Haraka 3.1.0 → 3.1.2

package/plugins/auth/auth_proxy.js

@@ -2,163 +2,161 @@
 
 const net = require('node:net')
 
-const utils = require('haraka-utils');
+const utils = require('haraka-utils')
 const net_utils = require('haraka-net-utils')
 
-const smtp_regexp = /^(\d{3})([ -])(.*)/;
+const tls_socket = require('./tls_socket')
+
+const smtp_regexp = /^(\d{3})([ -])(.*)/
 
 exports.register = function () {
-    this.inherits('auth/auth_base');
-    this.load_tls_ini();
+    this.inherits('auth/auth_base')
+    this.load_tls_ini()
 }
 
 exports.load_tls_ini = function () {
     this.tls_cfg = this.config.get('tls.ini', () => {
-        this.load_tls_ini();
-    });
+        this.load_tls_ini()
+    })
 }
 
 exports.hook_capabilities = (next, connection) => {
     if (connection.tls.enabled) {
-        const methods = [ 'PLAIN', 'LOGIN' ];
-        connection.capabilities.push(`AUTH ${methods.join(' ')}`);
-        connection.notes.allowed_auth_methods = methods;
+        const methods = ['PLAIN', 'LOGIN']
+        connection.capabilities.push(`AUTH ${methods.join(' ')}`)
+        connection.notes.allowed_auth_methods = methods
     }
-    next();
+    next()
 }
 
 exports.check_plain_passwd = function (connection, user, passwd, cb) {
-    let domain = /@([^@]+)$/.exec(user);
+    let domain = /@([^@]+)$/.exec(user)
     if (domain) {
-        domain = domain[1].toLowerCase();
-    }
-    else {
+        domain = domain[1].toLowerCase()
+    } else {
         // AUTH user not in user@domain.com format
-        connection.logerror(this, `AUTH user="${user}" error="not in required format"`);
-        return cb(false);
+        connection.logerror(this, `AUTH user="${user}" error="not in required format"`)
+        return cb(false)
     }
 
     // Check if domain exists in configuration file
-    const config = this.config.get('auth_proxy.ini');
+    const config = this.config.get('auth_proxy.ini')
     if (!config.domains[domain]) {
-        connection.logerror(this, `AUTH user="${user}" error="domain '${domain}' is not defined"`);
-        return cb(false);
+        connection.logerror(this, `AUTH user="${user}" error="domain '${domain}' is not defined"`)
+        return cb(false)
     }
 
-    this.try_auth_proxy(connection, config.domains[domain].split(/[,; ]/), user, passwd, cb);
+    this.try_auth_proxy(connection, config.domains[domain].split(/[,; ]/), user, passwd, cb)
 }
 
 exports.try_auth_proxy = function (connection, hosts, user, passwd, cb) {
-    if (!hosts || (hosts && !hosts.length)) return cb(false);
+    if (!hosts || (hosts && !hosts.length)) return cb(false)
     if (typeof hosts !== 'object') {
-        hosts = [ hosts ];
+        hosts = [hosts]
     }
 
