Haraka 3.1.5 → 3.1.7

package/package.json

@@ -9,7 +9,7 @@
     "server",
     "email"
   ],
-  "version": "3.1.5",
+  "version": "3.1.7",
   "homepage": "http://haraka.github.io",
   "repository": {
     "type": "git",
@@ -20,69 +20,58 @@
     "node": ">=20"
   },
   "dependencies": {
-    "address-rfc2821": "^2.1.5",
-    "address-rfc2822": "^2.2.3",
-    "daemon": "~1.1.0",
-    "haraka-config": "^1.5.0",
-    "haraka-constants": "^1.0.7",
-    "haraka-dsn": "^1.1.0",
-    "haraka-email-message": "^1.3.2",
-    "haraka-message-stream": "^2.0.1",
-    "haraka-net-utils": "^1.7.2",
-    "haraka-notes": "^1.1.1",
-    "haraka-plugin-redis": "^2.0.11",
-    "haraka-results": "^2.3.0",
-    "haraka-tld": "^1.3.3",
-    "haraka-utils": "^1.1.4",
-    "ipaddr.js": "~2.3.0",
-    "node-gyp": "^12.2.0",
-    "nopt": "^9.0.0",
-    "npid": "~0.4.0",
-    "redis": "~5.11.0",
-    "semver": "^7.7.4",
-    "sockaddr": "^1.0.1",
-    "sprintf-js": "~1.1.3"
+    "address-rfc2821": "~2.2.0",
+    "address-rfc2822": "~2.2.3",
+    "haraka-config": "~1.6.0",
+    "haraka-constants": "~1.0.7",
+    "haraka-dsn": "~1.2.0",
+    "haraka-email-message": "~1.3.3",
+    "haraka-net-utils": "~1.8.2",
+    "haraka-notes": "~1.1.3",
+    "haraka-plugin-redis": "~2.0.11",
+    "haraka-results": "~2.3.0",
+    "haraka-tld": "~1.3.4",
+    "haraka-utils": "~1.1.4",
+    "ipaddr.js": "~2.4.0",
+    "node-gyp": "~12.3.0",
+    "nopt": "~10.0.0",
+    "redis": "~5.12.1",
+    "semver": "~7.8.0"
   },
   "optionalDependencies": {
-    "haraka-plugin-access": "^1.1.10",
-    "haraka-plugin-aliases": "^1.0.3",
-    "haraka-plugin-asn": "^2.0.6",
-    "haraka-plugin-attachment": "^1.2.0",
-    "haraka-plugin-avg": "^1.1.0",
-    "haraka-plugin-bounce": "^2.1.2",
-    "haraka-plugin-clamd": "^1.0.2",
-    "haraka-plugin-dcc": "^1.0.3",
-    "haraka-plugin-dkim": "^1.0.11",
-    "haraka-plugin-dns-list": "^1.2.4",
-    "haraka-plugin-early_talker": "^1.0.2",
-    "haraka-plugin-elasticsearch": "^8.1.6",
-    "haraka-plugin-esets": "^1.0.1",
-    "haraka-plugin-fcrdns": "^1.1.2",
-    "haraka-plugin-geoip": "^1.1.2",
-    "haraka-plugin-greylist": "^1.1.1",
-    "haraka-plugin-headers": "^1.1.0",
-    "haraka-plugin-helo.checks": "^1.1.0",
-    "haraka-plugin-karma": "^2.2.0",
-    "haraka-plugin-known-senders": "^1.1.3",
-    "haraka-plugin-limit": "^1.2.7",
-    "haraka-plugin-mail_from.is_resolvable": "^1.1.0",
-    "haraka-plugin-messagesniffer": "^1.0.1",
