Haraka 3.1.5 → 3.1.7

package/docs/plugins/queue/smtp_proxy.md

@@ -44,8 +44,7 @@ Configuration is stored in smtp_proxy.ini in the following keys:
 
 - enable_tls=[true|yes|1]
 
-  Enable TLS with the forward host (if supported). TLS uses options from
-  the tls plugin.
+  Enable opportunistic TLS with the forward host via `STARTTLS` (if the host advertises it).
 
 - auth_type=[plain|login]
 
@@ -58,3 +57,12 @@ Configuration is stored in smtp_proxy.ini in the following keys:
 - auth_pass=PASSWORD
 
   SMTP AUTH password to use.
+
+- [tls]
+
+Client STARTTLS options are assembled by merging:
+
+1. `tls.ini` `[main]` — the global Haraka TLS config.
+2. `smtp_proxy.ini` `[tls]` — overrides. Anything set here wins.
+
+Changes to `tls.ini` require a Haraka restart to apply to the proxy path; changes to `smtp_proxy.ini` are picked up by the existing reload hook.

package/docs/plugins/reseed_rng.md

@@ -1,18 +1,16 @@
 # reseed_rng
 
-The V8 that ships with node 0.4.x uses an unsophisticated method of
-seeding its random number generator- it simply uses the current time
-in ms. Worse, that version of V8 (at least) doesn't provide a way
-to explicitly reseed the RNG.
+Reseeds `Math.random()` in each cluster worker at start-up using
+`crypto.randomBytes(256)`. Without this, workers forked at nearly the
+same time can end up with correlated PRNG state, which can produce
+UUID collisions and other "this should be impossible" bugs.
 
-In situations where multiple processes can spawn in the same
-ms, processes can be seeded with the same value, leading to bad
-problems like UUID collisions. When using the 'cluster' module, it's
-quite easy to observe this behavior.
+The plugin relies on [seedrandom](https://www.npmjs.com/package/seedrandom)
+being loaded so that `Math.seedrandom()` is available.
 
-This plugin uses David Bao's reseed.js (see http://davidbau.com/archives/2010/01/30/random_seeds_coded_hints_and_quintillions.html)
-to provide a reseedable Math.random(), and hooks the init_child event
-to reseed the RNG with a sligtly better seed at spawned-process startup
-time.
+Anyone running with `nodes=...` in `smtp.ini` (i.e. cluster mode) should
+consider enabling this plugin.
 
-All users of the 'cluster' module should consider using this plugin.
+## Configuration
+
+No configuration.

package/docs/plugins/tls.md

@@ -155,9 +155,9 @@ Specifies minimum allowable TLS protocol version to use. Example:
 
      minVersion=TLSv1.1
 
-If unset, the default is node's tls.DEFAULT_MIN_VERSION constant.
-
-(**Node.js 11.4+ required**, for older instances you can use _secureProtocol_ settings)
+If unset, the default is Node's `tls.DEFAULT_MIN_VERSION` constant
+(currently `'TLSv1.2'`). Valid values: `'TLSv1.3'`, `'TLSv1.2'`,
+`'TLSv1.1'`, `'TLSv1'`.
 
 ### honorCipherOrder
 
@@ -195,10 +195,10 @@ requireAuthorized[]=465
 
 ### secureProtocol
 
-Specifies the OpenSSL API function used for handling the TLS session. Choose
-one of the methods described at the
-[OpenSSL API page](https://www.openssl.org/docs/manmaster/ssl/ssl.html).
-The default is `SSLv23_method`.
+Legacy. Specifies the OpenSSL API function used to negotiate TLS — see
+the [OpenSSL API page](https://www.openssl.org/docs/manmaster/ssl/ssl.html).
+Prefer `minVersion` for modern setups; `secureProtocol` is only useful
+to lock to a specific historic protocol.
 
 ### requestOCSP
 

package/docs/plugins/toobusy.md

@@ -5,11 +5,17 @@ latency is too high.
 
 See https://github.com/STRML/node-toobusy for details.
 