-    const self = this;
-    let [ host, port ] = hosts.shift().split(':'); /* eslint prefer-const: 0 */
+    const self = this
+    let [host, port] = hosts.shift().split(':') /* eslint prefer-const: 0 */
     if (!port) port = 25
-    let methods = [];
-    let auth_complete = false;
-    let auth_success = false;
-    let command = 'connect';
-    let response = [];
-    let secure = false;
-
-    const socket = net.connect({ host, port });
+    let methods = []
+    let auth_complete = false
+    let auth_success = false
+    let command = 'connect'
+    let response = []
+    let secure = false
+
+    const socket = tls_socket.connect({ host, port })
     net_utils.add_line_processor(socket)
-    connection.logdebug(this, `attempting connection to host=${host} port=${port}`);
-    socket.setTimeout(30 * 1000);
-    socket.on('connect', () => { });
+    connection.logdebug(this, `attempting connection to host=${host} port=${port}`)
+    socket.setTimeout(30 * 1000)
+    socket.on('connect', () => {})
     socket.on('close', () => {
         if (!auth_complete) {
             // Try next host
-            return this.try_auth_proxy(connection, hosts, user, passwd, cb);
+            return this.try_auth_proxy(connection, hosts, user, passwd, cb)
         }
-        connection.loginfo(this, `AUTH user="${user}" host="${host}" success=${auth_success}`);
-        cb(auth_success);
-    });
+        connection.loginfo(this, `AUTH user="${user}" host="${host}" success=${auth_success}`)
+        cb(auth_success)
+    })
     socket.on('timeout', () => {
-        connection.logerror(this, "connection timed out");
-        socket.end();
+        connection.logerror(this, 'connection timed out')
+        socket.end()
         // Try next host
-        this.try_auth_proxy(connection, hosts, user, passwd, cb);
-    });
-    socket.on('error', err => {
-        connection.logerror(this, `connection failed to host ${host}: ${err}`);
-        socket.end();
-    });
+        this.try_auth_proxy(connection, hosts, user, passwd, cb)
+    })
+    socket.on('error', (err) => {
+        connection.logerror(this, `connection failed to host ${host}: ${err}`)
+        socket.end()
+    })
     socket.send_command = function (cmd, data) {
-        let line = cmd + (data ? (` ${data}`) : '');
+        let line = cmd + (data ? ` ${data}` : '')
         if (cmd === 'dot') {
-            line = '.';
+            line = '.'
         }
-        connection.logprotocol(self, `C: ${line}`);
-        command = cmd.toLowerCase();
-        this.write(`${line}\r\n`);
+        connection.logprotocol(self, `C: ${line}`)
+        command = cmd.toLowerCase()
+        this.write(`${line}\r\n`)
         // Clear response buffer from previous command
-        response = [];
-    };
+        response = []
+    }
     socket.on('line', function (line) {
-        connection.logprotocol(self, `S: ${line}`);
-        const matches = smtp_regexp.exec(line);
+        connection.logprotocol(self, `S: ${line}`)
+        const matches = smtp_regexp.exec(line)
         if (!matches) {
-            connection.logerror(self, `unrecognised response: ${line}`);
-            socket.end();
-            return;
+            connection.logerror(self, `unrecognised response: ${line}`)
+            socket.end()
+            return
         }
 
-        const code = matches[1];
-        const cont = matches[2];
-        const rest = matches[3];
-        response.push(rest);
-        if (cont !== ' ') return;
+        const code = matches[1]
+        const cont = matches[2]
+        const rest = matches[3]
+        response.push(rest)
+        if (cont !== ' ') return
 
