dest.auth) {
         mx.auth_type = 'plain';
         mx.auth_user = dest.auth.split(':')[0];
@@ -327,9 +332,11 @@ exports.get_mx_next_hop = next_hop => {
 
 exports.get_mx = function (next, hmail, domain) {
 
-    // hmail.todo not defined in tests.
-    if (hmail.todo.notes.next_hop) {
-        return next(OK, this.get_mx_next_hop(hmail.todo.notes.next_hop));
+    const qw = hmail.todo.notes.get('queue.wants')
+    if (qw && qw !== 'smtp_forward') return next()
+
+    if (qw === 'smtp_forward' && hmail.todo.notes.get('queue.next_hop')) {
+        return next(OK, this.get_mx_next_hop(hmail.todo.notes.get('queue.next_hop')));
     }
 
     const dom = this.cfg.main.domain_selector === 'mail_from' ? hmail.todo.mail_from.host.toLowerCase() : domain.toLowerCase();
@@ -341,8 +348,7 @@ exports.get_mx = function (next, hmail, domain) {
     }
 
     const mx_opts = [
-        'auth_type', 'auth_user', 'auth_pass', 'bind', 'bind_helo',
-        'using_lmtp'
+        'auth_type', 'auth_user', 'auth_pass', 'bind', 'bind_helo', 'using_lmtp'
     ]
 
     const mx = {
@@ -357,5 +363,5 @@ exports.get_mx = function (next, hmail, domain) {
         mx[o] = this.cfg[dom][o];
     })
 
-    return next(OK, mx);
+    next(OK, mx);
 }

package/plugins/tls.js

@@ -75,7 +75,7 @@ exports.set_notls = function (connection) {
 
     this.lognotice(connection, `STARTTLS failed. Marking ${connection.remote.ip} as non-TLS host for ${expiry} seconds`);
 
-    server.notes.redis.setex(`no_tls|${connection.remote.ip}`, expiry, (new Date()).toISOString());
+    server.notes.redis.setEx(`no_tls|${connection.remote.ip}`, expiry, (new Date()).toISOString());
 }
 
 exports.upgrade_connection = function (next, connection, params) {

package/plugins.js

@@ -363,6 +363,7 @@ plugins.deprecated = {
     'rcpt_to.qmail_deliverable' : 'qmail-deliverable',
     'rdns.regexp'         : 'access',
     'relay_acl'           : 'relay',
+    'relay_all'           : 'relay',
     'relay_force_routing' : 'relay',
 }
 

package/tests/config/helo.checks.ini

@@ -0,0 +1,52 @@
+; disable checks or reject for each test if you are worried about strictness
+
+;dns_timeout=30
+
+[check]
+match_re=true
+bare_ip=true
+dynamic=true
+big_company=true
+; literal_mismatch:  1 = exact IP match, 2 = IP/24 match, 3 = /24 or RFC1918
+literal_mismatch=2
+valid_hostname=true
+forward_dns=true
+rdns_match=true
+; host_mismatch:  hostname differs between EHLO invocations
+host_mismatch=true
+proto_mismatch: host sent EHLO but then tries to sent HELO or vice-versa
+proto_mismatch=true
+
+[reject]
+host_mismatch=true
+proto_mismatch=true
+rdns_match=true
+dynamic=true
+bare_ip=true
+literal_mismatch=true
+valid_hostname=true
+forward_dns=true
+big_company=true
+
+[skip]
+private_ip=true
+relaying=true
+whitelist=true
+
+[bigco]
+msn.com=msn.com
+hotmail.com=hotmail.com
+yahoo.com=yahoo.com,yahoo.co.jp
+yahoo.co.jp=yahoo.com,yahoo.co.jp
+yahoo.co.uk=yahoo.co.uk
+excite.com=excite.com,excitenetwork.com
+mailexcite.com=excite.com,excitenetwork.com
+yahoo.co.jp=yahoo.com,yahoo.co.jp
+mailexcite.com=excite.com,excitenetwork.com
+aol.com=aol.com
+compuserve.com=compuserve.com,adelphia.net
+nortelnetworks.com=nortelnetworks.com,nortel.com
+earthlink.net=earthlink.net
+earthling.net=earthling.net
+google.com=google.com
+gmail.com=google.com,gmail.com

