Haraka 3.0.3 → 3.0.4

package/package.json

@@ -9,7 +9,7 @@
     "server",
     "email"
   ],
-  "version": "3.0.3",
+  "version": "3.0.4",
   "homepage": "http://haraka.github.io",
   "repository": {
     "type": "git",
@@ -17,68 +17,76 @@
   },
   "main": "haraka.js",
   "engines": {
-    "node": ">=16"
+    "node": ">=18"
   },
   "dependencies": {
-    "address-rfc2821": "^2.1.1",
-    "address-rfc2822": "^2.1.0",
-    "async": "^3.2.5",
+    "address-rfc2821": "^2.1.2",
+    "address-rfc2822": "^2.2.2",
+    "async": "^3.2.6",
     "daemon": "~1.1.0",
-    "ipaddr.js": "~2.1.0",
-    "node-gyp": "^10.0.1",
-    "nopt": "~7.2.0",
+    "haraka-config": "^1.4.0",
+    "haraka-constants": "^1.0.7",
+    "haraka-dsn": "^1.1.0",
+    "haraka-email-message": "^1.2.3",
+    "haraka-message-stream": "^1.2.2",
+    "haraka-net-utils": "^1.7.0",
+    "haraka-notes": "^1.1.0",
+    "haraka-plugin-redis": "^2.0.7",
+    "haraka-results": "^2.2.4",
+    "haraka-tld": "^1.2.1",
+    "haraka-utils": "^1.1.3",
+    "ipaddr.js": "~2.2.0",
+    "node-gyp": "^10.2.0",
+    "nopt": "^7.2.1",
     "npid": "~0.4.0",
-    "semver": "~7.6.0",
-    "sprintf-js": "~1.1.3",
-    "haraka-config": "^1.1.0",
-    "haraka-constants": "^1.0.6",
-    "haraka-dsn": "^1.0.4",
-    "haraka-email-message": "^1.2.0",
-    "haraka-message-stream": "^1.2.0",
-    "haraka-net-utils": "^1.5.3",
-    "haraka-notes": "^1.0.6",
-    "haraka-plugin-attachment": "^1.0.7",
-    "haraka-plugin-spf": "1.2.4",
-    "haraka-plugin-redis": "^2.0.6",
-    "haraka-results": "^2.2.3",
-    "haraka-tld": "^1.2.0",
-    "haraka-utils": "^1.0.3",
-    "openssl-wrapper": "^0.3.4",
-    "sockaddr": "^1.0.1"
+    "redis": "~4.7.0",
+    "semver": "^7.6.3",
+    "sockaddr": "^1.0.1",
+    "sprintf-js": "~1.1.3"
   },
   "optionalDependencies": {
-    "haraka-plugin-access": "^1.1.5",
-    "haraka-plugin-aliases": "^1.0.1",
-    "haraka-plugin-asn": "^2.0.2",
+    "haraka-plugin-access": "^1.1.6",
+    "haraka-plugin-aliases": "^1.0.2",
+    "haraka-plugin-asn": "^2.0.3",
+    "haraka-plugin-attachment": "^1.1.2",
     "haraka-plugin-auth-ldap": "^1.1.0",
+    "haraka-plugin-avg": "^1.1.0",
+    "haraka-plugin-bounce": "1.0.2",
+    "haraka-plugin-clamd": "1.0.1",
     "haraka-plugin-dcc": "^1.0.2",
+    "haraka-plugin-dkim": "^1.0.4",
+    "haraka-plugin-dns-list": "^1.2.0",
     "haraka-plugin-elasticsearch": "^8.0.2",
+    "haraka-plugin-esets": "^1.0.0",
     "haraka-plugin-fcrdns": "^1.1.0",
+    "haraka-plugin-geoip": "^1.1.0",
     "haraka-plugin-graph": "^1.0.5",
-    "haraka-plugin-geoip": "^1.0.17",
-    "haraka-plugin-headers": "^1.0.3",