-        let key;
-        let cert;
+        let key
+        let cert
 
-        connection.logdebug(self, `command state: ${command}`);
+        connection.logdebug(self, `command state: ${command}`)
         if (command === 'ehlo') {
             if (code.startsWith('5')) {
                 // EHLO command rejected; abort
-                socket.send_command('QUIT');
-                return;
+                socket.send_command('QUIT')
+                return
             }
             // Parse CAPABILITIES
             for (const i in response) {
                 if (/^STARTTLS/.test(response[i])) {
-                    if (secure) continue;    // silly remote, we've already upgraded
+                    if (secure) continue // silly remote, we've already upgraded
                     // Use TLS opportunistically if we found the key and certificate
-                    key = self.config.get(self.tls_cfg.main.key || 'tls_key.pem', 'binary');
-                    cert = self.config.get(self.tls_cfg.main.cert || 'tls_cert.pem', 'binary');
+                    key = self.config.get(self.tls_cfg.main.key || 'tls_key.pem', 'binary')
+                    cert = self.config.get(self.tls_cfg.main.cert || 'tls_cert.pem', 'binary')
                     if (key && cert) {
                         this.on('secure', () => {
-                            if (secure) return;
-                            secure = true;
-                            socket.send_command('EHLO', connection.local.host);
-                        });
-                        socket.send_command('STARTTLS');
-                        return;
+                            if (secure) return
+                            secure = true
+                            socket.send_command('EHLO', connection.local.host)
+                        })
+                        socket.send_command('STARTTLS')
+                        return
                     }
-                }
-                else if (/^AUTH /.test(response[i])) {
+                } else if (/^AUTH /.test(response[i])) {
                     // Parse supported AUTH methods
-                    const parse = /^AUTH (.+)$/.exec(response[i]);
-                    methods = parse[1].split(/\s+/);
-                    connection.logdebug(self, `found supported AUTH methods: ${methods}`);
+                    const parse = /^AUTH (.+)$/.exec(response[i])
+                    methods = parse[1].split(/\s+/)
+                    connection.logdebug(self, `found supported AUTH methods: ${methods}`)
                     // Prefer PLAIN as it's easiest
                     if (methods.includes('PLAIN')) {
-                        socket.send_command('AUTH',`PLAIN ${utils.base64(`\0${user}\0${passwd}`)}`);
-                        return;
-                    }
-                    else if (methods.includes('LOGIN')) {
-                        socket.send_command('AUTH','LOGIN');
-                        return;
-                    }
-                    else {
+                        socket.send_command('AUTH', `PLAIN ${utils.base64(`\0${user}\0${passwd}`)}`)
+                        return
+                    } else if (methods.includes('LOGIN')) {
+                        socket.send_command('AUTH', 'LOGIN')
+                        return
+                    } else {
                         // No compatible methods; abort...
-                        connection.logdebug(self, 'no compatible AUTH methods');
-                        socket.send_command('QUIT');
-                        return;
+                        connection.logdebug(self, 'no compatible AUTH methods')
+                        socket.send_command('QUIT')
+                        return
                     }
                 }
             }
@@ -167,60 +165,57 @@ exports.try_auth_proxy = function (connection, hosts, user, passwd, cb) {
             // Handle LOGIN
             if (code.startsWith('3') && response[0] === 'VXNlcm5hbWU6') {
                 // Write to the socket directly to keep the state at 'auth'
-                this.write(`${utils.base64(user)}\r\n`);
-                response = [];
-                return;
-            }
-            else if (code.startsWith('3') && response[0] === 'UGFzc3dvcmQ6') {
-                this.write(`${utils.base64(passwd)}\r\n`);
-                response = [];
-                return;
+                this.write(`${utils.base64(user)}\r\n`)
+                response = []
+                return
+            } else if (code.startsWith('3') && response[0] === 'UGFzc3dvcmQ6') {
+                this.write(`${utils.base64(passwd)}\r\n`)
+                response = []
+                return
             }
             if (code.startsWith('5')) {
                 // Initial attempt failed; strip domain and retry.
                 const u = /^([^@]+)@.+$/.exec(user)
                 if (u) {
-                    user = u[1];
+                    user = u[1]
                     if (methods.includes('PLAIN')) {
-                        socket.send_command('AUTH', `PLAIN ${utils.base64(`\0${user}\0${passwd}`)}`);
+                        socket.send_command('AUTH', `PLAIN ${utils.base64(`\0${user}\0${passwd}`)}`)
+                    } else if (methods.includes('LOGIN')) {
+                        socket.send_command('AUTH', 'LOGIN')
                     }
-                    else if (methods.includes('LOGIN')) {
-                        socket.send_command('AUTH', 'LOGIN');
-                    }
-                    return;
-                }
-                else {
+                    return
+                } else {
                     // Don't attempt any other hosts
-                    auth_complete = true;
+                    auth_complete = true
                 }
             }
         }
         if (/^[345]/.test(code)) {
             // Got an unhandled error
-            connection.logdebug(self, `error: ${line}`);
-            socket.send_command('QUIT');
-            return;
+            connection.logdebug(self, `error: ${line}`)
+            socket.send_command('QUIT')
+            return
         }
         switch (command) {
             case 'starttls':
-                this.upgrade({ key, cert });
-                break;
+                this.upgrade({ key, cert })
+                break
             case 'connect':
-                socket.send_command('EHLO', connection.local.host);
-                break;
+                socket.send_command('EHLO', connection.local.host)
+                break
             case 'auth':
                 // AUTH was successful
-                auth_complete = true;
-                auth_success = true;
-                socket.send_command('QUIT');
-                break;
+                auth_complete = true
+                auth_success = true
+                socket.send_command('QUIT')
+                break
             case 'ehlo':
             case 'helo':
             case 'quit':
-                socket.end();
-                break;
+                socket.end()
+                break
             default:
-                throw new Error(`[auth/auth_proxy] unknown command: ${command}`);
+                throw new Error(`[auth/auth_proxy] unknown command: ${command}`)
         }
-    });
+    })
 }

