npm - Haraka - Versions diffs - 3.1.4 → 3.1.6 - Mend

Haraka 3.1.4 → 3.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (55) hide show

package/.prettierignore +1 -1
package/{Changes.md → CHANGELOG.md} +34 -0
package/CONTRIBUTORS.md +26 -26
package/README.md +68 -93
package/SECURITY.md +178 -0
package/bin/haraka +7 -14
package/config/plugins +0 -3
package/docs/Connection.md +126 -39
package/docs/CoreConfig.md +92 -74
package/docs/HAProxy.md +41 -25
package/docs/Logging.md +68 -38
package/docs/Outbound.md +124 -179
package/docs/Plugins.md +38 -59
package/docs/Transaction.md +78 -83
package/docs/Tutorial.md +122 -209
package/docs/plugins/aliases.md +1 -141
package/docs/plugins/auth/auth_ldap.md +2 -39
package/docs/plugins/max_unrecognized_commands.md +4 -18
package/docs/plugins/process_title.md +3 -3
package/docs/plugins/reseed_rng.md +11 -13
package/docs/plugins/tls.md +7 -7
package/docs/plugins/toobusy.md +10 -4
package/docs/tutorials/SettingUpOutbound.md +40 -48
package/endpoint.js +32 -2
package/outbound/hmail.js +3 -2
package/outbound/index.js +3 -0
package/package.json +21 -34
package/plugins/queue/smtp_forward.js +4 -4
package/run_tests +3 -15
package/server.js +17 -7
package/smtp_client.js +8 -6
package/test/connection.js +234 -0
package/test/endpoint.js +32 -4
package/test/host_pool.js +57 -31
package/test/logger.js +75 -135
package/test/outbound/bounce_net_errors.js +87 -131
package/test/outbound/bounce_rfc3464.js +177 -254
package/test/outbound/hmail.js +19 -0
package/test/outbound/index.js +189 -0
package/test/outbound/queue.js +92 -0
package/test/plugins/auth/auth_base.js +39 -44
package/test/plugins/auth/auth_vpopmaild.js +8 -9
package/test/plugins/queue/smtp_forward.js +953 -183
package/test/plugins/rcpt_to.host_list_base.js +58 -93
package/test/plugins/rcpt_to.in_host_list.js +126 -175
package/test/plugins/record_envelope_addresses.js +8 -8
package/test/plugins/status.js +10 -10
package/test/plugins/tls.js +9 -19
package/test/plugins/xclient.js +75 -110
package/test/plugins.js +10 -13
package/test/rfc1869.js +50 -70
package/test/server.js +438 -421
package/test/smtp_client.js +1192 -218
package/test/tls_socket.js +242 -0
package/tls_socket.js +18 -22

package/test/server.js CHANGED Viewed

@@ -1,124 +1,203 @@
-const assert = require('node:assert')
+'use strict'
+const { describe, it, beforeEach, afterEach } = require('node:test')
+const assert = require('node:assert/strict')
+const { createHmac } = require('node:crypto')
+const net = require('node:net')
 const path = require('node:path')
+const tls = require('node:tls')
+const constants = require('haraka-constants')
 const endpoint = require('../endpoint')
 const message = require('haraka-email-message')
+const { get_client } = require('../smtp_client')
-const _set_up = (done) => {
-    this.config = require('haraka-config')
-    this.server = require('../server')
-    done()
-}
-const _setupServer = (ip_port, done) => {
-    process.env.YES_REALLY_DO_DISCARD = 1 // for queue/discard plugin
-    process.env.HARAKA_TEST_DIR = path.resolve('test')
-    // test sets the default path for plugin instances to the test dir
-    const test_cfg_path = path.resolve('test')
-    this.server = require('../server')
-    this.config = require('haraka-config').module_config(test_cfg_path)
-    this.server.logger.loglevel = 6 // INFO
+// ─── CRAM-MD5 helper ──────────────────────────────────────────────────────────
-    // set the default path for the plugin loader
-    this.server.config = this.config.module_config(test_cfg_path)
-    this.server.plugins.config = this.config.module_config(test_cfg_path)
-    // this.server.outbound.config = this.config.module_config(this_cfg_path);
-    this.server.load_smtp_ini()
-    this.server.cfg.main.listen = ip_port
-    this.server.cfg.main.smtps_port = 2465
-    this.server.load_default_tls_config(() => {
-        this.server.createServer({})
-        setTimeout(() => {
-            done()
-        }, 200)
-    })
+/** Compute a CRAM-MD5 response to a server challenge. */
+const cramMd5Response = (user, pass, challenge) => {
+    const decoded = Buffer.from(challenge, 'base64').toString()
+    const hmac = createHmac('md5', pass).update(decoded).digest('hex')
+    return Buffer.from(`${user} ${hmac}`).toString('base64')
 }
-const _tearDownServer = (done) => {
-    delete process.env.YES_REALLY_DO_DISCARD
-    delete process.env.HARAKA_TEST_DIR
-    this.server.stopListeners()
-    this.server.plugins.registered_hooks = {}
-    setTimeout(() => {
-        done()
-    }, 200)
-}
+// ─── Server lifecycle helpers ─────────────────────────────────────────────────
-describe('server', () => {
-    describe('get_listen_addrs', () => {
-        beforeEach(_set_up)
+const setupServer = (ip_port) =>
+    new Promise((resolve) => {
+        process.env.YES_REALLY_DO_DISCARD = '1'
+        process.env.HARAKA_TEST_DIR = path.resolve('test')
+        const test_cfg_path = path.resolve('test')
-        it('IPv4 fully qualified', () => {
-            const listeners = this.server.get_listen_addrs({
-                listen: '127.0.0.1:25',
-            })
-            assert.deepEqual(['127.0.0.1:25'], listeners)
-        })
+        this.server = require('../server')
+        this.config = require('haraka-config').module_config(test_cfg_path)
+        this.server.logger.loglevel = 6
+        this.server.config = this.config.module_config(test_cfg_path)
