Haraka 3.0.2 → 3.0.4

package/package.json

@@ -9,7 +9,7 @@
     "server",
     "email"
   ],
-  "version": "3.0.2",
+  "version": "3.0.4",
   "homepage": "http://haraka.github.io",
   "repository": {
     "type": "git",
@@ -17,68 +17,76 @@
   },
   "main": "haraka.js",
   "engines": {
-    "node": ">=16"
+    "node": ">=18"
   },
   "dependencies": {
-    "address-rfc2821": "^2.0.1",
-    "address-rfc2822": "^2.1.0",
-    "async": "^3.2.4",
+    "address-rfc2821": "^2.1.2",
+    "address-rfc2822": "^2.2.2",
+    "async": "^3.2.6",
     "daemon": "~1.1.0",
-    "ipaddr.js": "~2.1.0",
-    "node-gyp": "^9.4.0",
-    "nopt": "~7.2.0",
+    "haraka-config": "^1.4.0",
+    "haraka-constants": "^1.0.7",
+    "haraka-dsn": "^1.1.0",
+    "haraka-email-message": "^1.2.3",
+    "haraka-message-stream": "^1.2.2",
+    "haraka-net-utils": "^1.7.0",
+    "haraka-notes": "^1.1.0",
+    "haraka-plugin-redis": "^2.0.7",
+    "haraka-results": "^2.2.4",
+    "haraka-tld": "^1.2.1",
+    "haraka-utils": "^1.1.3",
+    "ipaddr.js": "~2.2.0",
+    "node-gyp": "^10.2.0",
+    "nopt": "^7.2.1",
     "npid": "~0.4.0",
-    "semver": "~7.5.2",
-    "sprintf-js": "~1.1.2",
-    "haraka-config": "^1.1.0",
-    "haraka-constants": "^1.0.6",
-    "haraka-dsn": "^1.0.4",
-    "haraka-email-message": "^1.2.0",
-    "haraka-message-stream": "^1.2.0",
-    "haraka-net-utils": "^1.5.0",
-    "haraka-notes": "^1.0.6",
-    "haraka-plugin-attachment": "^1.0.7",
-    "haraka-plugin-spf": "1.2.0",
-    "haraka-plugin-redis": "^2.0.5",
-    "haraka-results": "^2.2.3",
-    "haraka-tld": "^1.1.1",
-    "haraka-utils": "^1.0.3",
-    "openssl-wrapper": "^0.3.4",
-    "sockaddr": "^1.0.1"
+    "redis": "~4.7.0",
+    "semver": "^7.6.3",
+    "sockaddr": "^1.0.1",
+    "sprintf-js": "~1.1.3"
   },
   "optionalDependencies": {
-    "haraka-plugin-access": "^1.1.5",
-    "haraka-plugin-aliases": "^1.0.1",
-    "haraka-plugin-asn": "^2.0.1",
-    "haraka-plugin-auth-ldap": "^1.0.2",
-    "haraka-plugin-dcc": "^1.0.1",
-    "haraka-plugin-elasticsearch": "^1.0.6",
+    "haraka-plugin-access": "^1.1.6",
+    "haraka-plugin-aliases": "^1.0.2",
+    "haraka-plugin-asn": "^2.0.3",
+    "haraka-plugin-attachment": "^1.1.2",
+    "haraka-plugin-auth-ldap": "^1.1.0",
+    "haraka-plugin-avg": "^1.1.0",
+    "haraka-plugin-bounce": "1.0.2",
+    "haraka-plugin-clamd": "1.0.1",
+    "haraka-plugin-dcc": "^1.0.2",
+    "haraka-plugin-dkim": "^1.0.4",
+    "haraka-plugin-dns-list": "^1.2.0",
+    "haraka-plugin-elasticsearch": "^8.0.2",
+    "haraka-plugin-esets": "^1.0.0",
     "haraka-plugin-fcrdns": "^1.1.0",
+    "haraka-plugin-geoip": "^1.1.0",
     "haraka-plugin-graph": "^1.0.5",
-    "haraka-plugin-geoip": "^1.0.17",
-    "haraka-plugin-headers": "^1.0.3",
-    "haraka-plugin-karma": "^2.1.0",