package/plugins/auth/auth_vpopmaild.js

@@ -1,12 +1,12 @@
 // Auth against vpopmaild
 
-const net = require('node:net');
+const net = require('node:net')
 
 exports.register = function () {
-    this.inherits('auth/auth_base');
-    this.blankout_password=true
+    this.inherits('auth/auth_base')
+    this.blankout_password = true
 
-    this.load_vpopmaild_ini();
+    this.load_vpopmaild_ini()
 
     if (this.cfg.main.constrain_sender) {
         this.register_hook('mail', 'constrain_sender')
@@ -14,150 +14,149 @@ exports.register = function () {
 }
 
 exports.load_vpopmaild_ini = function () {
-    this.cfg = this.config.get('auth_vpopmaild.ini', {
-        booleans: [
-            '+main.constrain_sender',
-        ]
-    },
-    () => {
-        this.load_vpopmaild_ini();
-    });
+    this.cfg = this.config.get(
+        'auth_vpopmaild.ini',
+        {
+            booleans: ['+main.constrain_sender'],
+        },
+        () => {
+            this.load_vpopmaild_ini()
+        },
+    )
 }
 
 exports.hook_capabilities = function (next, connection) {
-    if (!connection.tls.enabled) return next();
+    if (!connection.tls.enabled) return next()
 
-    const methods = [ 'PLAIN', 'LOGIN' ];
-    if (this.cfg.main.sysadmin) methods.push('CRAM-MD5');
+    const methods = ['PLAIN', 'LOGIN']
+    if (this.cfg.main.sysadmin) methods.push('CRAM-MD5')
 
-    connection.capabilities.push(`AUTH ${methods.join(' ')}`);
-    connection.notes.allowed_auth_methods = methods;
+    connection.capabilities.push(`AUTH ${methods.join(' ')}`)
+    connection.notes.allowed_auth_methods = methods
 
-    next();
+    next()
 }
 
 exports.check_plain_passwd = function (connection, user, passwd, cb) {
+    let chunk_count = 0
+    let auth_success = false
 
-    let chunk_count = 0;
-    let auth_success = false;
+    const socket = this.get_vpopmaild_socket(user)
+    socket.setEncoding('utf8')
 
-    const socket = this.get_vpopmaild_socket(user);
-    socket.setEncoding('utf8');
-
-    socket.on('data', chunk => {
-        chunk_count++;
+    socket.on('data', (chunk) => {
+        chunk_count++
         if (chunk_count === 1) {
             if (/^\+OK/.test(chunk)) {
-                socket.write(`slogin ${user} ${passwd}\n\r`);
-                return;
+                socket.write(`slogin ${user} ${passwd}\n\r`)
+                return
             }
-            socket.end();
+            socket.end()
         }
         if (chunk_count === 2) {
-            if (/^\+OK/.test(chunk)) {    // slogin reply
-                auth_success = true;
-                socket.write("quit\n\r");
+            if (/^\+OK/.test(chunk)) {
+                // slogin reply
+                auth_success = true
+                socket.write('quit\n\r')
             }
-            socket.end();             // disconnect
+            socket.end() // disconnect
         }
     })
 