package/tests/plugins/dns_list_base.js

@@ -69,7 +69,7 @@ exports.multi = {
     setUp : _set_up,
     'Spamcop' (test) {
         test.expect(4);
-        function cb (err, zone, a, pending) {
+        this.plugin.multi('127.0.0.2', 'bl.spamcop.net', (err, zone, a, pending) => {
             test.equal(null, err);
             if (pending) {
                 test.ok((Array.isArray(a) && a.length > 0));
@@ -78,12 +78,11 @@ exports.multi = {
             else {
                 test.done();
             }
-        }
-        this.plugin.multi('127.0.0.2', 'bl.spamcop.net', cb);
+        })
     },
     'CBL' (test) {
         test.expect(4);
-        function cb (err, zone, a, pending) {
+        this.plugin.multi('127.0.0.2', 'xbl.spamhaus.org', (err, zone, a, pending) => {
             test.equal(null, err);
             if (pending) {
                 test.ok((Array.isArray(a) && a.length > 0));
@@ -92,12 +91,12 @@ exports.multi = {
             else {
                 test.done();
             }
-        }
-        this.plugin.multi('127.0.0.2', 'xbl.spamhaus.org', cb);
+        })
     },
     'Spamcop + CBL' (test) {
         test.expect(12);
-        function cb (err, zone, a, pending) {
+        const dnsbls = ['bl.spamcop.net','xbl.spamhaus.org'];
+        this.plugin.multi('127.0.0.2', dnsbls, (err, zone, a, pending) => {
             test.equal(null, err);
             if (pending) {
                 test.ok(zone);
@@ -110,15 +109,20 @@ exports.multi = {
                 test.equal(false, pending);
                 test.done();
             }
-        }
-        const dnsbls = ['bl.spamcop.net','xbl.spamhaus.org'];
-        this.plugin.multi('127.0.0.2', dnsbls, cb);
+        })
     },
     'Spamcop + CBL + negative result' (test) {
         test.expect(12);
-        function cb (err, zone, a, pending) {
+        const dnsbls = [ 'bl.spamcop.net','xbl.spamhaus.org' ];
+        this.plugin.multi('127.0.0.1', dnsbls, (err, zone, a, pending) => {
             test.equal(null, err);
-            test.equal(null, a);
+            if (a && a[0] && a[0] === '127.255.255.254') {
+                test.deepEqual(['127.255.255.254'], a)
+                console.warn(`ERROR: DNSBLs don't work with PUBLIC DNS!`)
+            }
+            else {
+                test.equal(null, a)
+            }
             if (pending) {
                 test.equal(true, pending);
                 test.ok(zone);
@@ -128,14 +132,19 @@ exports.multi = {
                 test.equal(null, zone);
                 test.done();
             }
-        }
-        const dnsbls = ['bl.spamcop.net','xbl.spamhaus.org'];
-        this.plugin.multi('127.0.0.1', dnsbls, cb);
+        })
     },
     'IPv6 addresses supported' (test) {
         test.expect(12);
-        function cb (err, zone, a, pending) {
-            test.equal(null, a);
+        const dnsbls = ['bl.spamcop.net','xbl.spamhaus.org'];
+        this.plugin.multi('::1', dnsbls, (err, zone, a, pending) => {
+            if (a && a[0] && a[0] === '127.255.255.254') {
+                test.deepEqual(['127.255.255.254'], a)
+                console.warn(`ERROR: DNSBLs don't work with PUBLIC DNS!`)
+            }
+            else {
+                test.equal(null, a);
+            }
             if (pending) {
                 test.deepEqual(null, err);
                 test.equal(true, pending);
@@ -147,9 +156,7 @@ exports.multi = {
                 test.equal(null, zone);
                 test.done();
             }
-        }
-        const dnsbls = ['bl.spamcop.net','xbl.spamhaus.org'];
-        this.plugin.multi('::1', dnsbls, cb);
+        })
     }
 }
 
@@ -157,25 +164,28 @@ exports.first = {
     setUp : _set_up,
     'positive result' (test) {
         test.expect(3);
-        function cb (err, zone, a) {
+        const dnsbls = [ 'xbl.spamhaus.org', 'bl.spamcop.net' ];
+        this.plugin.first('127.0.0.2', dnsbls, (err, zone, a) => {
             test.equal(null, err);
             test.ok(zone);
             test.ok((Array.isArray(a) && a.length > 0));
             test.done();
-        }
-        const dnsbls = [ 'xbl.spamhaus.org', 'bl.spamcop.net' ];
-        this.plugin.first('127.0.0.2', dnsbls , cb);
+        })
     },
     'negative result' (test) {
-        test.expect(3);
-        function cb (err, zone, a) {
+        test.expect(2);
+        const dnsbls = [ 'xbl.spamhaus.org', 'bl.spamcop.net' ];
+        this.plugin.first('127.0.0.1', dnsbls, (err, zone, a) => {
             test.equal(null, err);
-            test.equal(null, zone);
-            test.equal(null, a);
+            if (a && a[0] && a[0] === '127.255.255.254') {
+                test.deepEqual(['127.255.255.254'], a)
+                console.warn(`ERROR: DNSBLs don't work with PUBLIC DNS!`)
+            }
+            else {
+                test.equal(null, a);
+            }
             test.done();
-        }
-        const dnsbls = [ 'xbl.spamhaus.org', 'bl.spamcop.net' ];
-        this.plugin.first('127.0.0.1', dnsbls, cb);
+        })
     },
     'each_cb' (test) {
         test.expect(7);