+        this.server.plugins.config = this.config.module_config(test_cfg_path)
-        it('IPv4, default port', () => {
-            const listeners = this.server.get_listen_addrs({
-                listen: '127.0.0.1',
-            })
-            assert.deepEqual(['127.0.0.1:25'], listeners)
-        })
+        this.server.load_smtp_ini()
+        this.server.cfg.main.listen = ip_port
+        this.server.cfg.main.smtps_port = 2465
-        it('IPv4, custom port', () => {
-            const listeners = this.server.get_listen_addrs({ listen: '127.0.0.1' }, 250)
-            assert.deepEqual(['127.0.0.1:250'], listeners)
+        this.server.load_default_tls_config(() => {
+            this.server.createServer({})
+            setTimeout(resolve, 200)
         })
+    })
-        it('IPv6 fully qualified', () => {
-            const listeners = this.server.get_listen_addrs({
-                listen: '[::1]:25',
-            })
-            assert.deepEqual(['[::1]:25'], listeners)
-        })
+const tearDownServer = () =>
+    new Promise((resolve) => {
+        delete process.env.YES_REALLY_DO_DISCARD
+        delete process.env.HARAKA_TEST_DIR
+        this.server.stopListeners()
+        this.server.plugins.registered_hooks = {}
+        setTimeout(resolve, 200)
+    })
-        it('IPv6, default port', () => {
-            const listeners = this.server.get_listen_addrs({ listen: '[::1]' })
-            assert.deepEqual(['[::1]:25'], listeners)
-        })
+// ─── SMTP session helper ──────────────────────────────────────────────────────
+/**
+ * Deliver a message via smtp_client and return a Promise that resolves on
+ * acceptance (dot event) or rejects on any SMTP error (bad_code event).
+ *
+ * When `user`/`pass` are provided, CRAM-MD5 authentication is performed
+ * before sending the message.
+ */
+const sendMessage = ({
+    host = '127.0.0.1',
+    port,
+    from = '<test@haraka.local>',
+    to = '<discard@haraka.local>',
+    user,
+    pass,
+    body = 'Hello from smtp_client test',
+} = {}) =>
+    new Promise((resolve, reject) => {
+        get_client(
+            { notes: {} },
+            (client) => {
+                let credsSent = false
+                client
+                    .on('greeting', (cmd) => client.send_command(cmd, host))
+                    .on('helo', () => {
+                        if (user && !credsSent) {
+                            client.authenticating = true
+                            client.send_command('AUTH', 'CRAM-MD5')
+                        } else {
+                            client.send_command('MAIL', `FROM:${from}`)
+                        }
+                    })
+                    .on('auth', () => {
+                        if (client.authenticated) {
+                            client.send_command('MAIL', `FROM:${from}`)
+                        } else if (!credsSent) {
+                            credsSent = true
+                            const resp = cramMd5Response(user, pass, client.response[0])
+                            // Write CRAM-MD5 response directly (no command prefix)
+                            client.command = 'auth'
+                            client.response = []
+                            client.socket.write(`${resp}\r\n`)
+                        }
+                    })
+                    .on('mail', () => client.send_command('RCPT', `TO:${to}`))
+                    .on('rcpt', () => client.send_command('DATA'))
+                    .on('data', () => {
+                        const stream = new message.stream({ main: { spool_after: 1024 } }, 'testId')
+                        stream.on('end', () => client.socket.write('.\r\n'))
+                        stream.add_line('Subject: test\r\n')
+                        stream.add_line('\r\n')
+                        stream.add_line(`${body}\r\n`)
+                        stream.add_line_end()
+                        client.start_data(stream)
+                    })
+                    .on('dot', () => {
+                        client.release()
+                        resolve()
+                    })
+                    .on('bad_code', (code, msg) => {
+                        client.release()
+                        reject(new Error(`${code} ${msg}`))
+                    })
+            },
+            { host, port, connect_timeout: 5 },
+        )
+    })
-        it('IPv6, custom port', () => {
-            const listeners = this.server.get_listen_addrs({ listen: '[::1]' }, 250)
-            assert.deepEqual(['[::1]:250'], listeners)
-        })
+// ─── Tests ────────────────────────────────────────────────────────────────────
-        it('IPv4 & IPv6 fully qualified', () => {
-            const listeners = this.server.get_listen_addrs({
-                listen: '127.0.0.1:25,[::1]:25',
-            })
-            assert.deepEqual(['127.0.0.1:25', '[::1]:25'], listeners)
+describe('server', () => {
+    // ── get_listen_addrs ──────────────────────────────────────────────────────
+    describe('get_listen_addrs', () => {
+        beforeEach(() => {
+            this.config = require('haraka-config')
+            this.server = require('../server')
         })
-        it('IPv4 & IPv6, default port', () => {
-            const listeners = this.server.get_listen_addrs({
-                listen: '127.0.0.1:25,[::1]',
+        const cases = [
