Haraka 3.0.2 → 3.0.4

package/plugins/dkim_sign.js

@@ -1,395 +0,0 @@
-// dkim_signer
-// Implements DKIM core as per www.dkimcore.org
-
-const addrparser = require('address-rfc2822');
-const async      = require('async');
-const crypto     = require('crypto');
-const fs         = require('fs');
-const path       = require('path');
-const { Stream }     = require('stream');
-
-const utils      = require('haraka-utils');
-
-class DKIMSignStream extends Stream {
-    constructor (props, header, done) {
-        super();
-
-        this.selector = props.selector;
-
-        // fix issue #2668 renaming reserved kw/property of 'domain' to 'domain_name'
-        this.domain_name = props.domain;
-        this.private_key = props.private_key;
-        this.headers_to_sign = props.headers;
-        this.header = header;
-        this.end_callback = done;
-        this.writable = true;
-        this.found_eoh = false;
-        this.buffer = { ar: [], len: 0 };
-        this.hash = crypto.createHash('SHA256');
-        this.line_buffer = { ar: [], len: 0 };
-        this.signer = crypto.createSign('RSA-SHA256');
-        this.body_found = false;
-    }
-
-    write (buf) {
-        /*
-        ** BODY (simple canonicalization)
-        */
-
-        // Merge in any partial data from last iteration
-        if (this.buffer.ar.length) {
-            this.buffer.ar.push(buf);
-            this.buffer.len += buf.length;
-            const nb = Buffer.concat(this.buffer.ar, this.buffer.len);
-            buf = nb;
-            this.buffer = { ar: [], len: 0 };
-        }
-        // Process input buffer into lines
-        let offset = 0;
-        while ((offset = utils.indexOfLF(buf)) !== -1) {
-            const line = buf.slice(0, offset+1);
-            if (buf.length > offset) {
-                buf = buf.slice(offset+1);
-            }
-            // Look for CRLF
-            if (line.length === 2 && line[0] === 0x0d && line[1] === 0x0a) {
-                // Look for end of headers marker
-                if (!this.found_eoh) {
-                    this.found_eoh = true;
-                }
-                else {
-                    // Store any empty lines so that we can discard
-                    // any trailing CRLFs at the end of the message
-                    this.line_buffer.ar.push(line);
-                    this.line_buffer.len += line.length;
-                }
-            }
-            else {
-                if (!this.found_eoh) continue; // Skip headers
-                if (this.line_buffer.ar.length) {
-                    // We need to process the buffered CRLFs
-                    const lb = Buffer.concat(this.line_buffer.ar, this.line_buffer.len);
-                    this.line_buffer = { ar: [], len: 0 };
-                    this.hash.update(lb);
-                }
-                this.hash.update(line);
-                this.body_found = true;
-            }
-        }
-        if (buf.length) {
-            // We have partial data...
-            this.buffer.ar.push(buf);
-            this.buffer.len += buf.length;
-        }
-    }
-
-    end (buf) {
-        this.writable = false;
-
-        // Add trailing CRLF if we have data left over
-        if (this.buffer.ar.length) {
-            this.buffer.ar.push(Buffer.from("\r\n"));
-            this.buffer.len += 2;
-            const le = Buffer.concat(this.buffer.ar, this.buffer.len);
-            this.hash.update(le);
-            this.buffer = { ar: [], len: 0 };
-        }
-
-        if (!this.body_found) {
-            this.hash.update(Buffer.from("\r\n"));
-        }
-
-        const bodyhash = this.hash.digest('base64');
-
-        /*
-        ** HEADERS (relaxed canonicaliztion)
-        */
-
-        const headers = [];
-        for (const element of this.headers_to_sign) {
-            let head = this.header.get(element);
-            if (head) {
-                head = head.replace(/\r?\n/gm, '');
-                head = head.replace(/\s+/gm, ' ');
-                head = head.replace(/\s+$/gm, '');
-                this.signer.update(`${element}:${head}\r\n`);
-                headers.push(element);
-            }
-        }
-
-        // Create DKIM header
-        let dkim_header = `v=1; a=rsa-sha256; c=relaxed/simple; d=${this.domain_name}; s=${this.selector}; h=${headers.join(':')}; bh=${bodyhash}; b=`;