     socket.on('end', () => {
-        connection.loginfo(this, `AUTH user="${user}" success=${auth_success}`);
-        cb(auth_success);
+        connection.loginfo(this, `AUTH user="${user}" success=${auth_success}`)
+        cb(auth_success)
     })
 }
 
 exports.get_sock_opts = function (user) {
-
     this.sock_opts = {
         port: 89,
         host: '127.0.0.1',
         sysadmin: undefined,
-    };
+    }
 
-    const domain = (user.split('@'))[1];
-    let sect = this.cfg.main;
-    if (domain && this.cfg[domain]) sect = this.cfg[domain];
+    const domain = user.split('@')[1]
+    let sect = this.cfg.main
+    if (domain && this.cfg[domain]) sect = this.cfg[domain]
 
-    if (sect.port)     this.sock_opts.port     = sect.port;
-    if (sect.host)     this.sock_opts.host     = sect.host;
-    if (sect.sysadmin) this.sock_opts.sysadmin = sect.sysadmin;
+    if (sect.port) this.sock_opts.port = sect.port
+    if (sect.host) this.sock_opts.host = sect.host
+    if (sect.sysadmin) this.sock_opts.sysadmin = sect.sysadmin
 
-    this.logdebug(`sock: ${this.sock_opts.host}:${this.sock_opts.port}`);
-    return this.sock_opts;
+    this.logdebug(`sock: ${this.sock_opts.host}:${this.sock_opts.port}`)
+    return this.sock_opts
 }
 
 exports.get_vpopmaild_socket = function (user) {
-    this.get_sock_opts(user);
+    this.get_sock_opts(user)
 
-    const socket = new net.Socket();
-    socket.connect(this.sock_opts.port, this.sock_opts.host);
-    socket.setTimeout(300 * 1000);
-    socket.setEncoding('utf8');
+    const socket = new net.Socket()
+    socket.connect(this.sock_opts.port, this.sock_opts.host)
+    socket.setTimeout(300 * 1000)
+    socket.setEncoding('utf8')
 
     socket.on('timeout', () => {
-        this.logerror("vpopmaild connection timed out");
-        socket.end();
+        this.logerror('vpopmaild connection timed out')
+        socket.end()
     })
-    socket.on('error', err => {
-        this.logerror(`vpopmaild connection failed: ${err}`);
-        socket.end();
+    socket.on('error', (err) => {
+        this.logerror(`vpopmaild connection failed: ${err}`)
+        socket.end()
     })
     socket.on('connect', () => {
-        this.logdebug('vpopmail connected');
+        this.logdebug('vpopmail connected')
     })
-    return socket;
+    return socket
 }
 
 exports.get_plain_passwd = function (user, connection, cb) {
-
-    const socket = this.get_vpopmaild_socket(user);
+    const socket = this.get_vpopmaild_socket(user)
     if (!this.sock_opts.sysadmin) {
-        this.logerror("missing sysadmin credentials");
-        return cb(null);
+        this.logerror('missing sysadmin credentials')
+        return cb(null)
     }
 
-    const sys = this.sock_opts.sysadmin.split(':');
-    let plain_pass = null;
-    let chunk_count = 0;
+    const sys = this.sock_opts.sysadmin.split(':')
+    let plain_pass = null
+    let chunk_count = 0
 