+            {
+                desc: 'IPv4 fully qualified',
+                args: [{ listen: '127.0.0.1:25' }],
+                expected: ['127.0.0.1:25'],
+            },
+            {
+                desc: 'IPv4, default port',
+                args: [{ listen: '127.0.0.1' }],
+                expected: ['127.0.0.1:25'],
+            },
+            {
+                desc: 'IPv4, custom port',
+                args: [{ listen: '127.0.0.1' }, 250],
+                expected: ['127.0.0.1:250'],
+            },
+            {
+                desc: 'IPv6 fully qualified',
+                args: [{ listen: '[::1]:25' }],
+                expected: ['[::1]:25'],
+            },
+            {
+                desc: 'IPv6, default port',
+                args: [{ listen: '[::1]' }],
+                expected: ['[::1]:25'],
+            },
+            {
+                desc: 'IPv6, custom port',
+                args: [{ listen: '[::1]' }, 250],
+                expected: ['[::1]:250'],
+            },
+            {
+                desc: 'IPv4 & IPv6 fully qualified',
+                args: [{ listen: '127.0.0.1:25,[::1]:25' }],
+                expected: ['127.0.0.1:25', '[::1]:25'],
+            },
+            {
+                desc: 'IPv4 & IPv6, default port',
+                args: [{ listen: '127.0.0.1:25,[::1]' }],
+                expected: ['127.0.0.1:25', '[::1]:25'],
+            },
+            {
+                desc: 'IPv4 & IPv6, custom port',
+                args: [{ listen: '127.0.0.1,[::1]' }, 250],
+                expected: ['127.0.0.1:250', '[::1]:250'],
+            },
+        ]
+        for (const { desc, args, expected } of cases) {
+            it(desc, () => {
+                assert.deepEqual(this.server.get_listen_addrs(...args), expected)
             })
-            assert.deepEqual(['127.0.0.1:25', '[::1]:25'], listeners)
-        })
-        it('IPv4 & IPv6, custom port', () => {
-            const listeners = this.server.get_listen_addrs(
-                {
-                    listen: '127.0.0.1,[::1]',
-                },
-                250,
-            )
-            assert.deepEqual(['127.0.0.1:250', '[::1]:250'], listeners)
-        })
+        }
     })
+    // ── load_smtp_ini ─────────────────────────────────────────────────────────
     describe('load_smtp_ini', () => {
-        beforeEach(_set_up)
+        beforeEach(() => {
+            this.config = require('haraka-config')
+            this.server = require('../server')
+        })
         it('saves settings to Server.cfg', () => {
             this.server.load_smtp_ini()
-            // console.log(this.server.cfg);
             const c = this.server.cfg.main
             assert.notEqual(c.daemonize, undefined)
             assert.notEqual(c.daemon_log_file, undefined)
@@ -126,387 +205,325 @@ describe('server', () => {
         })
     })
+    // ── get_smtp_server ───────────────────────────────────────────────────────
     describe('get_smtp_server', () => {
-        beforeEach((done) => {
-            this.config = require('haraka-config')
-            this.config = this.config.module_config(path.resolve('test'))
+        beforeEach(async () => {
+            this.config = require('haraka-config').module_config(path.resolve('test'))
             this.server = require('../server')
             this.server.config = this.config
             this.server.plugins.config = this.config
-            this.server.load_default_tls_config(() => {
-                setTimeout(() => {
-                    done()
-                }, 200)
+            await new Promise((resolve) => {
+                this.server.load_default_tls_config(() => setTimeout(resolve, 200))
             })
         })
-        it('gets a net server object', (done) => {
-            this.server.get_smtp_server(endpoint('0.0.0.0:2501'), 10).then((server) => {
-                if (!server) {
-                    console.error('unable to bind to 0.0.0.0:2501')
-                    if (process.env.CI) return // can't bind to IP/port (fails on Travis)
-                }
-                assert.ok(server)
-                assert.equal(server.has_tls, false)
-                server.getConnections((err, count) => {
-                    assert.equal(0, count)
-                    done()
-                })
-            })
+        it('gets a net server object', async () => {
+            const server = await this.server.get_smtp_server(endpoint('0.0.0.0:2501'), 10)
+            if (!server) {
+                if (process.env.CI) return
+                assert.fail('unable to bind to 0.0.0.0:2501')
+            }
+            assert.ok(server)
+            assert.equal(server.has_tls, false)
+            const count = await new Promise((res) => server.getConnections((err, n) => res(n)))
+            assert.equal(count, 0)
         })
-        it('gets a TLS net server object', (done) => {
+        it('gets a TLS net server object', async () => {
             this.server.cfg.main.smtps_port = 2502
-            this.server.get_smtp_server(endpoint('0.0.0.0:2502'), 10).then((server) => {
-                if (!server) {
-                    console.error('unable to bind to 0.0.0.0:2502')
-                    if (process.env.CI) return // can't bind to IP/port (fails on Travis)
-                }
-                assert.ok(server)
-                assert.equal(server.has_tls, true)