-    "haraka-plugin-p0f": "^1.0.11",
-    "haraka-plugin-qmail-deliverable": "^1.3.3",
-    "haraka-plugin-recipient-routes": "^1.3.1",
-    "haraka-plugin-relay": "^1.0.1",
-    "haraka-plugin-rspamd": "^1.4.2",
-    "haraka-plugin-spamassassin": "^1.0.3",
-    "haraka-plugin-spf": "^1.2.11",
-    "haraka-plugin-syslog": "^1.0.7",
-    "haraka-plugin-uribl": "^1.0.10",
-    "haraka-plugin-watch": "^2.0.9",
-    "@techteamer/ocsp": "^1.0.1"
+    "@haraka/ocsp": "~1.2.0",
+    "haraka-plugin-access": "~1.2.0",
+    "haraka-plugin-aliases": "~1.0.3",
+    "haraka-plugin-asn": "~2.1.0",
+    "haraka-plugin-attachment": "~1.2.0",
+    "haraka-plugin-bounce": "~2.1.2",
+    "haraka-plugin-clamd": "~1.0.2",
+    "haraka-plugin-dcc": "~1.0.3",
+    "haraka-plugin-dkim": "~1.1.2",
+    "haraka-plugin-dns-list": "~1.2.4",
+    "haraka-plugin-early_talker": "~1.0.2",
+    "haraka-plugin-fcrdns": "~1.1.2",
+    "haraka-plugin-geoip": "~1.1.2",
+    "haraka-plugin-greylist": "~1.1.1",
+    "haraka-plugin-headers": "~1.1.2",
+    "haraka-plugin-helo.checks": "~1.1.1",
+    "haraka-plugin-karma": "~2.4.1",
+    "haraka-plugin-known-senders": "~1.1.4",
+    "haraka-plugin-limit": "~1.2.7",
+    "haraka-plugin-mail_from.is_resolvable": "~1.2.0",
+    "haraka-plugin-messagesniffer": "~1.0.1",
+    "haraka-plugin-qmail-deliverable": "~1.3.5",
+    "haraka-plugin-relay": "~1.0.2",
+    "haraka-plugin-rspamd": "~1.5.0",
+    "haraka-plugin-spamassassin": "~1.0.4",
+    "haraka-plugin-spf": "~1.2.11",
+    "haraka-plugin-syslog": "~1.1.0",
+    "haraka-plugin-uribl": "~1.0.10"
   },
   "devDependencies": {
-    "@haraka/eslint-config": "^2.0.4",
-    "haraka-test-fixtures": "^1.4.1",
-    "mock-require": "^3.0.3"
+    "@haraka/eslint-config": "~2.0.4",
+    "haraka-test-fixtures": "~1.6.0",
+    "mock-require": "~3.0.3"
   },
   "bugs": {
     "mail": "haraka.mail@gmail.com",
@@ -101,7 +90,8 @@
     "test": "sh ./run_tests",
     "versions": "npx npm-dep-mgr check",
     "versions:fix": "npx npm-dep-mgr update",
-    "test:coverage": "npx c8 --reporter=text --reporter=text-summary npm test"
+    "test:coverage": "node --test --test-concurrency=1 --experimental-test-coverage",
+    "test:coverage:lcov": "mkdir -p coverage && node --test --test-concurrency=1 --experimental-test-coverage --test-reporter=lcov --test-reporter-destination=coverage/lcov.info"
   },
   "prettier": {
     "singleQuote": true,

