Haraka 3.0.5 → 3.1.0

package/docs/plugins/early_talker.md

@@ -1,22 +0,0 @@
-early\_talker
-============
-
-Early talkers are violators of the SMTP specification, which require that
-clients must wait for certain responses before sending the next command.
-
-This plugin introduces a configurable delay before the connection banner
-and after the DATA command for Haraka to detect if it talks early.
-
-If an early talker is detected at connection or DATA, then a DENY is
-returned with the message 'You talk too soon'.
-
-Configuration
--------------
-
-The config file early\_talker.ini has two options:
-
-- pause: the delay in seconds before each SMTP command. Default is no pause.
-
-- reject: whether or not to reject for early talkers. Default is true;
-
-- [ip_whitelist]: list of IP addresses and/or subnets to whitelist

package/docs/plugins/mail_from.is_resolvable.md

@@ -1,29 +0,0 @@
-mail\_from.is\_resolvable
-=======================
-
-This plugin checks that the domain used in MAIL FROM is resolvable to an MX
-record.
-
-Configuration
--------------
-
-This plugin uses the INI-style file format and accepts the following options:
-
-* timeout
-
-  Default: 30
-  
-  Maximum limit in seconds for queries to complete.  If the timeout is
-  reached a TEMPFAIL is returned to the client.
-
-* allow\_mx\_ip=[0|1]
-
-  Allow MX records that return IP addresses instead of hostnames.
-  This is not allowed as per the RFC, but some MTAs allow it.
-
-* reject\_no\_mx=[0|1]
-
-  Return DENY and reject the command if no MX record is found.  Otherwise a
-  DENYSOFT (TEMPFAIL) is returned and the client will retry later.
-  
-  DNS errors always return DENYSOFT, so this should be safe to enable.

package/plugins/early_talker.js

@@ -1,155 +0,0 @@
-// This plugin checks for clients that talk before we sent a response
-
-const { isIPv6 } = require('node:net');
-
-const ipaddr = require('ipaddr.js');
-
-exports.register = function () {
-    this.load_config();
-    this.register_hook('connect_init', 'early_talker');
-    this.register_hook('data',         'early_talker');
-}
-
-exports.load_config = function () {
-
-    this.cfg = this.config.get('early_talker.ini', {
-        booleans: [
-            '+main.reject'
-        ]
-    },
-    () => {
-        this.load_config();
-    });
-
-    // Generate a white list of IP addresses
-    this.whitelist = this.load_ip_list(Object.keys(this.cfg.ip_whitelist));
-
-    if (this.cfg.main?.pause) {
-        this.pause = this.cfg.main.pause * 1000;
-        return;
-    }
-
-    // config/early_talker.pause is in milliseconds
-    this.pause = this.config.get('early_talker.pause', () => {
-        this.load_config();
-    });
-}
-
-exports.early_talker = function (next, connection) {
-    const plugin = this;
-    if (!plugin.pause) return next();
-    if (!plugin.should_check(connection)) return next();
-
-    function check () {
-        if (!connection) return next();
-        if (!connection.early_talker) {
-            connection.results.add(plugin, {pass: 'early'});
-            return next();
-        }
-        connection.results.add(plugin, {fail: 'early'});
-        if (!plugin.cfg.main.reject) return next();
-        return next(DENYDISCONNECT, "You talk too soon");
-    }
-
-    let { pause } = plugin;
-    if (plugin.hook === 'connect_init') {
-        const elapsed = (Date.now() - connection.start_time);
-        if (elapsed > plugin.pause) {
-            // Something else already waited
-            return check();
-        }
-        pause = plugin.pause - elapsed;
-    }
-
-    setTimeout(() => { check(); }, pause);
-}
-
-
-/**
- * Check if an ip is whitelisted
- *
- * @param  {String} ip       The remote IP to verify
- * @return {Boolean}         True if is whitelisted
- */
-exports.ip_in_list = function (ip) {
-
-    if (!this.whitelist) return false;
-
-    const ipobj = ipaddr.parse(ip);
-
-    for (const element of this.whitelist) {
-        try {
-            if (ipobj.match(element)) {
-                return true;
-            }
-        }
-        catch (ignore) {
-        }
-    }
-    return false;
-}
-
-
-/**
- * Convert config ip to ipaddr objects
- *
- * @param  {Array} list A list of IP addresses / subnets
- * @return {Array}      The converted array
- */
-exports.load_ip_list = list => {
-    const whitelist = [];
-
-    for (const element of list) {
-        try {
-            let addr = element;
-            if (addr.match(/\/\d+$/)) {
-                addr = ipaddr.parseCIDR(addr);
-            }
-            else {
-                addr = ipaddr.parseCIDR(addr + ((isIPv6(addr)) ? '/128' : '/32'));
-            }
-
-            whitelist.push(addr);
-        }
-        catch (ignore) {
-        }
-    }
-    return whitelist;
-}
-
-exports.should_check = function (connection) {
-    // Skip delays for privileged senders
-
-    if (connection.notes.auth_user) {
-        connection.results.add(this, { skip: 'authed'});
-        return false;
-    }
-
-    if (connection.relaying) {
-        connection.results.add(this, { skip: 'relay'});
-        return false;
-    }
-
-    if (this.ip_in_list(connection.remote.ip)) {
-        connection.results.add(this, { skip: 'whitelist' });
-        return false;
-    }
-
-    const karma = connection.results.get('karma');
-    if (karma && karma.good > 0) {
-        connection.results.add(this, { skip: '+karma' });
-        return false;
-    }
-
-    if (connection.remote.is_local) {
-        connection.results.add(this, { skip: 'local_ip'});
-        return false;
-    }
-
-    if (connection.remote.is_private) {
-        connection.results.add(this, { skip: 'private_ip'});
-        return false;
-    }
-
-    return true;
-}