-                server.getConnections((err, count) => {
-                    assert.equal(0, count)
-                    done()
-                })
-            })
+            const server = await this.server.get_smtp_server(endpoint('0.0.0.0:2502'), 10)
+            if (!server) {
+                if (process.env.CI) return
+                assert.fail('unable to bind to 0.0.0.0:2502')
+            }
+            assert.ok(server)
+            assert.equal(server.has_tls, true)
+            const count = await new Promise((res) => server.getConnections((err, n) => res(n)))
+            assert.equal(count, 0)
         })
     })
+    // ── get_http_docroot ──────────────────────────────────────────────────────
     describe('get_http_docroot', () => {
-        beforeEach(_set_up)
+        beforeEach(() => {
+            this.config = require('haraka-config')
+            this.server = require('../server')
+        })
         it('gets a fs path', () => {
             assert.ok(this.server.get_http_docroot())
         })
     })
-    describe('smtp_client', () => {
-        beforeEach((done) => {
-            _setupServer('localhost:2500', done)
+    describe('lifecycle helpers', () => {
+        beforeEach(() => {
+            this.server = require('../server')
+            this.server.cfg = this.server.cfg || { main: {} }
+            this.server.cfg.main = this.server.cfg.main || {}
         })
-        afterEach(_tearDownServer)
+        it('init_child_respond OK path starts HTTP listeners', () => {
+            let called = 0
+            const original = this.server.setup_http_listeners
+            this.server.setup_http_listeners = () => {
+                called++
+            }
+            try {
+                this.server.init_child_respond(constants.ok)
+                assert.equal(called, 1)
+            } finally {
+                this.server.setup_http_listeners = original
+            }
+        })
-        it('accepts SMTP message', () => {
-            const server = { notes: {} }
-            const cfg = {
-                connect_timeout: 2,
+        it('init_child_respond error path kills master and exits', () => {
+            process.env.CLUSTER_MASTER_PID = '12345'
+            const originalKill = process.kill
+            const originalDump = this.server.logger.dump_and_exit
+            let killed = null
+            let exitCode = null
+            process.kill = (pid) => {
+                killed = pid
             }
+            this.server.logger.dump_and_exit = (code) => {
+                exitCode = code
+            }
+            try {
+                this.server.init_child_respond(constants.deny, 'nope')
+                assert.equal(killed, '12345')
+                assert.equal(exitCode, 1)
+            } finally {
+                process.kill = originalKill
+                this.server.logger.dump_and_exit = originalDump
+                delete process.env.CLUSTER_MASTER_PID
+            }
+        })
-            const smtp_client = require('../smtp_client')
-            smtp_client.get_client(
-                server,
-                (client) => {
-                    client
-                        .on('greeting', (command) => {
-                            client.send_command('HELO', 'haraka.local')
-                        })
-                        .on('helo', () => {
-                            client.send_command('MAIL', 'FROM:<test@haraka.local>')
-                        })
-                        .on('mail', () => {
-                            client.send_command('RCPT', 'TO:<nobody-will-see-this@haraka.local>')
-                        })
-                        .on('rcpt', () => {
-                            client.send_command('DATA')
-                        })
-                        .on('data', () => {
-                            const message_stream = new message.stream({ main: { spool_after: 1024 } }, 'theMessageId')
-                            message_stream.on('end', () => {
-                                client.socket.write('.\r\n')
-                            })
-                            message_stream.add_line('Header: test\r\n')
-                            message_stream.add_line('\r\n')
-                            message_stream.add_line('I am body text\r\n')
-                            message_stream.add_line_end()
-                            client.start_data(message_stream)
-                        })
-                        .on('dot', () => {
-                            assert.ok(1)
-                            client.release()
-                        })
-                        .on('bad_code', (code, msg) => {
-                            client.release()
-                        })
-                },
-                { port: 2500, host: 'localhost', cfg },
-            )
+        it('listening applies configured uid/gid and marks ready', () => {
+            this.server.cfg.main.group = 'staff'
+            this.server.cfg.main.user = 'nobody'
+            const originalGetGid = process.getgid
+            const originalSetGid = process.setgid
+            const originalGetUid = process.getuid
+            const originalSetUid = process.setuid
+            const calls = { setgid: 0, setuid: 0 }
+            process.getgid = () => 20
+            process.setgid = () => {
+                calls.setgid++