-    "haraka-plugin-limit": "^1.1.0",
+    "haraka-plugin-greylist": "^1.0.0",
+    "haraka-plugin-headers": "^1.0.4",
+    "haraka-plugin-helo.checks": "^1.0.0",
+    "haraka-plugin-karma": "^2.1.5",
+    "haraka-plugin-known-senders": "^1.1.0",
+    "haraka-plugin-limit": "^1.2.5",
+    "haraka-plugin-messagesniffer": "^1.0.0",
     "haraka-plugin-p0f": "^1.0.9",
-    "haraka-plugin-qmail-deliverable": "^1.2.1",
-    "haraka-plugin-known-senders": "^1.0.8",
-    "haraka-plugin-rcpt-ldap": "^1.0.0",
-    "haraka-plugin-recipient-routes": "^1.0.4",
-    "haraka-plugin-rspamd": "^1.2.0",
-    "haraka-plugin-syslog": "^1.0.3",
-    "haraka-plugin-uribl": "^1.0.6",
-    "haraka-plugin-watch": "^2.0.2",
+    "haraka-plugin-qmail-deliverable": "^1.2.3",
+    "haraka-plugin-rcpt-ldap": "^1.1.0",
+    "haraka-plugin-recipient-routes": "^1.2.0",
+    "haraka-plugin-rspamd": "^1.3.1",
+    "haraka-plugin-spamassassin": "^1.0.0",
+    "haraka-plugin-spf": "1.2.7",
+    "haraka-plugin-syslog": "^1.0.6",
+    "haraka-plugin-uribl": "^1.0.8",
+    "haraka-plugin-watch": "^2.0.4",
     "ocsp": "~1.2.0",
-    "redis": "^4.5.1",
-    "tmp": "~0.2.1"
+    "tmp": "~0.2.3"
   },
   "devDependencies": {
-    "nodeunit-x": "^0.16.0",
-    "haraka-test-fixtures": "^1.3.0",
+    "@haraka/eslint-config": "^1.1.5",
+    "haraka-test-fixtures": "^1.3.7",
+    "mocha": "^10.7.3",
     "mock-require": "^3.0.3",
-    "eslint": "^8.42.0",
-    "eslint-plugin-haraka": "^1.0.15",
-    "nodemailer": "^6.9.3"
+    "nodemailer": "^6.9.14"
   },
   "bugs": {
     "mail": "haraka.mail@gmail.com",
@@ -86,13 +94,16 @@
   },
   "bin": {
     "haraka": "./bin/haraka",
-    "dkimverify": "./bin/dkimverify",
     "haraka_grep": "./bin/haraka_grep"
   },
   "scripts": {
-    "test": "node run_tests",
-    "lint": "npx eslint *.js outbound plugins plugins/*/*.js tests tests/*/*.js tests/*/*/*.js bin/haraka bin/dkimverify",
-    "lintfix": "npx eslint --fix *.js outbound plugins plugins/*/*.js tests tests/*/*.js tests/*/*/*.js bin/haraka bin/dkimverify",
-    "versions": "npx dependency-version-checker check"
+    "format": "npm run prettier:fix && npm run lint:fix",
+    "lint": "npx eslint@^8 *.js outbound plugins plugins/*/*.js test test/*/*.js test/*/*/*.js bin/haraka",
+    "lint:fix": "npx eslint@^8 --fix *.js outbound plugins plugins/*/*.js test test/*/*.js test/*/*/*.js bin/haraka",
+    "prettier": "npx prettier . --check",
+    "prettier:fix": "npx prettier . --write --log-level=warn",
+    "test": "npx mocha --exit --timeout=4000 test test/outbound test/plugins/auth test/plugins/queue test/plugins",
+    "versions": "npx dependency-version-checker check",
+    "versions:fix": "npx dependency-version-checker update && npm run prettier:fix"
   }
 }