package/plugins/auth/auth_base.js

@@ -99,6 +99,12 @@ exports.check_user = function (next, connection, credentials, method) {
             (typeof opts === 'object' ? opts.message : opts) ||
             (valid ? '2.7.0 Authentication successful' : '5.7.8 Authentication failed')
 
+        // The AUTH username is attacker-controlled (base64-decoded). Strip
+        // control chars before it is stored in notes or emitted into the
+        // Authentication-Results header (header injection).
+        // eslint-disable-next-line no-control-regex
+        const safe_user = String(credentials[0] ?? '').replace(/[\x00-\x1f\x7f]/g, '')
+
         if (valid) {
             connection.relaying = true
             connection.results.add({ name: 'relay' }, { pass: plugin.name })
@@ -108,14 +114,14 @@ exports.check_user = function (next, connection, credentials, method) {
                 {
                     pass: plugin.name,
                     method,
-                    user: credentials[0],
+                    user: safe_user,
                 },
             )
 
             connection.respond(status_code, status_message, () => {
                 connection.authheader = '(authenticated bits=0)\n'
                 connection.auth_results(`auth=pass (${method.toLowerCase()})`)
-                connection.notes.auth_user = credentials[0]
+                connection.notes.auth_user = safe_user
                 if (!plugin.blankout_password) connection.notes.auth_passwd = credentials[1]
                 next(OK)
             })
@@ -133,7 +139,7 @@ exports.check_user = function (next, connection, credentials, method) {
         }
         connection.lognotice(plugin, `delaying for ${delay} seconds`)
         // here we include the username, as shown in RFC 5451 example
-        connection.auth_results(`auth=fail (${method.toLowerCase()}) smtp.auth=${credentials[0]}`)
+        connection.auth_results(`auth=fail (${method.toLowerCase()}) smtp.auth=${safe_user}`)
         setTimeout(() => {
             connection.respond(status_code, status_message, () => {
                 connection.reset_transaction(() => next(OK))

package/plugins/auth/auth_proxy.js

@@ -93,7 +93,9 @@ exports.try_auth_proxy = function (connection, hosts, user, passwd, cb) {
         if (cmd === 'dot') {
             line = '.'
         }
-        connection.logprotocol(self, `C: ${line}`)
+        // Don't leak proxied SASL credentials (AUTH PLAIN <base64>) to logs
+        const safe = line.replace(/^(AUTH\s+\S+\s+).+$/i, '$1[redacted]')
+        connection.logprotocol(self, `C: ${safe}`)
         command = cmd.toLowerCase()
         this.write(`${line}\r\n`)
         // Clear response buffer from previous command
@@ -128,18 +130,19 @@ exports.try_auth_proxy = function (connection, hosts, user, passwd, cb) {
             for (const i in response) {
                 if (/^STARTTLS/.test(response[i])) {
                     if (secure) continue // silly remote, we've already upgraded
-                    // Use TLS opportunistically if we found the key and certificate
+                    // Opportunistic TLS: a client does not need its own
+                    // certificate to negotiate TLS, so always STARTTLS when
+                    // the backend offers it. The local key/cert are only
+                    // attached if configured (mutual TLS), not required.
                     key = self.config.get(self.tls_cfg.main.key || 'tls_key.pem', 'binary')
                     cert = self.config.get(self.tls_cfg.main.cert || 'tls_cert.pem', 'binary')
-                    if (key && cert) {
-                        this.on('secure', () => {
-                            if (secure) return
-                            secure = true
-                            socket.send_command('EHLO', connection.local.host)
-                        })
-                        socket.send_command('STARTTLS')
-                        return
-                    }
+                    this.on('secure', () => {
+                        if (secure) return
+                        secure = true
+                        socket.send_command('EHLO', connection.local.host)
+                    })
+                    socket.send_command('STARTTLS')
+                    return
                 } else if (/^AUTH /.test(response[i])) {
                     // Parse supported AUTH methods
                     const parse = /^AUTH (.+)$/.exec(response[i])

package/plugins/block_me.js

@@ -4,6 +4,7 @@
 // mail_from.blocklist plugin for this to work fully.
 
 const fs = require('node:fs')
+const path = require('node:path')
 const utils = require('haraka-utils')
 
 exports.hook_data = (next, connection) => {
@@ -45,8 +46,9 @@ exports.hook_data_post = function (next, connection) {
 
     connection.transaction.notes.block_me = 1
 
-    // add to mail_from.blocklist
-    fs.open('./config/mail_from.blocklist', 'a', (err, fd) => {
+    // add to mail_from.blocklist, in the same config dir the plugin reads from
+    const blocklist = path.join(this.config.root_path, 'mail_from.blocklist')
+    fs.open(blocklist, 'a', (err, fd) => {
         if (err) {
             connection.logerror(this, `Unable to append to mail_from.blocklist: ${err}`)
             return

package/plugins/prevent_credential_leaks.js

@@ -22,9 +22,11 @@ exports.hook_data_post = (next, connection) => {
     let user = connection.notes.auth_user
     let domain
     const idx = user.indexOf('@')
-    if (idx) {
+    if (idx > 0) {
         // If the username is qualified (e.g. user@domain.com)
         // then we make the @domain.com part optional in the regexp.
+        // (idx === -1 is "no @"; idx === 0 is a leading @ — neither is
+        // a qualified user@domain, so don't split.)
         domain = user.substring(idx)
         user = user.substring(0, idx)
     }