+            }
+            process.getuid = () => 501
+            process.setuid = () => {
+                calls.setuid++
+            }
+            try {
+                this.server.listening()
+                assert.equal(calls.setgid, 1)
+                assert.equal(calls.setuid, 1)
+                assert.equal(this.server.ready, 1)
+            } finally {
+                process.getgid = originalGetGid
+                process.setgid = originalSetGid
+                process.getuid = originalGetUid
+                process.setuid = originalSetUid
+                delete this.server.cfg.main.group
+                delete this.server.cfg.main.user
+            }
         })
-    })
-    describe('nodemailer', () => {
-        beforeEach((done) => {
-            _setupServer('127.0.0.1:2503', done)
+        it('sendToMaster calls receiveAsMaster when not clustered', () => {
+            const originalCluster = this.server.cluster
+            const originalReceive = this.server.receiveAsMaster
+            const seen = []
+            this.server.cluster = null
+            this.server.receiveAsMaster = (cmd, params) => {
+                seen.push([cmd, params])
+            }
+            try {
+                this.server.sendToMaster('flushQueue', ['example.com'])
+                assert.deepEqual(seen[0], ['flushQueue', ['example.com']])
+            } finally {
+                this.server.cluster = originalCluster
+                this.server.receiveAsMaster = originalReceive
+            }
         })
-        afterEach(_tearDownServer)
+        it('receiveAsMaster ignores invalid commands and executes valid ones', () => {
+            const errors = []
+            const originalLogError = this.server.logerror
+            this.server.logerror = (msg) => errors.push(msg)
+            this.server._testCommand = (a, b) => {
+                this.server.notes.received = [a, b]
+            }
+            try {
+                this.server.receiveAsMaster('notACommand', [])
+                assert.equal(errors.length > 0, true)
+                this.server.receiveAsMaster('_testCommand', ['x', 'y'])
+                assert.deepEqual(this.server.notes.received, ['x', 'y'])
+            } finally {
+                this.server.logerror = originalLogError
+                delete this.server._testCommand
+            }
+        })
+    })
-        it('accepts SMTP message', (done) => {
-            const nodemailer = require('nodemailer')
-            const transporter = nodemailer.createTransport({
-                host: '127.0.0.1',
-                port: 2503,
-                tls: {
-                    // do not fail on invalid certs
-                    rejectUnauthorized: false,
-                },
-            })
-            transporter.sendMail(
-                {
-                    from: '"Testalicious Matt" <harakamail@gmail.com>',
-                    to: 'nobody-will-see-this@haraka.local',
-                    envelope: {
-                        from: 'Haraka Test <test@haraka.local>',
-                        to: 'Discard Queue <discard@haraka.local>',
-                    },
-                    subject: 'Hello ✔',
-                    text: 'Hello world ?',
-                    html: '<b>Hello world ?</b>',
-                },
-                (error, info) => {
-                    if (error) {
-                        console.log(error)
-                        return
-                    }
-                    assert.deepEqual(info.accepted, ['discard@haraka.local'])
-                    console.log(`Message sent: ${info.response}`)
-                    done()
-                },
-            )
+    describe('HTTP helpers', () => {
+        beforeEach(() => {
+            this.server = require('../server')
         })
-        it('accepts authenticated SMTP', (done) => {
-            const nodemailer = require('nodemailer')
-            const transporter = nodemailer.createTransport({
-                host: '127.0.0.1',
-                port: 2503,
-                auth: {
-                    user: 'matt',
-                    pass: 'goodPass',
-                },
-                requireTLS: true,
-                tls: {
-                    // do not fail on invalid certs
-                    rejectUnauthorized: false,
+        it('handle404 serves html/json/text based on request accepts', () => {
+            const makeReq = (kind) => ({
+                accepts(type) {
+                    return type === kind
                 },
             })
-            transporter.sendMail(
-                {
-                    from: '"Testalicious Matt" <harakamail@gmail.com>',
-                    to: 'nobody-will-see-this@haraka.local',
-                    envelope: {
-                        from: 'Haraka Test <test@haraka.local>',
-                        to: 'Discard Queue <discard@haraka.local>',
-                    },
-                    subject: 'Hello ✔',
-                    text: 'Hello world ?',
-                    html: '<b>Hello world ?</b>',
+            const responses = []
+            const makeRes = () => ({
+                status(code) {
+                    responses.push({ code })
+                    return this
                 },
-                (error, info) => {
-                    if (error) {
-                        console.log(error)