package/plugins/.eslintrc.yaml

@@ -1,10 +1,4 @@
 
 globals:
   server: true
-  OK: true
-  CONT: true
-  DENY: true
-  DENYSOFT: true
-  DENYDISCONNECT: true
-  DENYSOFTDISCONNECT: true
   NEXT_HOOK: true

package/plugins/auth/auth_base.js

@@ -4,8 +4,11 @@
 
 // Note: You can disable setting `connection.notes.auth_passwd` by `plugin.blankout_password = true`
 
-const crypto = require('crypto');
-const utils = require('haraka-utils');
+const crypto = require('node:crypto');
+
+const tlds   = require('haraka-tld')
+const utils  = require('haraka-utils');
+
 const AUTH_COMMAND = 'AUTH';
 const AUTH_METHOD_CRAM_MD5 = 'CRAM-MD5';
 const AUTH_METHOD_PLAIN = 'PLAIN';
@@ -15,7 +18,7 @@ const LOGIN_STRING2 = 'UGFzc3dvcmQ6'; //Password: base64 coded
 
 exports.hook_capabilities = (next, connection) => {
     // Don't offer AUTH capabilities unless session is encrypted
-    if (!connection.tls.enabled) { return next(); }
+    if (!connection.tls.enabled) return next();
 
     const methods = [ 'PLAIN', 'LOGIN', 'CRAM-MD5' ];
     connection.capabilities.push(`AUTH ${methods.join(' ')}`);
@@ -47,9 +50,7 @@ exports.hook_unrecognized_command = function (next, connection, params) {
 
 exports.check_plain_passwd = function (connection, user, passwd, cb) {
     function callback (plain_pw) {
-        if (plain_pw === null  ) return cb(false);
-        if (plain_pw !== passwd) return cb(false);
-        cb(true);
+        cb(plain_pw === null ? false : plain_pw === passwd);
     }
     if (this.get_plain_passwd.length == 2) {
         this.get_plain_passwd(user, callback);
@@ -71,7 +72,7 @@ exports.check_cram_md5_passwd = function (connection, user, passwd, cb) {
 
         if (hmac.digest('hex') === passwd) return cb(true);
 
-        return cb(false);
+        cb(false);
     }
     if (this.get_plain_passwd.length == 2) {
         this.get_plain_passwd(user, callback);
@@ -117,7 +118,7 @@ exports.check_user = function (next, connection, credentials, method) {
                 connection.auth_results(`auth=pass (${method.toLowerCase()})`);
                 connection.notes.auth_user = credentials[0];
                 if (!plugin.blankout_password) connection.notes.auth_passwd = credentials[1];
-                return next(OK);
+                next(OK);
             });
             return;
         }
@@ -125,9 +126,7 @@ exports.check_user = function (next, connection, credentials, method) {
         if (!connection.notes.auth_fails) connection.notes.auth_fails = 0;
 
         connection.notes.auth_fails++;
-        connection.results.add({name: 'auth'}, {
-            fail:`${plugin.name}/${method}`,
-        });
+        connection.results.add({name: 'auth'}, { fail:`${plugin.name}/${method}` });
 
         let delay = Math.pow(2, connection.notes.auth_fails - 1);
         if (plugin.timeout && delay >= plugin.timeout) {
@@ -230,7 +229,7 @@ exports.auth_cram_md5 = function (next, connection, params) {
         return this.check_user(next, connection, credentials, AUTH_METHOD_CRAM_MD5);
     }
 
-    const ticket = `<${this.hexi(Math.floor(Math.random() * 1000000))}. ${this.hexi(Date.now())}@${connection.local.host}>`;
+    const ticket = `<${this.hexi(Math.floor(Math.random() * 1000000))}.${this.hexi(Date.now())}@${connection.local.host}>`;
 
     connection.loginfo(this, `ticket: ${ticket}`);
     connection.respond(334, utils.base64(ticket), () => {
@@ -240,3 +239,22 @@ exports.auth_cram_md5 = function (next, connection, params) {
 }
 
 exports.hexi = number => String(Math.abs(parseInt(number)).toString(16))
+
+exports.constrain_sender = function (next, connection, params) {
+    if (this?.cfg?.main?.constrain_sender === false) return next()
+
+    const au = connection.results.get('auth')?.user
+    if (!au) return next()
+
+    const ad = /@/.test(au) ? au.split('@').pop() : null
+    const ed = params[0].host
+
+    if (!ad || !ed) return next()
+
+    const auth_od = tlds.get_organizational_domain(ad)
+    const envelope_od = tlds.get_organizational_domain(ed)
+
+    if (auth_od === envelope_od) return next()
+
+    next(DENY, `Envelope domain '${envelope_od}' doesn't match AUTH domain '${auth_od}'`)
+}

package/plugins/auth/auth_proxy.js

@@ -1,7 +1,9 @@
 // Proxy AUTH requests selectively by domain
 
-const sock  = require('./line_socket');
+const net = require('node:net')
+
 const utils = require('haraka-utils');
+const net_utils = require('haraka-net-utils')
 
 const smtp_regexp = /^(\d{3})([ -])(.*)/;
 