-To use this plugin you have to install the 'toobusy-js' module by running
-'npm install toobusy-js' in your Haraka configuration directory.
+To use this plugin you must install the [`toobusy-js`](https://www.npmjs.com/package/toobusy-js)
+module — it is not bundled with Haraka. From your Haraka install
+directory:
 
-This plugin should be listed at the top of your config/plugins file so that
-it runs before any other plugin that hooks lookup_rdns.
+```sh
+npm install toobusy-js
+```
+
+This plugin registers on the `connect` hook with priority `-100`, so it
+runs ahead of other `connect`/`lookup_rdns` plugins. Listing it near the
+top of `config/plugins` is still a good idea for clarity.
 
 ## Configuration
 

package/docs/tutorials/SettingUpOutbound.md

@@ -1,70 +1,62 @@
 # Configuring Haraka For Outbound Email
 
-It is trivially easy to configure Haraka as an outbound email server. But
-first there are external things you may want to sort out:
+It is straightforward to run Haraka as an outbound (submission) mail server. Before turning on the server itself, get a few external things in order:
 
-- Get your DNS PTR record working - make sure it matches the A record of the
-  host you are sending from.
-- Consider implementing an SPF record. I don't personally do this, but some
-  people seem to think it helps.
+- **DNS PTR record** — make sure it matches the A/AAAA record of the host you are sending from. Receivers that disagree on `HELO`/PTR will treat your mail with suspicion.
+- **SPF, DKIM, and DMARC** — publish records for any domain you send from. Most receivers downgrade or reject mail without them. Haraka signs outbound with [haraka-plugin-dkim](https://github.com/haraka/haraka-plugin-dkim).
+- **Reverse DNS at the IP owner** — if your hosting provider controls the PTR, set the value through their console.
 
-There's lots of information elsewhere on the internet about getting these
-things working, and they are specific to your network and your DNS hosting.
+How to provision DNS varies by provider; the records are network-specific so no one-size-fits-all command applies.
 
-## First Some Background
+## Background
 
-Sending outbound mail through Haraka is called "relaying", and that is the
-term the internals use. The process is simple - if a plugin in Haraka tells
-the internals that this mail is to be relayed, then it gets queued in the
-"queue" directory for delivery. Then it will go through several delivery
-attempts until it is either successful or fails hard for some reason. A
-hard failure will result in a bounce email being sent to the "MAIL FROM"
-address used when connecting to Haraka. If that address also bounces then
-it is considered a "double bounce" and Haraka will log an error and drop it
-on the floor.
+Haraka treats outbound mail as "relaying". When any plugin sets `connection.relaying = true`, the message is queued for outbound delivery once `DATA` ends. The outbound engine then tries each MX in sequence; on permanent failure a DSN is generated and sent to the `MAIL FROM` address. If the DSN itself bounces, Haraka logs the "double bounce" and drops it.
 
-## The Setup
+## Setup
 
-Outbound mail servers should run on port 587 and enforce authentication. This
-is slightly different from the "old" model where there would simply be a
-check based on the connecting IP address to see if it was valid to relay.
-Note however that Haraka doesn't stop you doing it this way - we just don't
-provide a plugin to do that by default - you will have to write one. The
-reason is purely based on security and personal preference.
+Modern submission uses **implicit TLS on port 465** (RFC 8314); port 587 with `STARTTLS` is also still common. Plain port 25 is for server-to-server traffic and should not be used for submission.
 
-Let's create a new Haraka instance:
+Create a new Haraka instance:
 
-    haraka -i haraka-outbound
-    cd haraka-outbound
+```sh
+haraka -i haraka-outbound
+cd haraka-outbound
+```
 
-Now edit config/smtp.ini - change the port to 587.
+In `config/smtp.ini`, set the listener:
 
-Next we setup our plugins - all we need is the tls and auth plugin. AUTH capability is only advertised after TLS/SSL negotiation (except for connections from the local host):
+```ini
+listen=[::0]:465,[::0]:587
+smtps_port=465
+```
 
-    echo "tls
-    auth/flat_file" > config/plugins
+Anything in `smtps_port` runs implicit TLS; the other ports advertise `STARTTLS`.
 