-        this.signer.update(`dkim-signature:${dkim_header}`);
-        const signature = this.signer.sign(this.private_key, 'base64');
-        dkim_header = `v=1; a=rsa-sha256; c=relaxed/simple;\r\n\td=${this.domain_name}; s=${this.selector};\r\n\th=${headers.join(':')};\r\n\tbh=${bodyhash};\r\n\tb=`;
-        dkim_header += signature.substring(0,74);
-        for (let i=74; i<signature.length; i+=76) {
-            dkim_header += `\r\n\t${signature.substring(i, i+76)}`;
-        }
-
-        if (this.end_callback) this.end_callback(null, dkim_header);
-        this.end_callback = null;
-    }
-
-    destroy () {
-        this.writable = false;
-        // Stream destroyed before the callback ran
-        if (this.end_callback) {
-            this.end_callback(new Error('Stream destroyed'));
-        }
-    }
-}
-
-exports.DKIMSignStream = DKIMSignStream;
-
-exports.register = function () {
-    this.load_dkim_sign_ini();
-    this.load_dkim_default_key();
-}
-
-exports.load_dkim_sign_ini = function () {
-    this.cfg = this.config.get('dkim_sign.ini', {
-        booleans: [
-            '-disabled',
-        ]
-    },
-    () => { this.load_dkim_sign_ini(); }
-    );
-
-    this.cfg.headers_to_sign = this.get_headers_to_sign();
-}
-
-exports.load_dkim_default_key = function () {
-    this.private_key = this.config.get('dkim.private.key', 'data', () => {
-        this.load_dkim_default_key();
-    }).join('\n');
-}
-
-exports.load_key = function (file) {
-    return this.config.get(file, 'data').join('\n');
-}
-
-exports.hook_queue_outbound = exports.hook_pre_send_trans_email = function (next, connection) {
-    if (this.cfg.main.disabled) return next();
-    if (!connection?.transaction) return next();
-
-    if (connection.transaction.notes?.dkim_signed) {
-        connection.logdebug(this, 'already signed');
-        return next();
-    }
-
-    exports.get_sign_properties(connection, (err, props) => {
-        if (!connection?.transaction) return next();
-        // props: selector, domain, & private_key
-        if (err) connection.logerror(this, `${err.message}`);
-
-        if (!this.has_key_data(connection, props)) return next();
-
-        connection.logdebug(this, `domain: ${props.domain}`);
-
-        const txn = connection.transaction;
-        props.headers = this.cfg.headers_to_sign;
-
-        txn.message_stream.pipe(
-            new DKIMSignStream(props, txn.header, (err2, dkim_header) => {
-                if (err2) {
-                    txn.results.add(this, {err: err2.message});
-                    return next(err2);
-                }
-
-                connection.loginfo(this, `signed for ${props.domain}`);
-                txn.results.add(this, {pass: dkim_header});
-                txn.add_header('DKIM-Signature', dkim_header);
-
-                connection.transaction.notes.dkim_signed = true;
-                next();
-            })
-        );
-    });
-}
-
-exports.get_sign_properties = function (connection, done) {
-    if (!connection.transaction) return;
-
-    const domain = this.get_sender_domain(connection);
-
-    if (!domain) {
-        connection.transaction.results.add(this, {msg: 'sending domain not detected', emit: true });
-    }
-
-    const props = { domain }
-
-    this.get_key_dir(connection, props, (err, keydir) => {
-        if (err) {
-            console.error(`err: ${err}`);
-            connection.logerror(this, err);
-            return done(new Error(`Error getting DKIM key_dir for ${domain}: ${err}`), props)
-        }
-
-        if (!connection.transaction) return done(null, props);
-
-        // a directory for ${domain} exists
-        if (keydir) {
-            props.domain = path.basename(keydir);  // keydir might be apex (vs sub)domain
-            props.private_key = this.load_key(path.join('dkim', props.domain, 'private'));
-            props.selector = this.load_key(path.join('dkim', props.domain, 'selector')).trim();
-
-            if (!props.selector) {
-                connection.transaction.results.add(this, {err: `missing selector for domain ${domain}`});
-            }
-            if (!props.private_key) {
-                connection.transaction.results.add(this, {err: `missing dkim private_key for domain ${domain}`});