-                        return
-                    }
-                    assert.deepEqual(info.accepted, ['discard@haraka.local'])
-                    console.log(`Message sent: ${info.response}`)
-                    done()
+                sendFile(name, opts) {
+                    responses.push({ type: 'html', name, opts })
                 },
-            )
-        })
-        it('rejects invalid auth', (done) => {
-            const nodemailer = require('nodemailer')
-            const transporter = nodemailer.createTransport({
-                host: '127.0.0.1',
-                port: 2503,
-                auth: {
-                    user: 'matt',
-                    pass: 'badPass',
-                },
-                tls: {
-                    // do not fail on invalid certs
-                    rejectUnauthorized: false,
+                send(body) {
+                    responses.push({ type: 'body', body })
                 },
             })
-            transporter.sendMail(
-                {
-                    from: '"Testalicious Matt" <harakamail@gmail.com>',
-                    to: 'nobody-will-see-this@haraka.local',
-                    envelope: {
-                        from: 'Haraka Test <test@haraka.local>',
-                        to: 'Discard Queue <discard@haraka.local>',
-                    },
-                    subject: 'Hello ✔',
-                    text: 'Hello world ?',
-                    html: '<b>Hello world ?</b>',
-                },
-                (error, info) => {
-                    if (error) {
-                        assert.equal(error.code, 'EAUTH')
-                        // console.log(error);
-                        return done()
-                    }
-                    console.log(info.response)
-                    done()
-                },
-            )
-        })
+            this.server.handle404(makeReq('html'), makeRes())
+            this.server.handle404(makeReq('json'), makeRes())
+            this.server.handle404(makeReq('none'), makeRes())
-        it('DKIM validates signed message', (done) => {
-            const nodemailer = require('nodemailer')
-            const transporter = nodemailer.createTransport({
-                host: '127.0.0.1',
-                port: 2503,
-                tls: {
-                    // do not fail on invalid certs
-                    rejectUnauthorized: false,
-                },
-            })
+            assert.equal(responses[0].code, 404)
+            assert.equal(responses[1].type, 'html')
+            assert.equal(responses[3].type, 'body')
+            assert.deepEqual(responses[3].body, { err: 'Not found' })
+            assert.equal(responses[5].body, 'Not found!')
+        })
-            transporter.sendMail(
-                {
-                    from: '"Testalicious Matt" <harakamail@gmail.com>',
-                    to: 'nobody-will-see-this@haraka.local',
-                    envelope: {
-                        from: 'Haraka Test <test@haraka.local>',
-                        to: 'Discard Queue <discard@haraka.local>',
-                    },
-                    subject: 'Hello ✔',
-                    text: 'Hello world ?',
-                    html: '<b>Hello world ?</b>',
-                    dkim: {
-                        domainName: 'test.simerson.com',
-                        keySelector: 'harakatest2017',
-                        privateKey:
-                            '-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAxqoUAnQ9GB3iNnkS7coj0Iggd0nyryW062tpK95NC5UXmmAwIpUMfkYdiHY2o2duWYGF0Bp237M/QXKhJYTXfsgkwP/bq9OGWtRZxHPHhbhdjbiI\nqObi6zvYcxrI77gpWDDvruhMeS9Hwa1R99pLUWd4PsuYTzbV/jwu2pz+XZXXXNEU\nVxzDAAj0yF7mwxHMLzQfR+hdhWcrgN0stUP0o7hm7hoOP8IWgcSW3JiQYavIKoI4\nm4+I9I1LzDJN2rHVnQvmjUrqqpG7X6SyFVFtuTWGaMqf1Cj/t8eSvU9VdgLFllS8\ntThqUZHq5S5hm8M8VzLuQLG9U0dtFolcFmJkbQIDAQABAoIBAB4fUbNhjpXmihM6\nXm1htfZ7fXi45Kw76me7vJGjPklgTNjidsn3kZJf7UBwtC4ok6nMos6ABMA8fH3e\n9KIst0QI8tG0ucke5INHKWlJKNqUrtK7RTVe9M84HsStLgRzBwnRObZqkJXbXmT2\nc7RCDCOGrcvPsQNpzB6lX3FUVpk3x24RXpQV1qSgH8yuHSPc1C6rssXwPAgnESfS\nK3MHRx2CLZvTTkq/YCsT+wS/O9RWPCVOYuWaa5DDDAIp3Yw1wYq9Upoh0BdIFC3U\nWm+5Cr3o9wxcvS6+W2RA6I51eymzvCU5ZakWt/bnUDb6/ByxsWOn5rL4WfPpCwE4\nnuC72v0CgYEA9imEq6a0GoaEsMoR7cxT7uXKimQH+Jaq3CGkuh0iN32F4FXhuUKz\nLYKSLCZzpb1MiDJv6BBchV6uSQ6ATo1cZ8WzYQISikk175bf0SPom591OZElvKA2\nSOrTrXtbl33YbWZEgyEcpTgelVi5ys9rj4eKkMvM0lwRmW6gctEFXRcCgYEAzpqc\nR/wqPjgPhpF1CZtdEwOZg4kkOig8CBcuQ7o/hDG7N69A9ZbeJO8eD+gKDrHRfkYr\nTH/UdkZGjilBk/lxnpIZpyBLxQ6UdhNPuwtxXKAvuSN+aQ0pdJn8tg03OSj2OzTK\nJ4hMsO/wt1xM8EDRobLZEosMadaYZUHzx8VU5RsCgYEAvFZbuXEcT0cocpLIUOaK\nOTf7VRLfvmSYaUAcZoEv0sDpExDiWPodWO6To8/vn5lL2tCsKiOKhkhAlIjRxkgF\nsSfj7I7HXKJS7/LBX6RXrem8qMTS2JTDs9pnBk5hb3DLjDg4pxNIdWiQjbeKvw8f\nvnr3m30yQqhKlte7Tt15exUCgYBzq7RbyR6Nfy2SFdYE7usJPjawohOaS/RwQyov\n2RK+nGlJH+GqnjD5VLbsCOm4mG3F2NtdFSSKo4XVCdwhUMMAGKQsIbTKOwN7qAw3\nmIx7Y2PUr76SakAPfDc0ZenJItnZBBE6WOE3Ht8Siaa5zFCRy2QlMZxdlTv1VRt7\neUuyiQKBgQDdXJO5+3h1HPxbYZcmNm/2CJUNw2ehU8vCiBXCcWPn7JukayHx+TXy\nyj0j/b1SvmKgjB+4JWluiqIU+QBjRjvb397QY1YoCEaGZd0zdFjTZwQksQ5AFst9\nCiD9OFXe/kkmIUQQra6aw1CoppyAfvAblp8uevLWb57xU3VUB3xeGg==\n-----END RSA PRIVATE KEY-----\n',
-                    },
-                },
-                (error, info) => {
-                    // console.log(info);
-                    if (error) {
-                        console.log(error)
-                        return