@@ -16,7 +18,6 @@ exports.load_tls_ini = function () {
     });
 }
 
-
 exports.hook_capabilities = (next, connection) => {
     if (connection.tls.enabled) {
         const methods = [ 'PLAIN', 'LOGIN' ];
@@ -54,7 +55,8 @@ exports.try_auth_proxy = function (connection, hosts, user, passwd, cb) {
     }
 
     const self = this;
-    const host = hosts.shift();
+    let [ host, port ] = hosts.shift().split(':'); /* eslint prefer-const: 0 */
+    if (!port) port = 25
     let methods = [];
     let auth_complete = false;
     let auth_success = false;
@@ -62,27 +64,27 @@ exports.try_auth_proxy = function (connection, hosts, user, passwd, cb) {
     let response = [];
     let secure = false;
 
-    const hostport = host.split(/:/);
-    const socket = sock.connect(((hostport[1]) ? hostport[1] : 25), hostport[0]);
-    connection.logdebug(self, `attempting connection to host=${hostport[0]} port=${(hostport[1]) ? hostport[1] : 25}`);
+    const socket = net.connect({ host, port });
+    net_utils.add_line_processor(socket)
+    connection.logdebug(this, `attempting connection to host=${host} port=${port}`);
     socket.setTimeout(30 * 1000);
     socket.on('connect', () => { });
     socket.on('close', () => {
         if (!auth_complete) {
             // Try next host
-            return self.try_auth_proxy(connection, hosts, user, passwd, cb);
+            return this.try_auth_proxy(connection, hosts, user, passwd, cb);
         }
-        connection.loginfo(self, `AUTH user="${user}" host="${host}" success=${auth_success}`);
-        return cb(auth_success);
+        connection.loginfo(this, `AUTH user="${user}" host="${host}" success=${auth_success}`);
+        cb(auth_success);
     });
     socket.on('timeout', () => {
-        connection.logerror(self, "connection timed out");
+        connection.logerror(this, "connection timed out");
         socket.end();
         // Try next host
-        return self.try_auth_proxy(connection, hosts, user, passwd, cb);
+        this.try_auth_proxy(connection, hosts, user, passwd, cb);
     });
     socket.on('error', err => {
-        connection.logerror(self, `connection failed to host ${host}: ${err}`);
+        connection.logerror(this, `connection failed to host ${host}: ${err}`);
         socket.end();
     });
     socket.send_command = function (cmd, data) {

package/plugins/auth/auth_vpopmaild.js

@@ -1,28 +1,39 @@
 // Auth against vpopmaild
 
-const net    = require('net');
+const net = require('node:net');
 
 exports.register = function () {
     this.inherits('auth/auth_base');
-    this.load_vpop_ini();
+    this.blankout_password=true
+
+    this.load_vpopmaild_ini();
+
+    if (this.cfg.main.constrain_sender) {
+        this.register_hook('mail', 'constrain_sender')
+    }
 }
 
-exports.load_vpop_ini = function () {
-    this.cfg = this.config.get('auth_vpopmaild.ini', () => {
-        this.load_vpop_ini();
+exports.load_vpopmaild_ini = function () {
+    this.cfg = this.config.get('auth_vpopmaild.ini', {
+        booleans: [
+            '+main.constrain_sender',
+        ]
+    },
+    () => {
+        this.load_vpopmaild_ini();
     });
 }
 
 exports.hook_capabilities = function (next, connection) {
-    if (!connection.tls.enabled) { return next(); }
+    if (!connection.tls.enabled) return next();
 
     const methods = [ 'PLAIN', 'LOGIN' ];
-    if (this.cfg.main.sysadmin) { methods.push('CRAM-MD5'); }
+    if (this.cfg.main.sysadmin) methods.push('CRAM-MD5');
 
     connection.capabilities.push(`AUTH ${methods.join(' ')}`);
     connection.notes.allowed_auth_methods = methods;
 
-    return next();
+    next();
 }
 
 exports.check_plain_passwd = function (connection, user, passwd, cb) {
@@ -49,11 +60,12 @@ exports.check_plain_passwd = function (connection, user, passwd, cb) {
             }
             socket.end();             // disconnect
         }
-    });
+    })
+
     socket.on('end', () => {
         connection.loginfo(this, `AUTH user="${user}" success=${auth_success}`);
-        return cb(auth_success);
-    });
+        cb(auth_success);
+    })
 }
 
 exports.get_sock_opts = function (user) {
@@ -66,13 +78,11 @@ exports.get_sock_opts = function (user) {
 
     const domain = (user.split('@'))[1];
     let sect = this.cfg.main;
-    if (domain && this.cfg[domain]) {
-        sect = this.cfg[domain];
-    }
+    if (domain && this.cfg[domain]) sect = this.cfg[domain];
 