package/plugins/mail_from.is_resolvable.js

@@ -1,132 +0,0 @@
-'use strict';
-
-// Check MAIL FROM domain is resolvable to an MX
-const net = require('node:net');
-
-const net_utils = require('haraka-net-utils');
-
-exports.register = function () {
-    this.load_ini();
-}
-
-exports.load_ini = function () {
-    this.cfg = this.config.get('mail_from.is_resolvable.ini', {
-        booleans: [
-            '-main.allow_mx_ip',
-            '+reject.no_mx',
-        ],
-    }, () => {
-        this.load_ini();
-    });
-
-    // compat. Sunset 4.0
-    if (this.cfg.main.reject_no_mx) {
-        this.cfg.reject.no_mx = this.cfg.main.reject_no_mx
-    }
-
-    if (isNaN(this.cfg.main.timeout)) {
-        this.cfg.main.timeout = 29;
-    }
-
-    if (this.timeout) {
-        if (this.timeout <= this.cfg.main.timeout) {
-            this.cfg.main.timeout = this.timeout - 1;
-            this.logwarn(`reducing plugin timeout to ${this.cfg.main.timeout}s`);
-        }
-    }
-
-    this.re_bogus_ip = new RegExp(this.cfg.main.re_bogus_ip ||
-            '^(?:0\\.0\\.0\\.0|255\\.255\\.255\\.255|127\\.)' );
-}
-
-exports.hook_mail = function (next, connection, params) {
-    const plugin    = this;
-    const mail_from = params[0];
-    const txn       = connection?.transaction;
-    if (!txn) return next();
-    const { results } = txn;
-
-    // ignore MAIL FROM without an @
-    if (!mail_from.host) {
-        results.add(plugin, {skip: 'null host'});
-        return next();
-    }
-
-    let called_next  = 0;
-    const domain     = mail_from.host;
-    const timeout_id = setTimeout(() => {
-        connection.logdebug(plugin, `DNS timeout resolving MX for ${domain}`);
-        called_next++;
-        if (txn) results.add(plugin, {err: `timeout(${domain})`});
-        next(DENYSOFT, 'Temporary resolver error (timeout)');
-    }, this.cfg.main.timeout * 1000);
-
-    function mxDone (code, reply) {
-        if (called_next) return;
-        clearTimeout(timeout_id);
-        called_next++;
-        next(...arguments);
-    }
-
-    function mxErr (err) {
-        if (!connection.transaction) return;
-        results.add(plugin, {err: `${domain}:${err.message}`});
-        mxDone(DENYSOFT, `Temp. resolver error (${err.code})`);
-    }
-
-    connection.logdebug(plugin, `resolving MX for domain ${domain}`)
-
-    net_utils
-        .get_mx(domain)
-        .then((exchanges) => {
-            if (!txn) return;
-
-            connection.logdebug(plugin, `${domain}: MX => ${JSON.stringify(exchanges)}`)
-
-            if (!exchanges || !exchanges.length) {
-                results.add(this, {fail: 'has_fwd_dns'});
-                return mxDone(
-                    ((this.cfg.reject.no_mx) ? DENY : DENYSOFT),
-                    'No MX for your FROM address'
-                );
-            }
-
-            if (this.cfg.main.allow_mx_ip) {
-                for (const mx of exchanges) {
-                    if (net.isIPv4(mx.exchange) && !this.re_bogus_ip.test(mx.exchange)) {
-                        txn.results.add(this, {pass: 'implicit_mx', emit: true});
-                        return mxDone()
-                    }
-                    if (net.isIPv6(mx.exchange) && !net_utils.ipv6_bogus(mx.exchange)) {
-                        txn.results.add(this, {pass: 'implicit_mx', emit: true});
-                        return mxDone()
-                    }
-                }
-            }
-
-            // filter out the implicit MX and resolve the MX hostnames
-            net_utils
-                .resolve_mx_hosts(exchanges.filter(a => !net.isIP(a.exchange)))
-                .then(resolved => {
-                    connection.logdebug(plugin, `resolved MX => ${JSON.stringify(resolved)}`);
-
-                    for (const mx of resolved) {
-                        if (net.isIPv4(mx.exchange) && !this.re_bogus_ip.test(mx.exchange)) {
-                            txn.results.add(this, {pass: 'has_fwd_dns', emit: true});
-                            return mxDone()
-                        }
-                        if (net.isIPv6(mx.exchange) && !net_utils.ipv6_bogus(mx.exchange)) {
-                            txn.results.add(this, {pass: 'has_fwd_dns', emit: true});
-                            return mxDone()
-                        }
-                    }
-
-                    mxDone(
-                        ((this.cfg.main.reject_no_mx) ? DENY : DENYSOFT),
-                        'No valid MX for your FROM address'
-                    );
-                })
-                .catch(mxErr)
-        })
-        .catch(mxErr)
-}