-                    }
-                    assert.deepEqual(info.accepted, ['discard@haraka.local'])
-                    console.log(`Message sent: ${info.response}`)
-                    done()
-                },
-            )
+        it('init_http_respond logs and returns when ws is unavailable', () => {
+            const Module = require('node:module')
+            const originalRequire = Module.prototype.require
+            const originalLogError = this.server.logerror
+            const errors = []
+            this.server.logerror = (msg) => {
+                errors.push(msg)
+            }
+            this.server.http = { server: {} }
+            Module.prototype.require = function (id) {
+                if (id === 'ws') throw new Error('ws missing')
+                return originalRequire.apply(this, arguments)
+            }
+            try {
+                this.server.init_http_respond()
+                assert.equal(errors.length > 0, true)
+            } finally {
+                Module.prototype.require = originalRequire
+                this.server.logerror = originalLogError
+            }
         })
     })
-    describe('requireAuthorized_SMTPS', () => {
-        beforeEach((done) => {
-            _setupServer('127.0.0.1:2465', done)
-        })
+    // ── SMTP sessions ─────────────────────────────────────────────────────────
+    describe('SMTP sessions', () => {
+        beforeEach(async () => setupServer('127.0.0.1:2503'))
+        afterEach(async () => tearDownServer())
-        afterEach(_tearDownServer)
+        it('accepts plain SMTP message', async () => {
+            await sendMessage({ port: 2503 })
+        })
-        it('rejects non-validated SMTPS connection', (done) => {
-            const nodemailer = require('nodemailer')
-            const transporter = nodemailer.createTransport({
-                host: '127.0.0.1',
-                port: 2465,
-                secure: true,
-                tls: {
-                    // do not fail on invalid certs
-                    rejectUnauthorized: false,
-                },
-            })
+        it('accepts CRAM-MD5 authenticated SMTP', async () => {
+            await sendMessage({ port: 2503, user: 'matt', pass: 'goodPass' })
+        })
-            // give the SMTPS listener a second to start listening
-            setTimeout(() => {
-                transporter.sendMail(
-                    {
-                        from: '"Testalicious Matt" <harakamail@gmail.com>',
-                        to: 'nobody-will-see-this@haraka.local',
-                        envelope: {
-                            from: 'Haraka Test <test@haraka.local>',
-                            to: 'Discard Queue <discard@haraka.local>',
-                        },
-                        subject: 'Hello ✔',
-                        text: 'Hello world ?',
-                        html: '<b>Hello world ?</b>',
-                    },
-                    (error, info) => {
-                        if (error) {
-                            // console.log(error);
-                            if (error.message === 'socket hang up') {
-                                // node 6 & 8
-                                assert.equal(error.message, 'socket hang up')
-                            } else if (/alert certificate required/.test(error.message)) {
-                                // node 18
-                                assert.ok(/alert certificate required/.test(error.message))
-                            } else {
-                                // node 10+
-                                assert.equal(
-                                    error.message,
-                                    'Client network socket disconnected before secure TLS connection was established',
-                                )
-                            }
-                        }
-                        done()
-                    },
-                )
-            }, 500)
+        it('rejects invalid CRAM-MD5 credentials', async () => {
+            await assert.rejects(() => sendMessage({ port: 2503, user: 'matt', pass: 'badPass' }), /5\d\d/)
         })
-    })
-    describe('requireAuthorized_STARTTLS', () => {
-        beforeEach((done) => {
-            _setupServer('127.0.0.1:2587', done)
+        it('accepts message with custom headers', async () => {
+            await sendMessage({
+                port: 2503,
+                from: '<sender@haraka.local>',
+                to: '<discard@haraka.local>',
+                body: 'X-Custom: test-value\r\n\r\nBody text',
+            })
         })
+    })
-        it('rejects non-validated STARTTLS connection', (done) => {
-            const nodemailer = require('nodemailer')
-            const transporter = nodemailer.createTransport({
-                host: '127.0.0.1',
-                port: 2587,
-                secure: false,
-                tls: {
-                    // do not fail on invalid certs
+    // ── requireAuthorized: SMTPS (implicit TLS) ───────────────────────────────
+    describe('requireAuthorized_SMTPS', () => {
+        beforeEach(async () => setupServer('127.0.0.1:2465'))
+        afterEach(async () => tearDownServer())
+        it('rejects non-validated SMTPS connection', async () => {
+            // Port 2465 is configured as SMTPS with requireAuthorized.