-Now edit the flat file password file, and put in an appropriate username
-and password:
+Enable just the TLS and auth plugins. AUTH is only advertised after TLS is established (except for connections from localhost):
 
-    vi config/auth_flat_file.ini
+```sh
+cat > config/plugins <<'EOF'
+tls
+auth/flat_file
+EOF
+```
 
-See the documentation in docs/plugins/auth/flat_file.md for information about
-what can go in that file.
+Add a user to `config/auth_flat_file.ini`. See [`docs/plugins/auth/flat_file.md`](../plugins/auth/flat_file.md) for the format.
 
-Now you can start Haraka. That's all the configuration you need.
+Start Haraka:
 
-    haraka -c .
+```sh
+haraka -c .
+```
 
-Now in another window you can run swaks to test this - be sure to substitute
-an email address you can monitor in place of youremail@yourdomain.com, and the
-username and password you added for the --auth-user and --auth-password params:
+In another shell, test with [swaks](https://www.jetmore.org/john/code/swaks/) — substitute your real test address and the credentials you configured:
 
-    swaks --to youremail@yourdomain.com --from test@example.com --server localhost \
-      --port 587 --auth-user testuser --auth-password testpassword
+```sh
+swaks --to youremail@yourdomain.com --from test@example.com \
+    --server localhost --port 587 --tls \
+    --auth-user testuser --auth-password testpassword
+```
 
-Watch the output of swaks and ensure no errors have occurred. Then watch
-the recipient email address (easiest to make this your webmail account) and
-see that the email arrived.
+For port 465 (implicit TLS), use `--tls-on-connect` instead of `--tls`.
 
-You are done!
+Watch the swaks output for errors and confirm the message arrives. That's all the basic configuration you need; once you're satisfied, turn on DKIM signing for the domains you send from.

package/endpoint.js

@@ -2,12 +2,42 @@
 // Socket address parser/formatter and server binding helper
 
 const fs = require('node:fs/promises')
-const sockaddr = require('sockaddr')
+const net = require('node:net')
+
+function parseSockaddr(addr, defaultPort = 0) {
+    let match
+    if (/^[0-9]+$/.test(addr)) return { host: '::', port: parseInt(addr, 10) }
+
+    const lastColon = addr.lastIndexOf(':')
+    if (lastColon !== -1) {
+        const host = addr.slice(0, lastColon)
+        const port = addr.slice(lastColon + 1)
+
+        if (host.includes(':') && /^\d+$/.test(port) && net.isIP(host) === 6) {
+            return { host: host.toLowerCase(), port: parseInt(port, 10) }
+        }
+    }
+    if (net.isIP(addr) === 6) return { host: addr.toLowerCase(), port: defaultPort }
+
+    if ((match = /^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$/.exec(addr)))
+        return { host: match[1], port: match[2] !== undefined ? parseInt(match[2], 10) : defaultPort }
+    if ((match = /^\[([0-9a-fA-F:]+)\](?::(\d+))?$/.exec(addr)))
+        return { host: match[1].toLowerCase(), port: match[2] !== undefined ? parseInt(match[2], 10) : defaultPort }
+    if (
+        (match =
+            /^([a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?)*)(?::(\d+))?$/.exec(
+                addr,
+            ))
+    )
+        return { host: match[1].toLowerCase(), port: match[2] !== undefined ? parseInt(match[2], 10) : defaultPort }
+    if (addr.includes('/')) return { path: addr }
+    throw new Error(`Invalid socket address ${addr}`)
+}
 
 module.exports = function endpoint(addr, defaultPort) {
     try {
         if ('string' === typeof addr || 'number' === typeof addr) {
-            addr = sockaddr(addr, { defaultPort })
+            addr = parseSockaddr(addr, defaultPort)
             const match = /^(.*):([0-7]{3})$/.exec(addr.path || '')
             if (match) {
                 addr.path = match[1]

package/haraka.js

@@ -25,7 +25,7 @@ exports.version = utils.getVersion(__dirname)
 