-    socket.on('data', chunk => {
-        chunk_count++;
-        this.logdebug(`${chunk_count}\t${chunk}`);
+    socket.on('data', (chunk) => {
+        chunk_count++
+        this.logdebug(`${chunk_count}\t${chunk}`)
         if (chunk_count === 1) {
             if (/^\+OK/.test(chunk)) {
-                socket.write(`slogin ${sys[0]} ${sys[1]}\n\r`);
-                return;
+                socket.write(`slogin ${sys[0]} ${sys[1]}\n\r`)
+                return
             }
-            this.logerror("no ok to start");
-            socket.end();             // disconnect
+            this.logerror('no ok to start')
+            socket.end() // disconnect
         }
         // slogin reply
         if (chunk_count === 2) {
             if (/^\+OK/.test(chunk)) {
-                this.logdebug('login success, getting user info');
-                socket.write(`user_info ${user}\n\r`);
-                return;
+                this.logdebug('login success, getting user info')
+                socket.write(`user_info ${user}\n\r`)
+                return
             }
-            this.logerror("syadmin login failed");
-            socket.end();             // disconnect
+            this.logerror('syadmin login failed')
+            socket.end() // disconnect
         }
         if (chunk_count > 2) {
             if (/^-ERR/.test(chunk)) {
-                this.lognotice(`get_plain failed: ${chunk}`);
-                socket.end();         // disconnect
-                return;
+                this.lognotice(`get_plain failed: ${chunk}`)
+                socket.end() // disconnect
+                return
             }
             if (!/clear_text_password/.test(chunk)) {
-                return;   // pass might be in the next chunk
+                return // pass might be in the next chunk
             }
-            const pass = chunk.match(/clear_text_password\s(\S+)\s/);
-            plain_pass = pass[1];
-            socket.write("quit\n\r");
+            const pass = chunk.match(/clear_text_password\s(\S+)\s/)
+            plain_pass = pass[1]
+            socket.write('quit\n\r')
         }
-    });
+    })
     socket.on('end', () => {
-        cb(plain_pass ? plain_pass.toString() : plain_pass);
-    });
+        cb(plain_pass ? plain_pass.toString() : plain_pass)
+    })
 }

package/plugins/auth/flat_file.js

@@ -1,8 +1,8 @@
 // Auth against a flat file
 
 exports.register = function () {
-    this.inherits('auth/auth_base');
-    this.load_flat_ini();
+    this.inherits('auth/auth_base')
+    this.load_flat_ini()
 
     if (this.cfg.core.constrain_sender) {
         this.register_hook('mail', 'constrain_sender')
@@ -10,34 +10,35 @@ exports.register = function () {
 }
 
 exports.load_flat_ini = function () {
-    this.cfg = this.config.get('auth_flat_file.ini', {
-        booleans: [
-            '+core.constrain_sender',
-        ]
-    },
-    () => {
-        this.load_flat_ini();
-    });
+    this.cfg = this.config.get(
+        'auth_flat_file.ini',
+        {
+            booleans: ['+core.constrain_sender'],
+        },
+        () => {
+            this.load_flat_ini()
+        },
+    )
 
     if (this.cfg.users === undefined) this.cfg.users = {}
 }
 
 exports.hook_capabilities = function (next, connection) {
     if (!connection.remote.is_private && !connection.tls.enabled) {
-        connection.logdebug(this, "Auth disabled for insecure public connection");
-        return next();
+        connection.logdebug(this, 'Auth disabled for insecure public connection')
+        return next()
     }
 
     const methods = this.cfg.core?.methods ? this.cfg.core.methods.split(',') : null
     if (methods && methods.length > 0) {
-        connection.capabilities.push(`AUTH ${methods.join(' ')}`);
-        connection.notes.allowed_auth_methods = methods;
+        connection.capabilities.push(`AUTH ${methods.join(' ')}`)
+        connection.notes.allowed_auth_methods = methods
     }
-    next();
+    next()
 }
 
 exports.get_plain_passwd = function (user, connection, cb) {
-    if (this.cfg.users[user]) return cb(this.cfg.users[user].toString());
+    if (this.cfg.users[user]) return cb(this.cfg.users[user].toString())
 
-    cb();
+    cb()
 }