-    "haraka-plugin-karma": "^2.1.2",
-    "haraka-plugin-limit": "^1.1.1",
+    "haraka-plugin-greylist": "^1.0.0",
+    "haraka-plugin-headers": "^1.0.4",
+    "haraka-plugin-helo.checks": "^1.0.0",
+    "haraka-plugin-karma": "^2.1.5",
+    "haraka-plugin-known-senders": "^1.1.0",
+    "haraka-plugin-limit": "^1.2.5",
+    "haraka-plugin-messagesniffer": "^1.0.0",
     "haraka-plugin-p0f": "^1.0.9",
-    "haraka-plugin-qmail-deliverable": "^1.2.1",
-    "haraka-plugin-known-senders": "^1.0.9",
+    "haraka-plugin-qmail-deliverable": "^1.2.3",
     "haraka-plugin-rcpt-ldap": "^1.1.0",
     "haraka-plugin-recipient-routes": "^1.2.0",
     "haraka-plugin-rspamd": "^1.3.1",
-    "haraka-plugin-syslog": "^1.0.5",
+    "haraka-plugin-spamassassin": "^1.0.0",
+    "haraka-plugin-spf": "1.2.7",
+    "haraka-plugin-syslog": "^1.0.6",
     "haraka-plugin-uribl": "^1.0.8",
-    "haraka-plugin-watch": "^2.0.2",
+    "haraka-plugin-watch": "^2.0.4",
     "ocsp": "~1.2.0",
-    "redis": "~4.6.11",
-    "tmp": "~0.2.1"
+    "tmp": "~0.2.3"
   },
   "devDependencies": {
-    "nodeunit-x": "^0.16.0",
-    "haraka-test-fixtures": "^1.3.3",
+    "@haraka/eslint-config": "^1.1.5",
+    "haraka-test-fixtures": "^1.3.7",
+    "mocha": "^10.7.3",
     "mock-require": "^3.0.3",
-    "eslint": "^8.56.0",
-    "eslint-plugin-haraka": "^1.0.15",
-    "nodemailer": "^6.9.9"
+    "nodemailer": "^6.9.14"
   },
   "bugs": {
     "mail": "haraka.mail@gmail.com",
@@ -86,13 +94,16 @@
   },
   "bin": {
     "haraka": "./bin/haraka",
-    "dkimverify": "./bin/dkimverify",
     "haraka_grep": "./bin/haraka_grep"
   },
   "scripts": {
-    "test": "node run_tests",
-    "lint": "npx eslint *.js outbound plugins plugins/*/*.js tests tests/*/*.js tests/*/*/*.js bin/haraka bin/dkimverify",
-    "lintfix": "npx eslint --fix *.js outbound plugins plugins/*/*.js tests tests/*/*.js tests/*/*/*.js bin/haraka bin/dkimverify",
-    "versions": "npx dependency-version-checker check"
+    "format": "npm run prettier:fix && npm run lint:fix",
+    "lint": "npx eslint@^8 *.js outbound plugins plugins/*/*.js test test/*/*.js test/*/*/*.js bin/haraka",
+    "lint:fix": "npx eslint@^8 --fix *.js outbound plugins plugins/*/*.js test test/*/*.js test/*/*/*.js bin/haraka",
+    "prettier": "npx prettier . --check",
+    "prettier:fix": "npx prettier . --write --log-level=warn",
+    "test": "npx mocha --exit --timeout=4000 test test/outbound test/plugins/auth test/plugins/queue test/plugins",
+    "versions": "npx dependency-version-checker check",
+    "versions:fix": "npx dependency-version-checker update && npm run prettier:fix"
   }
 }