package/plugins/process_title.js

@@ -64,17 +64,17 @@ exports.hook_init_master = function (next, server) {
                     server.notes.pt_connections++
                     server.notes.pt_concurrent_cluster[msg.wid]++
                     count = 0
-                    Object.keys(server.notes.pt_concurrent_cluster).forEach((id) => {
+                    for (const id of Object.keys(server.notes.pt_concurrent_cluster)) {
                         count += server.notes.pt_concurrent_cluster[id]
-                    })
+                    }
                     server.notes.pt_concurrent = count
                     break
                 case 'process_title.disconnect':
                     server.notes.pt_concurrent_cluster[msg.wid]--
                     count = 0
-                    Object.keys(server.notes.pt_concurrent_cluster).forEach((id) => {
+                    for (const id of Object.keys(server.notes.pt_concurrent_cluster)) {
                         count += server.notes.pt_concurrent_cluster[id]
-                    })
+                    }
                     server.notes.pt_concurrent = count
                     break
                 case 'process_title.recipient':
@@ -109,9 +109,9 @@ exports.hook_init_master = function (next, server) {
             delete server.notes.pt_concurrent_cluster[worker.id]
             // Update concurrency
             let count = 0
-            Object.keys(server.notes.pt_concurrent_cluster).forEach((id) => {
+            for (const id of Object.keys(server.notes.pt_concurrent_cluster)) {
                 count += server.notes.pt_concurrent_cluster[id]
-            })
+            }
             server.notes.pt_concurrent = count
             server.notes.pt_child_exits++
         })

package/plugins/queue/qmail-queue.js

@@ -28,6 +28,20 @@ exports.load_qmail_queue_ini = function () {
     )
 }
 
+// qmail-queue envelope: F<sender>\0 (T<rcpt>\0)* \0
+// Built dynamically, sized to exactly the bytes needed.
+//   doesn't emit zero padding after the terminating NUL.
+//   encodes non-ASCII (SMTPUTF8) addresses correctly
+exports.build_envelope = function (transaction) {
+    const NUL = Buffer.from([0])
+    const parts = [Buffer.from('F'), Buffer.from(transaction.mail_from.address), NUL]
+    for (const rcpt of transaction.rcpt_to) {
+        parts.push(Buffer.from('T'), Buffer.from(rcpt.address), NUL)
+    }
+    parts.push(NUL)
+    return Buffer.concat(parts)
+}
+
 exports.hook_queue = function (next, connection) {
     const plugin = this
 
@@ -72,25 +86,7 @@ exports.hook_queue = function (next, connection) {
             return
         }
         plugin.loginfo('Message Stream sent to qmail. Now sending envelope')
-        // now send envelope
-        // Hope this will be big enough...
-        const buf = Buffer.alloc(4096)
-        let p = 0
-        buf[p++] = 70
-        const mail_from = connection.transaction.mail_from.address()
-        for (let i = 0; i < mail_from.length; i++) {
-            buf[p++] = mail_from.charCodeAt(i)
-        }
-        buf[p++] = 0
-        connection.transaction.rcpt_to.forEach((rcpt) => {
-            buf[p++] = 84
-            const rcpt_to = rcpt.address()
-            for (let j = 0; j < rcpt_to.length; j++) {
-                buf[p++] = rcpt_to.charCodeAt(j)
-            }
-            buf[p++] = 0
-        })
-        buf[p++] = 0
+        const buf = plugin.build_envelope(connection.transaction)
         qmail_queue.stdout.on('error', (err) => {}) // stdout throws an error on close
         qmail_queue.stdout.end(buf)
     })

package/plugins/queue/smtp_forward.js

@@ -7,6 +7,7 @@
 const url = require('node:url')
 
 const smtp_client_mod = require('../../smtp_client')
+const tls_socket = require('../../tls_socket')
 
 exports.register = function () {
     this.load_errs = []
@@ -46,12 +47,19 @@ exports.load_smtp_forward_ini = function () {
                 '-main.check_recipient',
                 '*.enable_tls',
                 '*.enable_outbound',
+                '+tls.requestCert',
+                '+tls.honorCipherOrder',
+                '-tls.rejectUnauthorized',
             ],
         },
         () => {
             this.load_smtp_forward_ini()
         },
     )
+
+    // Build backend TLS options from tls.ini [main] + this plugin's [tls] section.
+    // Re-derived on every (re)load so SIGHUP picks up edits.
+    this.tls_options = tls_socket.load_plugin_tls_options(this.cfg.tls || {})
 }
 
 exports.get_config = function (conn) {
@@ -264,7 +272,7 @@ exports.queue_forward = function (next, connection) {
                 smtp_client.send_command('DATA')
                 return
             }
-            smtp_client.send_command('RCPT', `TO:${txn.rcpt_to[rcpt].format(!smtp_client.smtp_utf8)}`)
+            smtp_client.send_command('RCPT', `TO:${txn.rcpt_to[rcpt].format(!smtp_client.smtputf8)}`)
             rcpt++
         }
 