-            }
-
-            if (props.selector && props.private_key ) {  // AND has correct files
-                return done(null, props);
-            }
-        }
-
-        // try [default / single domain] configuration
-        if (this.cfg.main.domain && this.cfg.main.selector && this.private_key) {
-
-            connection.transaction.results.add(this, {msg: 'using default key', emit: true });
-
-            props.domain      = this.cfg.main.domain;
-            props.private_key = this.private_key;
-            props.selector    = this.cfg.main.selector;
-
-            return done(null, props)
-        }
-
-        console.error(`no valid DKIM properties found`)
-        done(null, props);
-    })
-}
-
-exports.get_key_dir = function (connection, props, done) {
-
-    if (!props.domain) return done();
-
-    // split the domain name into labels
-    const labels     = props.domain.split('.');
-    const haraka_dir = process.env.HARAKA || '';
-
-    // list possible matches (ex: mail.example.com, example.com, com)
-    const dom_hier = [];
-    for (let i=0; i<labels.length; i++) {
-        const dom = labels.slice(i).join('.');
-        dom_hier[i] = path.resolve(haraka_dir, 'config', 'dkim', dom);
-    }
-
-    async.detectSeries(dom_hier, (filePath, iterDone) => {
-        fs.stat(filePath, (err, stats) => {
-            if (err) return iterDone(null, false);
-            iterDone(null, stats.isDirectory());
-        });
-    },
-    (err, results) => {
-        connection.logdebug(this, results);
-        done(err, results);
-    });
-}
-
-exports.has_key_data = function (conn, props) {
-
-    let missing = undefined;
-
-    // Make sure we have all the relevant configuration
-    if (!props.private_key) {
-        missing = 'private key';
-    }
-    else if (!props.selector) {
-        missing = 'selector';
-    }
-    else if (!props.domain) {
-        missing = 'domain';
-    }
-
-    if (missing) {
-        if (props.domain) {
-            conn.lognotice(this, `skipped: no ${missing} for ${props.domain}`);
-        }
-        else {
-            conn.lognotice(this, `skipped: no ${missing}`);
-        }
-        return false;
-    }
-
-    conn.logprotocol(this, `using selector: ${props.selector} at domain ${props.domain}`);
-    return true;
-}
-
-exports.get_headers_to_sign = function (cfg) {
-
-    if (!cfg) cfg = this.cfg;
-    if (!cfg.main.headers_to_sign) return [ 'from' ];
-
-    const headers = cfg.main.headers_to_sign
-        .toLowerCase()
-        .replace(/\s+/g,'')
-        .split(/[,;:]/);
-
-    // From MUST be present
-    if (!headers.includes('from')) headers.push('from');
-
-    return headers;
-}
-
-exports.get_sender_domain = function (connection) {
-
-    const txn = connection?.transaction;
-    if (!txn) return;
-
-    // fallback: use Envelope FROM when header parsing fails
-    let domain;
-    if (txn.mail_from.host) {
-        try { domain = txn.mail_from.host.toLowerCase(); }
-        catch (e) {
-            connection.logerror(this, e);
-        }
-    }
-
-    // In case of forwarding, only use the Envelope
-    if (txn.notes.forward) return domain;
-    if (!txn.header) return domain;
-
-    // the DKIM signing key should be aligned with the domain in the From
-    // header (see DMARC). Try to parse the domain from there.
-    const from_hdr = txn.header.get_decoded('From');
-    if (!from_hdr) return domain;
-
-    // The From header can contain multiple addresses and should be
-    // parsed as described in RFC 2822 3.6.2.
-    let addrs;
-    try {
-        addrs = addrparser.parse(from_hdr);
-    }
-    catch (e) {
-        connection.logerror(this, `address-rfc2822 failed to parse From header: ${from_hdr}`)
-        return domain;
-    }
-    if (!addrs || ! addrs.length) return domain;
-
-    // If From has a single address, we're done
-    if (addrs.length === 1 && addrs[0].host) {
-        let fromHost = addrs[0].host();
-        if (fromHost) {
-            // don't attempt to lower a null or undefined value #1575
-            fromHost = fromHost.toLowerCase();
-        }
-        return fromHost;
-    }
-
-    // If From has multiple-addresses, we must parse and
-    // use the domain in the Sender header.