package/plugins/.eslintrc.yaml

@@ -1,10 +1,4 @@
 
 globals:
   server: true
-  OK: true
-  CONT: true
-  DENY: true
-  DENYSOFT: true
-  DENYDISCONNECT: true
-  DENYSOFTDISCONNECT: true
   NEXT_HOOK: true

package/plugins/auth/auth_base.js

@@ -4,7 +4,7 @@
 
 // Note: You can disable setting `connection.notes.auth_passwd` by `plugin.blankout_password = true`
 
-const crypto = require('crypto');
+const crypto = require('node:crypto');
 
 const tlds   = require('haraka-tld')
 const utils  = require('haraka-utils');
@@ -241,10 +241,12 @@ exports.auth_cram_md5 = function (next, connection, params) {
 exports.hexi = number => String(Math.abs(parseInt(number)).toString(16))
 
 exports.constrain_sender = function (next, connection, params) {
+    if (this?.cfg?.main?.constrain_sender === false) return next()
+
     const au = connection.results.get('auth')?.user
     if (!au) return next()
 
-    const ad = /@/.test(au) ? au.split('@').pop() : au
+    const ad = /@/.test(au) ? au.split('@').pop() : null
     const ed = params[0].host
 
     if (!ad || !ed) return next()

package/plugins/auth/auth_proxy.js

@@ -1,7 +1,9 @@
 // Proxy AUTH requests selectively by domain
 
-const sock  = require('./line_socket');
+const net = require('node:net')
+
 const utils = require('haraka-utils');
+const net_utils = require('haraka-net-utils')
 
 const smtp_regexp = /^(\d{3})([ -])(.*)/;
 
@@ -16,7 +18,6 @@ exports.load_tls_ini = function () {
     });
 }
 
-
 exports.hook_capabilities = (next, connection) => {
     if (connection.tls.enabled) {
         const methods = [ 'PLAIN', 'LOGIN' ];
@@ -54,7 +55,8 @@ exports.try_auth_proxy = function (connection, hosts, user, passwd, cb) {
     }
 
     const self = this;
-    const host = hosts.shift();
+    let [ host, port ] = hosts.shift().split(':'); /* eslint prefer-const: 0 */
+    if (!port) port = 25
     let methods = [];
     let auth_complete = false;
     let auth_success = false;
@@ -62,27 +64,27 @@ exports.try_auth_proxy = function (connection, hosts, user, passwd, cb) {
     let response = [];
     let secure = false;
 
-    const hostport = host.split(/:/);
-    const socket = sock.connect(((hostport[1]) ? hostport[1] : 25), hostport[0]);
-    connection.logdebug(self, `attempting connection to host=${hostport[0]} port=${(hostport[1]) ? hostport[1] : 25}`);
+    const socket = net.connect({ host, port });
+    net_utils.add_line_processor(socket)
+    connection.logdebug(this, `attempting connection to host=${host} port=${port}`);
     socket.setTimeout(30 * 1000);
     socket.on('connect', () => { });
     socket.on('close', () => {
         if (!auth_complete) {
             // Try next host
-            return self.try_auth_proxy(connection, hosts, user, passwd, cb);
+            return this.try_auth_proxy(connection, hosts, user, passwd, cb);
         }
-        connection.loginfo(self, `AUTH user="${user}" host="${host}" success=${auth_success}`);
-        return cb(auth_success);
+        connection.loginfo(this, `AUTH user="${user}" host="${host}" success=${auth_success}`);
+        cb(auth_success);
     });
     socket.on('timeout', () => {
-        connection.logerror(self, "connection timed out");
+        connection.logerror(this, "connection timed out");
         socket.end();
         // Try next host
-        return self.try_auth_proxy(connection, hosts, user, passwd, cb);
+        this.try_auth_proxy(connection, hosts, user, passwd, cb);
     });
     socket.on('error', err => {
-        connection.logerror(self, `connection failed to host ${host}: ${err}`);
+        connection.logerror(this, `connection failed to host ${host}: ${err}`);
         socket.end();
     });
     socket.send_command = function (cmd, data) {

package/plugins/auth/auth_vpopmaild.js

@@ -1,6 +1,6 @@
 // Auth against vpopmaild
 
-const net    = require('net');
+const net = require('node:net');
 
 exports.register = function () {
     this.inherits('auth/auth_base');

package/plugins/block_me.js

@@ -3,7 +3,7 @@
 // in the mail_from.blocklist file. You need to be running the
 // mail_from.blocklist plugin for this to work fully.
 