package/plugins/relay.js

@@ -1,207 +0,0 @@
-// relay
-//
-// documentation via: haraka -h relay
-
-const net = require('node:net');
-
-const ipaddr = require('ipaddr.js');
-
-exports.register = function () {
-
-    this.load_relay_ini();             // plugin.cfg = { }
-
-    if (this.cfg.relay.acl) {
-        this.load_acls();             // plugin.acl_allow = [..]
-        this.register_hook('connect_init', 'acl');
-        this.register_hook('connect', 'pass_relaying');
-    }
-
-    if (this.cfg.relay.force_routing || this.cfg.relay.dest_domains) {
-        this.load_dest_domains();      // plugin.dest.domains = { }
-    }
-
-    if (this.cfg.relay.force_routing) {
-        this.register_hook('get_mx', 'force_routing');
-    }
-
-    if (this.cfg.relay.dest_domains) {
-        this.register_hook('rcpt', 'dest_domains');
-    }
-
-    if (this.cfg.relay.all) {
-        this.register_hook('rcpt', 'all');
-    }
-}
-
-exports.load_relay_ini = function () {
-    this.cfg = this.config.get('relay.ini', {
-        booleans: [
-            '+relay.acl',
-            '+relay.force_routing',
-            '-relay.all',
-            '-relay.dest_domains',
-        ],
-    }, () => {
-        this.load_relay_ini();
-    });
-}
-
-exports.load_dest_domains = function () {
-    this.dest = this.config.get(
-        'relay_dest_domains.ini',
-        'ini',
-        () => { this.load_dest_domains(); }
-    );
-}
-
-exports.load_acls = function () {
-    const file_name = 'relay_acl_allow';
-
-    // load with a self-referential callback
-    this.acl_allow = this.config.get(file_name, 'list', () => {
-        this.load_acls();
-    });
-
-    for (let i=0; i<this.acl_allow.length; i++) {
-        const cidr = this.acl_allow[i].split('/');
-        if (!net.isIP(cidr[0])) {
-            this.logerror(this, `invalid entry in ${file_name}: ${cidr[0]}`);
-        }
-        if (!cidr[1]) {
-            this.logerror(this, `appending missing CIDR suffix in: ${file_name}`);
-            this.acl_allow[i] = `${cidr[0]  }/32`;
-        }
-    }
-}
-
-exports.acl = function (next, connection) {
-    if (!this.cfg.relay.acl) { return next(); }
-
-    connection.logdebug(this, `checking ${connection.remote.ip} in relay_acl_allow`);
-
-    if (!this.is_acl_allowed(connection)) {
-        connection.results.add(this, {skip: 'acl(unlisted)'});
-        return next();
-    }
-
-    connection.results.add(this, {pass: 'acl'});
-    connection.relaying = true;
-    return next(OK);
-}
-
-exports.pass_relaying = (next, connection) => {
-    if (connection.relaying) return next(OK);
-
-    next();
-}
-
-exports.is_acl_allowed = function (connection) {
-    if (!this.acl_allow) { return false; }
-    if (!this.acl_allow.length) { return false; }
-
-    const { ip } = connection.remote;
-
-    for (const item of this.acl_allow) {
-        connection.logdebug(this, `checking if ${ip} is in ${item}`);
-        const cidr = item.split('/');
-        const c_net  = cidr[0];
-        const c_mask = cidr[1] || 32;
-
-        if (!net.isIP(c_net)) continue;  // bad config entry
-        if (net.isIPv4(ip) && net.isIPv6(c_net)) continue;
-        if (net.isIPv6(ip) && net.isIPv4(c_net)) continue;
-