+            // In TLSv1.3 the handshake completes (secureConnect fires), then the server
+            // sends a post-handshake "certificate required" alert as a socket error.
+            const err = await new Promise((resolve) => {
+                const socket = tls.connect({
+                    host: '127.0.0.1',
+                    port: 2465,
                     rejectUnauthorized: false,
-                },
+                })
+                socket.on('error', resolve)
+                // secureConnect may fire before the post-handshake alert; keep waiting.
+                socket.on('secureConnect', () => {})
+                setTimeout(() => {
+                    socket.destroy()
+                    resolve(new Error('timeout'))
+                }, 3000)
             })
+            assert.ok(
+                /socket hang up|disconnected before secure TLS|alert certificate required/.test(err.message),
+                `unexpected error: ${err.message}`,
+            )
+        })
+    })
-            // give the SMTPS listener a half second to start listening
-            setTimeout(() => {
-                transporter.sendMail(
-                    {
-                        from: '"Testalicious Matt" <harakamail@gmail.com>',
-                        to: 'nobody-will-see-this@haraka.local',
-                        envelope: {
-                            from: 'Haraka Test <test@haraka.local>',
-                            to: 'Discard Queue <discard@haraka.local>',
-                        },
-                        subject: 'Hello ✔',
-                        text: 'Hello world ?',
-                        html: '<b>Hello world ?</b>',
-                    },
-                    (error, info) => {
-                        if (error) {
-                            // console.log(error);
-                            if (/alert certificate required/.test(error.message)) {
-                                // node 18
-                                assert.ok(/alert certificate required/.test(error.message))
-                            } else {
-                                assert.equal(
-                                    error.message,
-                                    'Client network socket disconnected before secure TLS connection was established',
-                                )
-                            }
+    // ── requireAuthorized: STARTTLS ───────────────────────────────────────────
+    describe('requireAuthorized_STARTTLS', () => {
+        beforeEach(async () => setupServer('127.0.0.1:2587'))
+        afterEach(async () => tearDownServer())
+        it('rejects non-validated STARTTLS connection', async () => {
+            // Port 2587 is plain SMTP; requireAuthorized enforces mutual TLS on STARTTLS upgrade.
+            // In TLSv1.3 secureConnect fires first, then the server sends a post-handshake
+            // "certificate required" alert. Use raw sockets to observe the TLS error.
+            // (smtp_client's upgrade path silently swallows the post-upgrade error.)
+            const err = await new Promise((resolve) => {
+                const sock = net.connect({ host: '127.0.0.1', port: 2587 })
+                let state = 'greeting'
+                let buf = ''
+                sock.on('data', (d) => {
+                    buf += d.toString()
+                    for (const line of buf.split('\r\n').slice(0, -1)) {
+                        buf = buf.slice(line.length + 2)
+                        if (line[3] === '-') continue // multi-line continuation
+                        if (state === 'greeting') {
+                            sock.write('EHLO test\r\n')
+                            state = 'ehlo'
+                        } else if (state === 'ehlo') {
+                            sock.write('STARTTLS\r\n')
+                            state = 'starttls'
+                        } else if (state === 'starttls') {
+                            state = 'tls'
+                            const cleartext = tls.connect({ socket: sock, rejectUnauthorized: false })
+                            cleartext.on('secureConnect', () => {})
+                            cleartext.on('error', resolve)
+                            cleartext.on('close', () => resolve(new Error('closed without error')))
                         }
-                        done()
-                    },
-                )
-            }, 500)
+                    }
+                })
+                sock.on('error', resolve)
+                setTimeout(() => resolve(new Error('timeout')), 3000)
+            })
+            assert.ok(
+                /alert certificate required|socket hang up|disconnected/.test(err.message),
+                `unexpected error: ${err.message}`,
+            )
         })
     })
 })