-const fs    = require('fs');
+const fs    = require('node:fs');
 const utils = require('haraka-utils');
 
 exports.hook_data = (next, connection) => {

package/plugins/data.signatures.js

@@ -3,9 +3,7 @@
 
 exports.hook_data = (next, connection) => {
     // enable mail body parsing
-    if (!connection?.transaction) return next();
-
-    connection.transaction.parse_body = true;
+    if (connection?.transaction) connection.transaction.parse_body = true;
     next();
 }
 
@@ -17,7 +15,7 @@ exports.hook_data_post = function (next, connection) {
     if (check_sigs(sigs, connection.transaction.body)) {
         return next(DENY, "Mail matches a known spam signature");
     }
-    return next();
+    next();
 }
 
 function check_sigs (sigs, body) {

package/plugins/early_talker.js

@@ -1,7 +1,8 @@
 // This plugin checks for clients that talk before we sent a response
 
+const { isIPv6 } = require('node:net');
+
 const ipaddr = require('ipaddr.js');
-const { isIPv6 } = require('net');
 
 exports.register = function () {
     this.load_config();

package/plugins/mail_from.is_resolvable.js

@@ -1,8 +1,7 @@
 'use strict';
 
 // Check MAIL FROM domain is resolvable to an MX
-const dns = require('dns');
-const net = require('net');
+const net = require('node:net');
 
 const net_utils = require('haraka-net-utils');
 
@@ -14,12 +13,17 @@ exports.load_ini = function () {
     this.cfg = this.config.get('mail_from.is_resolvable.ini', {
         booleans: [
             '-main.allow_mx_ip',
-            '+main.reject_no_mx',
+            '+reject.no_mx',
         ],
     }, () => {
         this.load_ini();
     });
 
+    // compat. Sunset 4.0
+    if (this.cfg.main.reject_no_mx) {
+        this.cfg.reject.no_mx = this.cfg.main.reject_no_mx
+    }
+
     if (isNaN(this.cfg.main.timeout)) {
         this.cfg.main.timeout = 29;
     }
@@ -40,163 +44,89 @@ exports.hook_mail = function (next, connection, params) {
     const mail_from = params[0];
     const txn       = connection?.transaction;
     if (!txn) return next();
-    const { results }   = txn;
+    const { results } = txn;
 
-    // Check for MAIL FROM without an @ first - ignore those here
+    // ignore MAIL FROM without an @
     if (!mail_from.host) {
         results.add(plugin, {skip: 'null host'});
         return next();
     }
 
     let called_next  = 0;
-    const domain       = mail_from.host;
-    const c            = plugin.cfg.main;
-    const timeout_id   = setTimeout(() => {
-        // DNS answer didn't return (UDP)
-        connection.loginfo(plugin, `timed out resolving MX for ${domain}`);
+    const domain     = mail_from.host;
+    const timeout_id = setTimeout(() => {
+        connection.logdebug(plugin, `DNS timeout resolving MX for ${domain}`);
         called_next++;
         if (txn) results.add(plugin, {err: `timeout(${domain})`});
         next(DENYSOFT, 'Temporary resolver error (timeout)');
-    }, c.timeout * 1000);
+    }, this.cfg.main.timeout * 1000);
 
     function mxDone (code, reply) {
         if (called_next) return;
         clearTimeout(timeout_id);
         called_next++;
-        next(code, reply);
+        next(...arguments);
     }
 
-    // IS: IPv6 compatible
-    net_utils.get_mx(domain, (err, addresses) => {
-        if (!txn) return;
-        if (err && plugin.mxErr(connection, domain, 'MX', err, mxDone)) return;
+    function mxErr (err) {
+        if (!connection.transaction) return;
+        results.add(plugin, {err: `${domain}:${err.message}`});
+        mxDone(DENYSOFT, `Temp. resolver error (${err.code})`);
+    }
 
-        if (!addresses || !addresses.length) {
-            // Check for implicit MX 0 record
-            return plugin.implicit_mx(connection, domain, mxDone);
-        }
+    connection.logdebug(plugin, `resolving MX for domain ${domain}`)
 
-        // Verify that the MX records resolve to valid addresses
-        let records = {};
-        let pending_queries = 0;
-        function check_results () {
-            if (pending_queries !== 0) return;
-
-            records = Object.keys(records);
-            if (records?.length) {
-                connection.logdebug(plugin, `${domain}: ${records}`);
-                results.add(plugin, {pass: 'has_fwd_dns'});
-                return mxDone();
-            }
-            results.add(plugin, {fail: 'has_fwd_dns'});
-            return mxDone(((c.reject_no_mx) ? DENY : DENYSOFT),
-                'MX without A/AAAA records');
-        }
+    net_utils
+        .get_mx(domain)
+        .then((exchanges) => {
+            if (!txn) return;
 