-    const sender = txn.header.get_decoded('Sender');
-    if (sender) {
-        try {
-            domain = (addrparser.parse(sender))[0].host().toLowerCase();
-        }
-        catch (e) {
-            connection.logerror(this, e);
-        }
-    }
-    return domain;
-}

package/plugins/dkim_verify.js

@@ -1,62 +0,0 @@
-
-const dkim = require('./dkim');
-
-const { DKIMVerifyStream } = dkim;
-
-const plugin = exports;
-
-dkim.DKIMObject.prototype.debug = str => {
-    plugin.logdebug(str);
-}
-
-DKIMVerifyStream.prototype.debug = str => {
-    plugin.logdebug(str);
-}
-
-exports.register = function () {
-    this.load_config()
-}
-
-exports.load_config = function () {
-    const cfg = this.config.get('dkim_verify.ini', {}, () => this.load_config())
-
-    this.cfg = Object.assign({}, cfg.main, {
-        timeout: plugin.timeout ? plugin.timeout - 1 : 0
-    })
-}
-
-exports.hook_data_post = function (next, connection) {
-    const txn = connection?.transaction;
-    if (!txn) return next();
-
-    const verifier = new DKIMVerifyStream(this.cfg, (err, result, results) => {
-        if (err) {
-            txn.results.add(this, { err });
-            return next();
-        }
-        if (!results || results.length === 0) {
-            txn.results.add(this, { skip: 'no/bad dkim signature' });
-            return next(CONT, 'no/bad signature')
-        }
-        results.forEach((res) => {
-            let res_err = '';
-            if (res.error) res_err = ` (${res.error})`;
-            connection.auth_results(`dkim=${res.result}${res_err} header.i=${res.identity} header.d=${res.domain} header.s=${res.selector}`);
-            connection.loginfo(this, `identity="${res.identity}" domain="${res.domain}" selector="${res.selector}" result=${res.result} ${res_err}`);
-
-            // save to ResultStore
-            const rs_obj = JSON.parse(JSON.stringify(res));
-            if      (res.result === 'pass') { rs_obj.pass = res.domain; }
-            else if (res.result === 'fail') { rs_obj.fail = res.domain + res_err; }
-            else                            { rs_obj.err  = res.domain + res_err; }
-            txn.results.add(this, rs_obj);
-        });
-
-        connection.logdebug(this, JSON.stringify(results));
-        // Store results for other plugins
-        txn.notes.dkim_results = results;
-        next();
-    })
-
-    txn.message_stream.pipe(verifier, { line_endings: '\r\n' });
-}

package/plugins/dns_list_base.js

@@ -1,221 +0,0 @@
-// DNS list module
-const dns         = require('dns');
-const net         = require('net');
-const net_utils   = require('haraka-net-utils');
-const async       = require('async');
-
-exports.enable_stats = false;
-exports.disable_allowed = false;
-exports.redis_host = '127.0.0.1:6379';
-let redis_client;
-
-exports.lookup = function (lookup, zone, cb) {
-
-    if (!lookup || !zone) {
-        return setImmediate(() => cb(new Error('missing data')));
-    }
-
-    if (this.enable_stats) { this.init_redis(); }
-
-    // Reverse lookup if IPv4 address
-    if (net.isIPv4(lookup)) {
-        lookup = lookup.split('.').reverse().join('.');
-    }
-    else if (net.isIPv6(lookup)) {
-        lookup = net_utils.ipv6_reverse(lookup);
-    }
-
-    let start;
-    if (this.enable_stats) {
-        start = new Date().getTime();
-    }
-
-    // Build the query, adding the root dot if missing
-    let query = [lookup, zone].join('.');
-    if (!query.endsWith('.')) {
-        query += '.';
-    }
-    this.logdebug(`looking up: ${query}`);
-    // IS: IPv6 compatible (maybe; only if BL return IPv4 answers)
-    dns.resolve(query, 'A', (err, a) => {
-        this.stats_incr_zone(err, zone, start);  // Statistics
-
-        // Check for a result of 127.0.0.1 or outside 127/8
-        // This should *never* happen on a proper DNS list
-        if (a && ((!this.lookback_is_rejected && a.includes('127.0.0.1')) ||
-                a.find((rec) => { return rec.split('.')[0] !== '127' }))
-        ) {
-            this.disable_zone(zone, a);
-            return cb(err, null);  // Return a null A record
-        }
-
-        // <https://www.spamhaus.org/news/article/807/using-our-public-mirrors-check-your-return-codes-now>
-        if (a?.includes('127.255.255.')) {
-            this.disable_zone(zone, a);
-            return cb(err, null);  // Return a null A record
-        }
-
-        if (err) {
-            if (err.code === dns.TIMEOUT) {         // list timed out
-                this.disable_zone(zone, err.code); // disable it
-            }
-            if (err.code === dns.NOTFOUND) {  // unlisted
-                return cb(null, a);          // not an error for a DNSBL
-            }
-        }
-        return cb(err, a);
-    });
-}
-
-exports.stats_incr_zone = function (err, zone, start) {
-    if (!this.enable_stats) return;
-
-    const rkey = `dns-list-stat:${zone}`;
-    const elapsed = new Date().getTime() - start;
-    redis_client.hIncrBy(rkey, 'TOTAL', 1);
-    const foo = (err) ? err.code : 'LISTED';
-    redis_client.hIncrBy(rkey, foo, 1);
-    redis_client.hGet(rkey, 'AVG_RT').then(rt => {
-        const avg = parseInt(rt) ? (parseInt(elapsed) + parseInt(rt))/2
-            : parseInt(elapsed);
-        redis_client.hSet(rkey, 'AVG_RT', avg);
-    });
-}
-
-exports.init_redis = function () {
-    if (redis_client) { return; }
-
-    const redis = require('redis');
-    const host_port = this.redis_host.split(':');
-    const host = host_port[0] || '127.0.0.1';
-    const port = parseInt(host_port[1], 10) || 6379;
-
-    redis_client = redis.createClient(port, host);
-    redis_client.connect().then(() => {
-        redis_client.on('error', err => {
-            this.logerror(`Redis error: ${err}`);
-            redis_client.quit();
-            redis_client = null; // should force a reconnect
-            // not sure if that's the right thing but better than nothing...