 process.on('uncaughtException', (err) => {
     if (err.stack) {
-        err.stack.split('\n').forEach((line) => logger.crit(line))
+        for (const line of err.stack.split('\n')) logger.crit(line)
     } else {
         logger.crit(`Caught exception: ${JSON.stringify(err)}`)
     }

package/outbound/hmail.js

@@ -87,9 +87,10 @@ class HMailItem extends events.EventEmitter {
             this.file_size = stats.size
             this.read_todo()
         } catch (err) {
-            // we are fucked... guess I need somewhere for this to go
+            // The file is unreadable (deleted, permissions, I/O error) and this.todo
+            // is still null, so there is no sender to bounce to. Release the queue slot.
             this.logerror(`Error obtaining file size: ${err}`)
-            this.temp_fail('Error obtaining file size')
+            this.next_cb()
         }
     }
 
@@ -265,12 +266,12 @@ class HMailItem extends events.EventEmitter {
     }
 
     async found_mx(mxs) {
-        // support draft-delany-nullmx-02
+        // support RFC 7505 null MX
         if (mxs.length === 1 && mxs[0].priority === 0 && mxs[0].exchange === '') {
             for (const rcpt of this.todo.rcpt_to) {
                 this.extend_rcpt_with_dsn(
                     rcpt,
-                    DSN.addr_bad_dest_system(`Domain ${this.todo.domain} sends and receives no email (NULL MX)`),
+                    DSN.addr_null_mx(`Domain ${this.todo.domain} sends and receives no email (NULL MX)`),
                 )
             }
             return this.bounce(`Domain ${this.todo.domain} sends and receives no email (NULL MX)`)
@@ -458,7 +459,7 @@ class HMailItem extends events.EventEmitter {
                 } else if (r.toUpperCase() === 'ENHANCEDSTATUSCODES') {
                     smtp_properties.enh_status_codes = true
                 } else if (r.toUpperCase() === 'SMTPUTF8') {
-                    smtp_properties.smtp_utf8 = true
+                    smtp_properties.smtputf8 = true
                 } else {
                     // Check for SIZE parameter and limit
                     let matches = r.match(/^SIZE\s+(\d+)$/)
@@ -475,9 +476,9 @@ class HMailItem extends events.EventEmitter {
         }
 
         function get_reverse_path_with_params() {
-            const rp = self.todo.mail_from.format(!smtp_properties.smtp_utf8)
+            const rp = self.todo.mail_from.format(!smtp_properties.smtputf8)
             let rp_params = ''
-            if (smtp_properties.smtp_utf8 && has_non_ascii(rp)) rp_params += ' SMTPUTF8'
+            if (smtp_properties.smtputf8 && has_non_ascii(rp)) rp_params += ' SMTPUTF8'
             return `FROM:${rp}${rp_params}`
         }
 