-        addresses.forEach(addr => {
-            // Handle MX records that are IP addresses
-            // This is invalid - but a lot of MTAs allow it.
-            if (net_utils.get_ipany_re('^\\[','\\]$','').test(addr.exchange)) {
-                connection.logwarn(plugin, `${domain}: invalid MX ${addr.exchange}`);
-                if (c.allow_mx_ip) {
-                    records[addr.exchange] = 1;
-                }
-                return;
+            connection.logdebug(plugin, `${domain}: MX => ${JSON.stringify(exchanges)}`)
+
+            if (!exchanges || !exchanges.length) {
+                results.add(this, {fail: 'has_fwd_dns'});
+                return mxDone(
+                    ((this.cfg.reject.no_mx) ? DENY : DENYSOFT),
+                    'No MX for your FROM address'
+                );
             }
-            pending_queries++;
-            net_utils.get_ips_by_host(addr.exchange, (err2, addresses2) => {
-                pending_queries--;
-                if (!txn) return;
-                if (err2 && err2.length === 2) {
-                    results.add(plugin, {msg: err2[0].message});
-                    connection.logdebug(plugin, `${domain}: MX ${addr.priority} ${addr.exchange} => ${err2[0].message}`);
-                    check_results();
-                    return;
-                }
-                connection.logdebug(plugin, `${domain}: MX ${addr.priority} ${addr.exchange} => ${addresses2}`);
-                for (const element of addresses2) {
-                    // Ignore anything obviously bogus
-                    if (net.isIPv4(element)){
-                        if (plugin.re_bogus_ip.test(element)) {
-                            connection.logdebug(plugin, `${addr.exchange}: discarding ${element}`);
-                            continue;
-                        }
+
+            if (this.cfg.main.allow_mx_ip) {
+                for (const mx of exchanges) {
+                    if (net.isIPv4(mx.exchange) && !this.re_bogus_ip.test(mx.exchange)) {
+                        txn.results.add(this, {pass: 'implicit_mx', emit: true});
+                        return mxDone()
                     }
-                    if (net.isIPv6(element)){
-                        if (net_utils.ipv6_bogus(element)) {
-                            connection.logdebug(plugin, `${addr.exchange}: discarding ${element}`);
-                            continue;
-                        }
+                    if (net.isIPv6(mx.exchange) && !net_utils.ipv6_bogus(mx.exchange)) {
+                        txn.results.add(this, {pass: 'implicit_mx', emit: true});
+                        return mxDone()
                     }
-                    records[element] = 1;
-                }
-                check_results();
-            });
-        });
-        // In case we don't run any queries
-        check_results();
-    });
-}
-
-exports.mxErr = function (connection, domain, type, err, mxDone) {
-
-    const txn = connection?.transaction;
-    if (!txn) return;
-
-    txn.results.add(this, {msg: `${domain}:${type}:${err.message}`});
-    connection.logdebug(this, `${domain}:${type} => ${err.message}`);
-    switch (err.code) {
-        case dns.NXDOMAIN:
-        case dns.NOTFOUND:
-        case dns.NODATA:
-            // Ignore
-            break;
-        default:
-            mxDone(DENYSOFT, `Temp. resolver error (${err.code})`);
-            return true;
-    }
-    return false;
-}
-
-// IS: IPv6 compatible
-exports.implicit_mx = function (connection, domain, mxDone) {
-    const txn = connection?.transaction;
-    if (!txn) return;
-
-    net_utils.get_ips_by_host(domain, (err, addresses) => {
-        if (!txn) return;
-        if (!addresses || !addresses.length) {
-            txn.results.add(this, {fail: 'has_fwd_dns'});
-            return mxDone(((this.cfg.main.reject_no_mx) ? DENY : DENYSOFT),
-                'No MX for your FROM address');
-        }
-
-        connection.logdebug(this, `${domain}: A/AAAA => ${addresses}`);
-        let records = {};
-        for (const addr of addresses) {
-            // Ignore anything obviously bogus
-            if (net.isIPv4(addr)) {
-                if (this.re_bogus_ip.test(addr)) {
-                    connection.logdebug(this, `${domain}: discarding ${addr}`);
-                    continue;
-                }
-            }
-            if (net.isIPv6(addr)) {
-                if (net_utils.ipv6_bogus(addr)) {
-                    connection.logdebug(this, `${domain}: discarding ${addr}`);
-                    continue;
                 }
             }
-            records[addr] = true;
-        }
 