-        if (ipaddr.parse(ip).match(ipaddr.parse(c_net), c_mask)) {
-            connection.logdebug(this, `checking if ${ip} is in ${item}: yes`);
-            return true;
-        }
-    }
-    return false;
-}
-
-exports.dest_domains = function (next, connection, params) {
-    if (!this.cfg.relay.dest_domains) { return next(); }
-    const { relaying, transaction } = connection ?? {}
-    if (!transaction) return next();
-
-    // Skip this if the host is already allowed to relay
-    if (relaying) {
-        transaction.results.add(this, {skip: 'relay_dest_domain(relay)'});
-        return next();
-    }
-
-    if (!this.dest) {
-        transaction.results.add(this, {err: 'relay_dest_domain(no config!)'});
-        return next();
-    }
-
-    if (!this.dest.domains) {
-        transaction.results.add(this, {skip: 'relay_dest_domain(config)'});
-        return next();
-    }
-
-    const dest_domain = params[0].host;
-    connection.logdebug(this, `dest_domain = ${dest_domain}`);
-
-    const dst_cfg = this.dest.domains[dest_domain];
-    if (!dst_cfg) {
-        transaction.results.add(this, {fail: 'relay_dest_domain'});
-        return next(DENY, "You are not allowed to relay");
-    }
-
-    const { action } = JSON.parse(dst_cfg);
-    connection.logdebug(this, `found config for ${dest_domain}: ${action}`);
-
-    switch (action) {
-        case "accept":
-            // why enable relaying here? Returning next(OK) will allow the
-            // address to be considered 'local'. What advantage does relaying
-            // bring?
-            connection.relaying = true;
-            transaction.results.add(this, {pass: 'relay_dest_domain'});
-            return next(OK);
-        case "continue":
-            // why oh why? Only reason I can think of is to enable outbound.
-            connection.relaying = true;
-            transaction.results.add(this, {pass: 'relay_dest_domain'});
-            return next(CONT);  // same as next()
-        case "deny":
-            transaction.results.add(this, {fail: 'relay_dest_domain'});
-            return next(DENY, "You are not allowed to relay");
-    }
-
-    transaction.results.add(this, {fail: 'relay_dest_domain'});
-    next(DENY, "Mail for that recipient is not accepted here.");
-}
-
-exports.force_routing = function (next, hmail, domain) {
-    if (!this.cfg.relay.force_routing) { return next(); }
-    if (!this.dest) { return next(); }
-    if (!this.dest.domains) { return next(); }
-    let route = this.dest.domains[domain];
-
-    if (!route) {
-        route = this.dest.domains.any;
-        if (!route) {
-            this.logdebug(this, `using normal MX lookup for: ${domain}`);
-            return next();
-        }
-    }
-
-    const { nexthop } = JSON.parse(route);
-    if (!nexthop) {
-        this.logdebug(this, `using normal MX lookup for: ${domain}`);
-        return next();
-    }
-
-    this.logdebug(this, `using ${nexthop} for: ${domain}`);
-    next(OK, nexthop);
-}
-
-exports.all = function (next, connection, params) {
-    if (!this.cfg.relay.all) { return next(); }
-
-    connection.loginfo(this, `confirming recipient ${params[0]}`);
-    connection.relaying = true;
-    next(OK);
-}