-    if (sect.port)     { this.sock_opts.port     = sect.port;     }
-    if (sect.host)     { this.sock_opts.host     = sect.host;     }
-    if (sect.sysadmin) { this.sock_opts.sysadmin = sect.sysadmin; }
+    if (sect.port)     this.sock_opts.port     = sect.port;
+    if (sect.host)     this.sock_opts.host     = sect.host;
+    if (sect.sysadmin) this.sock_opts.sysadmin = sect.sysadmin;
 
     this.logdebug(`sock: ${this.sock_opts.host}:${this.sock_opts.port}`);
     return this.sock_opts;
@@ -89,14 +99,14 @@ exports.get_vpopmaild_socket = function (user) {
     socket.on('timeout', () => {
         this.logerror("vpopmaild connection timed out");
         socket.end();
-    });
+    })
     socket.on('error', err => {
         this.logerror(`vpopmaild connection failed: ${err}`);
         socket.end();
-    });
+    })
     socket.on('connect', () => {
         this.logdebug('vpopmail connected');
-    });
+    })
     return socket;
 }
 

package/plugins/auth/flat_file.js

@@ -3,26 +3,32 @@
 exports.register = function () {
     this.inherits('auth/auth_base');
     this.load_flat_ini();
+
+    if (this.cfg.core.constrain_sender) {
+        this.register_hook('mail', 'constrain_sender')
+    }
 }
 
 exports.load_flat_ini = function () {
-    this.cfg = this.config.get('auth_flat_file.ini', () => {
+    this.cfg = this.config.get('auth_flat_file.ini', {
+        booleans: [
+            '+core.constrain_sender',
+        ]
+    },
+    () => {
         this.load_flat_ini();
     });
+
+    if (this.cfg.users === undefined) this.cfg.users = {}
 }
 
 exports.hook_capabilities = function (next, connection) {
-    // don't allow AUTH unless private IP or encrypted
     if (!connection.remote.is_private && !connection.tls.enabled) {
-        connection.logdebug(this,
-            "Auth disabled for insecure public connection");
+        connection.logdebug(this, "Auth disabled for insecure public connection");
         return next();
     }
 
-    let methods = null;
-    if (this.cfg.core?.methods ) {
-        methods = this.cfg.core.methods.split(',');
-    }
+    const methods = this.cfg.core?.methods ? this.cfg.core.methods.split(',') : null
     if (methods && methods.length > 0) {
         connection.capabilities.push(`AUTH ${methods.join(' ')}`);
         connection.notes.allowed_auth_methods = methods;
@@ -31,8 +37,7 @@ exports.hook_capabilities = function (next, connection) {
 }
 
 exports.get_plain_passwd = function (user, connection, cb) {
-    if (this.cfg.users[user]) {
-        return cb(this.cfg.users[user].toString());
-    }
-    return cb();
+    if (this.cfg.users[user]) return cb(this.cfg.users[user].toString());
+
+    cb();
 }

package/plugins/block_me.js

@@ -3,7 +3,7 @@
 // in the mail_from.blocklist file. You need to be running the
 // mail_from.blocklist plugin for this to work fully.
 
-const fs    = require('fs');
+const fs    = require('node:fs');
 const utils = require('haraka-utils');
 
 exports.hook_data = (next, connection) => {

package/plugins/data.signatures.js

@@ -3,9 +3,7 @@
 
 exports.hook_data = (next, connection) => {
     // enable mail body parsing
-    if (!connection?.transaction) return next();
-
-    connection.transaction.parse_body = true;
+    if (connection?.transaction) connection.transaction.parse_body = true;
     next();
 }
 
@@ -17,7 +15,7 @@ exports.hook_data_post = function (next, connection) {
     if (check_sigs(sigs, connection.transaction.body)) {
         return next(DENY, "Mail matches a known spam signature");
     }
-    return next();
+    next();
 }
 
 function check_sigs (sigs, body) {

package/plugins/early_talker.js

@@ -1,7 +1,8 @@
 // This plugin checks for clients that talk before we sent a response
 
+const { isIPv6 } = require('node:net');
+
 const ipaddr = require('ipaddr.js');
-const { isIPv6 } = require('net');
 
 exports.register = function () {
     this.load_config();