-        })
-    })
-}
-
-exports.multi = function (lookup, zones, cb) {
-    if (!lookup) return cb();
-    if (!zones ) return cb();
-    if (typeof zones === 'string') zones = [ `${zones}` ];
-    const self = this;
-    const listed = [];
-
-    function redis_incr (zone) {
-        if (!self.enable_stats) return;
-
-        // Statistics: check hit overlap
-        for (const element of listed) {
-            const foo = (element === zone) ? 'TOTAL' : element;
-            redis_client.hIncrBy(`dns-list-overlap:${zone}`, foo, 1);
-        }
-    }
-
-    function zoneIter (zone, done) {
-        self.lookup(lookup, zone, (err, a) => {
-            if (a) {
-                listed.push(zone);
-                redis_incr(zone);
-            }
-            cb(err, zone, a, true);
-            done();
-        })
-    }
-    function zonesDone (err) {
-        cb(err, null, null, false);
-    }
-    async.each(zones, zoneIter, zonesDone);
-}
-
-// Return first positive or last result.
-exports.first = function (lookup, zones, cb, cb_each) {
-    if (!lookup || !zones) return cb();
-    if (typeof zones === 'string') zones = [ `${zones}` ];
-    let ran_cb = false;
-    this.multi(lookup, zones, (err, zone, a, pending) => {
-        if (zone && cb_each && typeof cb_each === 'function') {
-            cb_each(err, zone, a);
-        }
-        if (ran_cb) return;
-        if (pending && (err || !a)) return;
-
-        // has pending queries OR this one is a positive result
-        ran_cb = true;
-        cb(err, zone, a);
-    })
-}
-
-exports.check_zones = function (interval) {
-    this.disable_allowed = true;
-    if (interval) interval = parseInt(interval);
-    if ((this.zones?.length) ||
-        (this.disabled_zones?.length)) {
-        let zones = [];
-        if (this.zones?.length) zones = zones.concat(this.zones);
-        if (this.disabled_zones?.length) {
-            zones = zones.concat(this.disabled_zones);
-        }
-
-        // A DNS list should never return positive or an error for this lookup
-        // If it does, move it to the disabled list
-        this.multi('127.0.0.1', zones, (err, zone, a, pending) => {
-            if (!zone) return;
-
-            if ((!this.lookback_is_rejected && a) || (err && err.code === 'ETIMEOUT')) {
-                return this.disable_zone(zone, ((a) ? a : err.code));
-            }
-
-            // Try the test point
-            this.lookup('127.0.0.2', zone, (err2, a2) => {
-                if (!a2) {
-                    this.logwarn(`zone '${zone}' did not respond to test point (${err2})`);
-                    return this.disable_zone(zone, a2);
-                }
-                // Was this zone previously disabled?
-                if (!this.zones.includes(zone)) {
-                    this.loginfo(`re-enabling zone ${zone}`);
-                    this.zones.push(zone);
-                }
-            });
-        });
-    }
-    // Set a timer to re-test
-    if (interval && interval >= 5 && !this._interval) {
-        this.logdebug(`will re-test list zones every ${interval} minutes`);
-        this._interval = setInterval(() => {
-            this.check_zones();
-        }, (interval * 60) * 1000);
-    }
-}
-
-exports.shutdown = function () {
-    clearInterval(this._interval);
-    if (redis_client) redis_client.quit();
-}
-
-exports.disable_zone = function (zone, result) {
-    if (!zone) return false;
-    if (!this.zones) return false;
-    if (!this.zones.length) return false;
-    if (!this.disable_allowed) return false;
-
-    const idx = this.zones.indexOf(zone);
-    if (idx === -1) return false;  // not enabled
-
-    this.zones.splice(idx, 1);
-    if (!(this.disabled_zones?.length)) {
-        this.disabled_zones = [];
-    }
-    if (!this.disabled_zones.includes(zone)) {
-        this.disabled_zones.push(zone);
-    }
-    this.logwarn(`disabling zone '${zone}'${result ? `: ${result}` : ''}`);
-    return true;
-}