package/test/plugins/early_talker.js

@@ -1,104 +0,0 @@
-'use strict';
-const assert = require('node:assert')
-
-const fixtures     = require('haraka-test-fixtures');
-
-const _set_up = (done) => {
-    this.plugin = new fixtures.plugin('early_talker');
-    this.plugin.cfg = { main: { reject: true } };
-
-    this.connection = fixtures.connection.createConnection();
-    done();
-}
-
-describe('early_talker', () => {
-    beforeEach(_set_up)
-
-    it('no config', (done) => {
-        this.plugin.early_talker((rc, msg) => {
-            assert.equal(rc, undefined);
-            assert.equal(msg, undefined);
-            done();
-        }, this.connection);
-    })
-
-    it('relaying', (done) => {
-        this.plugin.pause = 1;
-        this.connection.relaying = true;
-        this.plugin.early_talker((rc, msg) => {
-            assert.equal(rc, undefined);
-            assert.equal(msg, undefined);
-            done();
-        }, this.connection);
-    })
-
-    it('is an early talker', (done) => {
-        const before = Date.now();
-        this.plugin.pause = 1001;
-        this.connection.early_talker = true;
-        this.plugin.early_talker((rc, msg) => {
-            assert.ok(Date.now() >= before + 1000);
-            assert.equal(rc, DENYDISCONNECT);
-            assert.equal(msg, 'You talk too soon');
-            done();
-        }, this.connection);
-    })
-
-    it('is an early talker, reject=false', (done) => {
-        const before = Date.now();
-        this.plugin.pause = 1001;
-        this.plugin.cfg.main.reject = false;
-        this.connection.early_talker = true;
-        this.plugin.early_talker((rc, msg) => {
-            assert.ok(Date.now() >= before + 1000);
-            assert.equal(undefined, rc);
-            assert.equal(undefined, msg);
-            assert.ok(this.connection.results.has('early_talker', 'fail', 'early'));
-            done();
-        }, this.connection);
-    })
-
-    it('relay whitelisted ip', (done) => {
-        this.plugin.pause = 1000;
-        this.plugin.whitelist = this.plugin.load_ip_list(['127.0.0.1']);
-        this.connection.remote.ip = '127.0.0.1';
-        this.connection.early_talker = true;
-        this.plugin.early_talker((rc, msg) => {
-            assert.equal(undefined, rc);
-            assert.equal(undefined, msg);
-            assert.ok(this.connection.results.has('early_talker', 'skip', 'whitelist'));
-            done();
-        }, this.connection);
-    })
-
-    it('relay whitelisted subnet', (done) => {
-        this.plugin.pause = 1000;
-        this.plugin.whitelist = this.plugin.load_ip_list(['127.0.0.0/16']);
-        this.connection.remote.ip = '127.0.0.88';
-        this.connection.early_talker = true;
-        this.plugin.early_talker((rc, msg) => {
-            assert.equal(undefined, rc);
-            assert.equal(undefined, msg);
-            assert.ok(this.connection.results.has('early_talker', 'skip', 'whitelist'));
-            done();
-        }, this.connection);
-    })
-
-    it('relay good senders', (done) => {
-        this.plugin.pause = 1000;
-        this.connection.results.add('karma', {good: 10});
-        this.connection.early_talker = true;
-        this.plugin.early_talker((rc, msg) => {
-            assert.equal(undefined, rc);
-            assert.equal(undefined, msg);
-            assert.ok(this.connection.results.has('early_talker', 'skip', '+karma'));
-            done();
-        }, this.connection);
-    })
-
-    it('test loading ip list', () => {
-        const whitelist = this.plugin.load_ip_list(['123.123.123.123', '127.0.0.0/16']);
-        assert.equal(whitelist[0][1], 32);
-        assert.equal(whitelist[1][1], 16);
-    })
-})

package/test/plugins/mail_from.is_resolvable.js

@@ -1,35 +0,0 @@
-'use strict';
-const assert = require('node:assert')
-const dns = require('node:dns');
-
-const fixtures  = require('haraka-test-fixtures');
-const Address   = require('address-rfc2821').Address
-
-const _set_up = (done) => {
-
-    this.plugin = new fixtures.plugin('mail_from.is_resolvable');
-    this.plugin.register();
-
-    this.connection = fixtures.connection.createConnection();
-    this.connection.init_transaction()
-
-    done();
-}
-
-describe('mail_from.is_resolvable', () => {
-    beforeEach(_set_up)
-
-    describe('hook_mail', () => {
-        it('any.com, no err code', (done) => {
-            const txn = this.connection.transaction;
-            this.plugin.hook_mail((code, msg) => {
-                // console.log()
-                assert.deepEqual(txn.results.get('mail_from.is_resolvable').pass, ['has_fwd_dns']);
-                done();
-            },
-            this.connection, 
-            [new Address('<test@any.com>')]
-            )
-        })
-    })
-})