@@ -677,12 +678,12 @@ class HMailItem extends events.EventEmitter {
                 processing_mail = false
                 // Release back to the pool and instruct it to terminate this connection
                 client_pool.release_client(socket, mx)
-                self.todo.rcpt_to.forEach((rcpt) => {
+                for (const rcpt of self.todo.rcpt_to) {
                     self.extend_rcpt_with_dsn(
                         rcpt,
                         DSN.proto_invalid_command(`Unrecognized response from upstream server: ${line}`),
                     )
-                })
+                }
                 self.bounce(`Unrecognized response from upstream server: ${line}`, { mx })
                 return
             }
@@ -719,14 +720,14 @@ class HMailItem extends events.EventEmitter {
                 }
                 // Error
                 reason = response.join(' ')
-                recipients.forEach((rcpt) => {
+                for (const rcpt of recipients) {
                     rcpt.dsn_action = 'delayed'
                     rcpt.dsn_smtp_code = code
                     rcpt.dsn_smtp_extc = extc
                     rcpt.dsn_status = extc
                     rcpt.dsn_smtp_response = response.join(' ')
                     rcpt.dsn_remote_mta = mx.exchange
-                })
+                }
                 send_command('QUIT')
                 processing_mail = false
                 return self.temp_fail(`Upstream error: ${code} ${extc ? `${extc} ` : ''}${reason}`)
@@ -755,14 +756,14 @@ class HMailItem extends events.EventEmitter {
                     }
                 } else if (processing_mail) {
                     reason = response.join(' ')
-                    recipients.forEach((rcpt) => {
+                    for (const rcpt of recipients) {
                         rcpt.dsn_action = 'delayed'
                         rcpt.dsn_smtp_code = code
                         rcpt.dsn_smtp_extc = extc
                         rcpt.dsn_status = extc
                         rcpt.dsn_smtp_response = response.join(' ')
                         rcpt.dsn_remote_mta = mx.exchange
-                    })
+                    }
                     send_command('QUIT')
                     processing_mail = false
                     return self.temp_fail(`Upstream error: ${code} ${extc ? `${extc} ` : ''}${reason}`)
@@ -802,14 +803,14 @@ class HMailItem extends events.EventEmitter {
                         }
                     }
                 } else {
-                    recipients.forEach((rcpt) => {
+                    for (const rcpt of recipients) {
                         rcpt.dsn_action = 'failed'
                         rcpt.dsn_smtp_code = code
                         rcpt.dsn_smtp_extc = extc
                         rcpt.dsn_status = extc
                         rcpt.dsn_smtp_response = response.join(' ')
                         rcpt.dsn_remote_mta = mx.exchange
-                    })
+                    }
                     send_command('QUIT')
                     processing_mail = false
                     return self.bounce(reason, { mx })
@@ -870,7 +871,7 @@ class HMailItem extends events.EventEmitter {
                 case 'mail':
                     last_recip = recipients[recip_index]
                     recip_index++
-                    send_command('RCPT', `TO:${last_recip.format(!smtp_properties.smtp_utf8)}`)
+                    send_command('RCPT', `TO:${last_recip.format(!smtp_properties.smtputf8)}`)
                     break
                 case 'rcpt':
                     if (last_recip && code.match(/^250/)) {
@@ -886,7 +887,7 @@ class HMailItem extends events.EventEmitter {
                     } else {
                         last_recip = recipients[recip_index]
                         recip_index++
-                        send_command('RCPT', `TO:${last_recip.format(!smtp_properties.smtp_utf8)}`)
+                        send_command('RCPT', `TO:${last_recip.format(!smtp_properties.smtputf8)}`)
                     }
                     break
                 case 'data': {
@@ -1035,7 +1036,7 @@ class HMailItem extends events.EventEmitter {
             msgid: `<${utils.uuid()}@${net_utils.get_primary_host_name()}>`,
         }
 
-        bounce_msg_.forEach((line) => {
+        for (let line of bounce_msg_) {
             line = line.replace(/\{(\w+)\}/g, (i, word) => values[word] || '?')
 
             if (bounce_headers_done == false && line == '') {
@@ -1045,7 +1046,7 @@ class HMailItem extends events.EventEmitter {
             } else if (bounce_headers_done == true) {
                 bounce_body_lines.push(line)
             }
-        })
+        }
 
         const escaped_chars = {
             '&': 'amp',
@@ -1058,7 +1059,7 @@ class HMailItem extends events.EventEmitter {
         }
         const escape_pattern = new RegExp(`[${Object.keys(escaped_chars).join('')}]`, 'g')
 
-        bounce_msg_html_.forEach((line) => {
+        for (let line of bounce_msg_html_) {
             line = line.replace(/\{(\w+)\}/g, (i, word) => {
                 if (word in values) {
                     return String(values[word]).replace(escape_pattern, (m) => `&${escaped_chars[m]};`)
@@ -1068,18 +1069,18 @@ class HMailItem extends events.EventEmitter {
             })
 
             bounce_html_lines.push(line)
-        })
+        }
 
-        bounce_msg_image_.forEach((line) => {
+        for (const line of bounce_msg_image_) {
             bounce_image_lines.push(line)
-        })
+        }
 
         const boundary = `boundary_${utils.uuid()}`
         const bounce_body = []
 