@@ -354,10 +362,10 @@ exports.get_mx = function (next, hmail, domain) {
     }
 
     // apply auth/mx options
-    mx_opts.forEach((o) => {
-        if (cfg[o] === undefined) return
+    for (const o of mx_opts) {
+        if (cfg[o] === undefined) continue
         mx[o] = this.cfg[dom][o]
-    })
+    }
 
     next(OK, mx)
 }

package/plugins/queue/smtp_proxy.js

@@ -4,7 +4,8 @@
 // and passes back any errors seen on the ongoing server to the
 // originating server.
 
-const smtp_client_mod = require('./smtp_client')
+const smtp_client_mod = require('../../smtp_client')
+const tls_socket = require('../../tls_socket')
 
 exports.register = function () {
     this.load_smtp_proxy_ini()
@@ -18,13 +19,23 @@ exports.load_smtp_proxy_ini = function () {
     this.cfg = this.config.get(
         'smtp_proxy.ini',
         {
-            booleans: ['-main.enable_tls', '+main.enable_outbound'],
+            booleans: [
+                '-main.enable_tls',
+                '+main.enable_outbound',
+                '+tls.requestCert',
+                '+tls.honorCipherOrder',
+                '-tls.rejectUnauthorized',
+            ],
         },
         () => {
             this.load_smtp_proxy_ini()
         },
     )
 
+    // Build backend TLS options from tls.ini [main] + this plugin's [tls] section.
+    // Re-derived on every (re)load so SIGHUP picks up edits.
+    this.tls_options = tls_socket.load_plugin_tls_options(this.cfg.tls || {})
+
     if (this.cfg.main.enable_outbound) {
         this.lognotice('outbound enabled, will default to disabled in Haraka v3 (see #1472)')
     }
@@ -82,7 +93,7 @@ exports.hook_rcpt_ok = (next, connection, recipient) => {
         return
     }
     smtp_client.next = next
-    smtp_client.send_command('RCPT', `TO:${recipient.format(!smtp_client.smtp_utf8)}`)
+    smtp_client.send_command('RCPT', `TO:${recipient.format(!smtp_client.smtputf8)}`)
 }
 
 exports.hook_data = (next, connection) => {

package/plugins/tls.js

@@ -85,6 +85,14 @@ exports.upgrade_connection = function (next, connection, params) {
     /* Watch for STARTTLS directive from client. */
     if (params[0].toUpperCase() !== 'STARTTLS') return next()
 
+    // RFC 3207 §4: discard any plaintext the client pipelined after
+    // STARTTLS. Otherwise connection.respond() restores state to CMD and
+    // re-enters _process_data(), parsing and executing those buffered
+    // cleartext commands before the TLS handshake completes (STARTTLS
+    // command injection). Mirrors the buffer-nuke already used for
+    // SSL-over-plaintext detection in connection.process_line().
+    connection.current_data = null
+
     /* Respond to STARTTLS command. */
     connection.respond(220, 'Go ahead.')
 
@@ -109,7 +117,7 @@ exports.upgrade_connection = function (next, connection, params) {
     connection.notes.cleanUpDisconnect = nextOnce
 
     /* Upgrade the connection to TLS. */
-    connection.client.upgrade((verified, verifyErr, cert, cipher) => {
+    connection.client.upgrade((verified, verifyError, cert, cipher) => {
         if (called_next) return
         clearTimeout(connection.notes.tls_timer)
         called_next = true
@@ -117,12 +125,12 @@ exports.upgrade_connection = function (next, connection, params) {
             connection.setTLS({
                 cipher,
                 verified,
-                authorizationError: verifyErr,
+                verifyError,
                 peerCertificate: cert,
             })
 
             connection.results.add(plugin, connection.tls)
-            plugin.emit_upgrade_msg(connection, verified, verifyErr, cert, cipher)
+            plugin.emit_upgrade_msg(connection, verified, verifyError, cert, cipher)
             next(OK)
         })
     })
@@ -135,13 +143,13 @@ exports.hook_disconnect = (next, connection) => {
     next()
 }
 