-        records = Object.keys(records);
-        if (records?.length) {
-            txn.results.add(this, {pass: 'implicit_mx'});
-            return mxDone();
-        }
+            // filter out the implicit MX and resolve the MX hostnames
+            net_utils
+                .resolve_mx_hosts(exchanges.filter(a => !net.isIP(a.exchange)))
+                .then(resolved => {
+                    connection.logdebug(plugin, `resolved MX => ${JSON.stringify(resolved)}`);
 
-        txn.results.add(this, {fail: `implicit_mx(${domain})`});
-        return mxDone();
-    });
+                    for (const mx of resolved) {
+                        if (net.isIPv4(mx.exchange) && !this.re_bogus_ip.test(mx.exchange)) {
+                            txn.results.add(this, {pass: 'has_fwd_dns', emit: true});
+                            return mxDone()
+                        }
+                        if (net.isIPv6(mx.exchange) && !net_utils.ipv6_bogus(mx.exchange)) {
+                            txn.results.add(this, {pass: 'has_fwd_dns', emit: true});
+                            return mxDone()
+                        }
+                    }
+
+                    mxDone(
+                        ((this.cfg.main.reject_no_mx) ? DENY : DENYSOFT),
+                        'No valid MX for your FROM address'
+                    );
+                })
+                .catch(mxErr)
+        })
+        .catch(mxErr)
 }

package/plugins/queue/deliver.js

@@ -1,13 +1,12 @@
-// This plugin is now entirely redundant. The core will queue outbound mails
+// This plugin is entirely redundant. The core will queue outbound mails
 // automatically just like this. It is kept here for backwards compatibility
 // purposes only.
 
 const outbound = require('./outbound');
 
 exports.hook_queue_outbound = (next, connection) => {
-    if (!connection?.relaying) {
-        return next(); // we're not relaying so don't deliver outbound
-    }
+    // if not relaying, don't deliver outbound
+    if (!connection?.relaying) return next();
 
-    outbound.send_email(connection?.transaction, next);
+    outbound.send_trans_email(connection?.transaction, next);
 }

package/plugins/queue/lmtp.js

@@ -19,29 +19,26 @@ exports.hook_get_mx = function (next, hmail, domain) {
 
     if (!hmail.todo.notes.using_lmtp) return next();
 
-    const mx = { using_lmtp: true, priority: 0, exchange: '127.0.0.1' };
-
     const section = this.cfg[domain] || this.cfg.main;
-    if (section.path) {
-        Object.assign(mx, { path: section.path });
-        return next(OK, mx);
-    }
 
-    Object.assign(mx, {
-        exchange: section.host || '127.0.0.1',
-        port: section.port || 24,
-    });
+    const mx = {
+        using_lmtp: true,
+        priority: 0,
+        exchange: section.host ?? '127.0.0.1',
+        port: section.port ?? 24,
+    };
+
+    if (section.path) mx.path = section.path;
 
-    return next(OK, mx);
+    next(OK, mx);
 }
 
 exports.hook_queue = (next, connection) => {
     const txn = connection?.transaction;
     if (!txn) return next();
 
-    const q_wants = txn.notes.get('queue.wants');
-    if (q_wants && q_wants !== 'lmtp') return next();
+    if (txn.notes.get('queue.wants') !== 'lmtp') return next();
 
     txn.notes.using_lmtp = true;
-    outbound.send_email(txn, next);
+    outbound.send_trans_email(txn, next);
 }

package/plugins/queue/qmail-queue.js

@@ -1,7 +1,7 @@
 // Queue to qmail-queue
 
-const childproc = require('child_process');
-const fs        = require('fs');
+const childproc = require('node:child_process');
+const fs        = require('node:fs');
 
 exports.register = function () {
 

package/plugins/queue/quarantine.js

@@ -1,7 +1,7 @@
 // quarantine
 
-const fs   = require('fs');
-const path = require('path');
+const fs   = require('node:fs');
+const path = require('node:path');
 
 exports.register = function () {