-        bounce_header_lines.forEach((line) => {
+        for (const line of bounce_header_lines) {
             bounce_body.push(`${line}${CRLF}`)
-        })
+        }
         bounce_body.push(
             `Content-Type: multipart/report; report-type=delivery-status;${CRLF}    boundary="${boundary}"${CRLF}`,
         )
@@ -1107,18 +1108,18 @@ class HMailItem extends events.EventEmitter {
         bounce_body.push(`--${boundary}${boundary_incr}${CRLF}`)
         bounce_body.push(`Content-Type: text/plain; charset=us-ascii${CRLF}`)
         bounce_body.push(CRLF)
-        bounce_body_lines.forEach((line) => {
+        for (const line of bounce_body_lines) {
             bounce_body.push(`${line}${CRLF}`)
-        })
+        }
         bounce_body.push(CRLF)
 
         if (bounce_html_lines.length > 1) {
             bounce_body.push(`--${boundary}${boundary_incr}${CRLF}`)
             bounce_body.push(`Content-Type: text/html; charset=us-ascii${CRLF}`)
             bounce_body.push(CRLF)
-            bounce_html_lines.forEach((line) => {
+            for (const line of bounce_html_lines) {
                 bounce_body.push(`${line}${CRLF}`)
-            })
+            }
             bounce_body.push(CRLF)
             bounce_body.push(`--${boundary}${boundary_incr}--${CRLF}`)
 
@@ -1127,9 +1128,9 @@ class HMailItem extends events.EventEmitter {
                 bounce_body.push(`--${boundary}${boundary_incr}${CRLF}`)
                 //bounce_body.push(`Content-Type: text/html; charset=us-ascii${CRLF}`);
                 //bounce_body.push(CRLF);
-                bounce_image_lines.forEach((line) => {
+                for (const line of bounce_image_lines) {
                     bounce_body.push(`${line}${CRLF}`)
-                })
+                }
                 bounce_body.push(CRLF)
                 bounce_body.push(`--${boundary}${boundary_incr}--${CRLF}`)
             }
@@ -1145,7 +1146,7 @@ class HMailItem extends events.EventEmitter {
         if (this.todo.queue_time) {
             bounce_body.push(`Arrival-Date: ${utils.date_to_str(new Date(this.todo.queue_time))}${CRLF}`)
         }
-        this.todo.rcpt_to.forEach((rcpt_to) => {
+        for (const rcpt_to of this.todo.rcpt_to) {
             bounce_body.push(CRLF)
             bounce_body.push(`Final-Recipient: rfc822;${rcpt_to.address()}${CRLF}`)
             let dsn_action = null
@@ -1207,16 +1208,16 @@ class HMailItem extends events.EventEmitter {
             if (diag_code != null) {
                 bounce_body.push(`Diagnostic-Code: ${diag_code}${CRLF}`)
             }
-        })
+        }
         bounce_body.push(CRLF)
 
         bounce_body.push(`--${boundary}${CRLF}`)
         bounce_body.push(`Content-Description: Undelivered Message Headers${CRLF}`)
         bounce_body.push(`Content-Type: text/rfc822-headers${CRLF}`)
         bounce_body.push(CRLF)
-        header.header_list.forEach((line) => {
+        for (const line of header.header_list) {
             bounce_body.push(line)
-        })
+        }
         bounce_body.push(CRLF)
 
         bounce_body.push(`--${boundary}--${CRLF}`)
@@ -1321,12 +1322,12 @@ class HMailItem extends events.EventEmitter {
     }
 
     convert_temp_failed_to_bounce(err, extra) {
-        this.todo.rcpt_to.forEach((rcpt_to) => {
+        for (const rcpt_to of this.todo.rcpt_to) {
             rcpt_to.dsn_action = 'failed'
             if (rcpt_to.dsn_status) {
                 rcpt_to.dsn_status = `${rcpt_to.dsn_status}`.replace(/^4/, '5')
             }
-        })
+        }
         return this.bounce(err, extra)
     }
 
@@ -1445,9 +1446,9 @@ class HMailItem extends events.EventEmitter {
         })
         function err_handler(err, location) {
             logger.error(this, `Error while splitting to new recipients (${location}): ${err}`)
-            hmail.todo.rcpt_to.forEach((rcpt) => {
+            for (const rcpt of hmail.todo.rcpt_to) {
                 hmail.extend_rcpt_with_dsn(rcpt, DSN.sys_unspecified(`Error splitting to new recipients: ${err}`))
-            })
+            }
             hmail.bounce(`Error splitting to new recipients: ${err}`)
         }
 