-exports.emit_upgrade_msg = function (conn, verified, verifyErr, cert, cipher) {
+exports.emit_upgrade_msg = function (conn, verified, verifyError, cert, cipher) {
     let msg = 'secured:'
     if (cipher) {
         msg += ` cipher=${cipher.name} version=${cipher.version}`
     }
     msg += ` verified=${verified}`
-    if (verifyErr) msg += ` error="${verifyErr}"`
+    if (verifyError) msg += ` error="${verifyError}"`
     if (cert) {
         if (cert.subject) {
             msg += ` cn="${cert.subject.CN}" organization="${cert.subject.O}"`

package/plugins/xclient.js

@@ -110,7 +110,9 @@ exports.hook_unrecognized_command = function (next, connection, params) {
     connection.set('remote.login', xclient.login ? xclient.login : undefined)
     connection.set('hello.host', xclient.helo ? xclient.helo : undefined)
     connection.set('local.ip', xclient.destaddr ? xclient.destaddr : undefined)
-    connection.set('local.port', xclient.destport ? xclient.destport : undefined)
+    // parseInt so downstream numeric checks (e.g. the 587/465 auth-required
+    // gate in connection.cmd_mail) work; matches the PROXY path.
+    connection.set('local.port', xclient.destport ? parseInt(xclient.destport, 10) : undefined)
     if (xclient.proto) {
         connection.set('hello', 'verb', xclient.proto === 'esmtp' ? 'EHLO' : 'HELO')
     }

package/server.js

@@ -2,12 +2,11 @@
 // smtp network server
 
 const cluster = require('node:cluster')
+const { spawn } = require('node:child_process')
 const fs = require('node:fs')
 const os = require('node:os')
 const path = require('node:path')
 const tls = require('node:tls')
-
-const daemon = require('daemon')
 const constants = require('haraka-constants')
 
 const tls_socket = require('./tls_socket')
@@ -77,15 +76,26 @@ Server.daemonize = function () {
         // we get a spurious 'Exiting' log entry.
         process.removeAllListeners('exit')
         Server.lognotice('Daemonizing...')
-    }
 
-    const log_fd = fs.openSync(c.daemon_log_file, 'a')
-    daemon({ cwd: process.cwd(), stdout: log_fd })
+        const log_fd = fs.openSync(c.daemon_log_file, 'a')
+        const child = spawn(process.execPath, process.argv.slice(1), {
+            detached: true,
+            stdio: ['ignore', log_fd, log_fd],
+            env: { ...process.env, __daemon: '1' },
+            cwd: process.cwd(),
+        })
+        child.unref()
+        process.exit(0)
+    }
 
     // We are the daemon from here on...
-    const npid = require('npid')
     try {
-        npid.create(c.daemon_pid_file).removeOnExit()
+        fs.writeFileSync(c.daemon_pid_file, `${process.pid}\n`, { flag: 'wx' })
+        process.on('exit', () => {
+            try {
+                fs.unlinkSync(c.daemon_pid_file)
+            } catch {}
+        })
     } catch (err) {
         Server.logerror(err.message)
         logger.dump_and_exit(1)
@@ -165,7 +175,7 @@ Server._graceful = async (shutdown) => {
     const todo = []
 
     for (const id of Object.keys(cluster.workers)) {
-        todo.push((id) => {
+        todo.push(() => {
             return new Promise((resolve) => {
                 Server.lognotice(`Killing worker: ${id}`)
                 const worker = cluster.workers[id]
@@ -213,8 +223,10 @@ Server._graceful = async (shutdown) => {
     }
 
     while (todo.length) {
-        // process batches of workers
-        await Promise.all(todo.splice(0, limit))
+        // process batches of workers: invoke each queued thunk so we
+        // actually await the worker shutdown promises (passing the bare
+        // functions to Promise.all would resolve immediately).
+        await Promise.all(todo.splice(0, limit).map((fn) => fn()))
     }
 
     if (shutdown) {