@@ -1485,9 +1486,9 @@ class HMailItem extends events.EventEmitter {
         ws.on('error', (err) => {
             logger.error(this, `Unable to write queue file (${fname}): ${err}`)
             ws.destroy()
-            hmail.todo.rcpt_to.forEach((rcpt) => {
+            for (const rcpt of hmail.todo.rcpt_to) {
                 hmail.extend_rcpt_with_dsn(rcpt, DSN.sys_unspecified(`Error re-queueing some recipients: ${err}`))
-            })
+            }
             hmail.bounce(`Error re-queueing some recipients: ${err}`)
         })
 

package/outbound/index.js

@@ -200,16 +200,16 @@ function get_deliveries(transaction) {
 
     // First get each domain
     const recips = {}
-    transaction.rcpt_to.forEach((rcpt) => {
+    for (const rcpt of transaction.rcpt_to) {
         const domain = rcpt.host
         if (!recips[domain]) {
             recips[domain] = []
         }
         recips[domain].push(rcpt)
-    })
-    Object.keys(recips).forEach((domain) => {
+    }
+    for (const domain of Object.keys(recips)) {
         deliveries.push({ domain, rcpts: recips[domain] })
-    })
+    }
     return deliveries
 }
 
@@ -248,6 +248,9 @@ exports.send_trans_email = function (transaction, next) {
 
         let todo_index = 1
 
+        // See haraka/Haraka#3551
+        await new Promise((resolve) => setImmediate(resolve))
+
         try {
             for (const deliv of deliveries) {
                 const todo = new TODOItem(deliv.domain, deliv.rcpts, transaction)

package/outbound/tls.js

@@ -8,18 +8,6 @@ const hkredis = require('haraka-plugin-redis')
 const logger = require('../logger')
 const tls_socket = require('../tls_socket')
 
-const inheritable_opts = [
-    'key',
-    'cert',
-    'ciphers',
-    'minVersion',
-    'dhparam',
-    'requestCert',
-    'honorCipherOrder',
-    'rejectUnauthorized',
-    'force_tls_hosts',
-]
-
 class OutboundTLS {
     constructor() {
         this.config = config
@@ -34,37 +22,8 @@ class OutboundTLS {
 
     load_config() {
         const tls_cfg = tls_socket.load_tls_ini({ role: 'client' })
-        const cfg = JSON.parse(JSON.stringify(tls_cfg.outbound || {}))
-        cfg.redis = tls_cfg.redis // Don't clone - contains methods
-
-        for (const opt of inheritable_opts) {
-            if (cfg[opt] !== undefined) continue // option set in [outbound]
-            if (tls_cfg.main[opt] === undefined) continue // opt unset in tls.ini[main]
-            cfg[opt] = tls_cfg.main[opt] // use value from [main] section
-        }
-
-        if (cfg.key) {
-            if (Array.isArray(cfg.key)) {
-                cfg.key = cfg.key[0]
-            }
-            cfg.key = this.config.get(cfg.key, 'binary')
-        }
-
-        if (cfg.dhparam) {
-            cfg.dhparam = this.config.get(cfg.dhparam, 'binary')
-        }
-
-        if (cfg.cert) {
-            if (Array.isArray(cfg.cert)) {
-                cfg.cert = cfg.cert[0]
-            }
-            cfg.cert = this.config.get(cfg.cert, 'binary')
-        }
-
-        if (!cfg.no_tls_hosts) cfg.no_tls_hosts = []
-        if (!cfg.force_tls_hosts) cfg.force_tls_hosts = []
-
-        this.cfg = cfg
+        this.cfg = tls_socket.load_plugin_tls_options(tls_cfg.outbound || {})
+        this.cfg.redis = tls_cfg.redis // outbound-only: TLS NO-GO db (don't clone — has methods)
     }
 
     init(cb) {