Haraka 3.1.6 → 3.1.7

package/outbound/hmail.js

@@ -266,12 +266,12 @@ class HMailItem extends events.EventEmitter {
     }
 
     async found_mx(mxs) {
-        // support draft-delany-nullmx-02
+        // support RFC 7505 null MX
         if (mxs.length === 1 && mxs[0].priority === 0 && mxs[0].exchange === '') {
             for (const rcpt of this.todo.rcpt_to) {
                 this.extend_rcpt_with_dsn(
                     rcpt,
-                    DSN.addr_bad_dest_system(`Domain ${this.todo.domain} sends and receives no email (NULL MX)`),
+                    DSN.addr_null_mx(`Domain ${this.todo.domain} sends and receives no email (NULL MX)`),
                 )
             }
             return this.bounce(`Domain ${this.todo.domain} sends and receives no email (NULL MX)`)
@@ -459,7 +459,7 @@ class HMailItem extends events.EventEmitter {
                 } else if (r.toUpperCase() === 'ENHANCEDSTATUSCODES') {
                     smtp_properties.enh_status_codes = true
                 } else if (r.toUpperCase() === 'SMTPUTF8') {
-                    smtp_properties.smtp_utf8 = true
+                    smtp_properties.smtputf8 = true
                 } else {
                     // Check for SIZE parameter and limit
                     let matches = r.match(/^SIZE\s+(\d+)$/)
@@ -476,9 +476,9 @@ class HMailItem extends events.EventEmitter {
         }
 
         function get_reverse_path_with_params() {
-            const rp = self.todo.mail_from.format(!smtp_properties.smtp_utf8)
+            const rp = self.todo.mail_from.format(!smtp_properties.smtputf8)
             let rp_params = ''
-            if (smtp_properties.smtp_utf8 && has_non_ascii(rp)) rp_params += ' SMTPUTF8'
+            if (smtp_properties.smtputf8 && has_non_ascii(rp)) rp_params += ' SMTPUTF8'
             return `FROM:${rp}${rp_params}`
         }
 
@@ -678,12 +678,12 @@ class HMailItem extends events.EventEmitter {
                 processing_mail = false
                 // Release back to the pool and instruct it to terminate this connection
                 client_pool.release_client(socket, mx)
-                self.todo.rcpt_to.forEach((rcpt) => {
+                for (const rcpt of self.todo.rcpt_to) {
                     self.extend_rcpt_with_dsn(
                         rcpt,
                         DSN.proto_invalid_command(`Unrecognized response from upstream server: ${line}`),
                     )
-                })
+                }
                 self.bounce(`Unrecognized response from upstream server: ${line}`, { mx })
                 return
             }
@@ -720,14 +720,14 @@ class HMailItem extends events.EventEmitter {
                 }
                 // Error
                 reason = response.join(' ')
-                recipients.forEach((rcpt) => {
+                for (const rcpt of recipients) {
                     rcpt.dsn_action = 'delayed'
                     rcpt.dsn_smtp_code = code
                     rcpt.dsn_smtp_extc = extc
                     rcpt.dsn_status = extc
                     rcpt.dsn_smtp_response = response.join(' ')
                     rcpt.dsn_remote_mta = mx.exchange
-                })
+                }
                 send_command('QUIT')
                 processing_mail = false
                 return self.temp_fail(`Upstream error: ${code} ${extc ? `${extc} ` : ''}${reason}`)
@@ -756,14 +756,14 @@ class HMailItem extends events.EventEmitter {
                     }
                 } else if (processing_mail) {
                     reason = response.join(' ')
-                    recipients.forEach((rcpt) => {
+                    for (const rcpt of recipients) {
                         rcpt.dsn_action = 'delayed'
                         rcpt.dsn_smtp_code = code
                         rcpt.dsn_smtp_extc = extc
                         rcpt.dsn_status = extc
                         rcpt.dsn_smtp_response = response.join(' ')
                         rcpt.dsn_remote_mta = mx.exchange
-                    })
+                    }
                     send_command('QUIT')
                     processing_mail = false
                     return self.temp_fail(`Upstream error: ${code} ${extc ? `${extc} ` : ''}${reason}`)
@@ -803,14 +803,14 @@ class HMailItem extends events.EventEmitter {
                         }
                     }
                 } else {
-                    recipients.forEach((rcpt) => {
+                    for (const rcpt of recipients) {
                         rcpt.dsn_action = 'failed'
                         rcpt.dsn_smtp_code = code
                         rcpt.dsn_smtp_extc = extc
                         rcpt.dsn_status = extc
                         rcpt.dsn_smtp_response = response.join(' ')
                         rcpt.dsn_remote_mta = mx.exchange
-                    })
+                    }
                     send_command('QUIT')
                     processing_mail = false
                     return self.bounce(reason, { mx })
@@ -871,7 +871,7 @@ class HMailItem extends events.EventEmitter {
                 case 'mail':
                     last_recip = recipients[recip_index]
                     recip_index++
-                    send_command('RCPT', `TO:${last_recip.format(!smtp_properties.smtp_utf8)}`)
+                    send_command('RCPT', `TO:${last_recip.format(!smtp_properties.smtputf8)}`)
                     break
                 case 'rcpt':
                     if (last_recip && code.match(/^250/)) {
@@ -887,7 +887,7 @@ class HMailItem extends events.EventEmitter {
                     } else {
                         last_recip = recipients[recip_index]
                         recip_index++
-                        send_command('RCPT', `TO:${last_recip.format(!smtp_properties.smtp_utf8)}`)
+                        send_command('RCPT', `TO:${last_recip.format(!smtp_properties.smtputf8)}`)
                     }
                     break
                 case 'data': {
@@ -1036,7 +1036,7 @@ class HMailItem extends events.EventEmitter {
             msgid: `<${utils.uuid()}@${net_utils.get_primary_host_name()}>`,
         }
 
-        bounce_msg_.forEach((line) => {
+        for (let line of bounce_msg_) {
             line = line.replace(/\{(\w+)\}/g, (i, word) => values[word] || '?')
 
             if (bounce_headers_done == false && line == '') {
@@ -1046,7 +1046,7 @@ class HMailItem extends events.EventEmitter {
             } else if (bounce_headers_done == true) {
                 bounce_body_lines.push(line)
             }
-        })
+        }
 
         const escaped_chars = {
             '&': 'amp',
@@ -1059,7 +1059,7 @@ class HMailItem extends events.EventEmitter {
         }
         const escape_pattern = new RegExp(`[${Object.keys(escaped_chars).join('')}]`, 'g')
 
-        bounce_msg_html_.forEach((line) => {
+        for (let line of bounce_msg_html_) {
             line = line.replace(/\{(\w+)\}/g, (i, word) => {
                 if (word in values) {
                     return String(values[word]).replace(escape_pattern, (m) => `&${escaped_chars[m]};`)
@@ -1069,18 +1069,18 @@ class HMailItem extends events.EventEmitter {
             })
 
             bounce_html_lines.push(line)
-        })
+        }
 
-        bounce_msg_image_.forEach((line) => {
+        for (const line of bounce_msg_image_) {
             bounce_image_lines.push(line)
-        })
+        }
 
         const boundary = `boundary_${utils.uuid()}`
         const bounce_body = []
 
-        bounce_header_lines.forEach((line) => {
+        for (const line of bounce_header_lines) {
             bounce_body.push(`${line}${CRLF}`)
-        })
+        }
         bounce_body.push(
             `Content-Type: multipart/report; report-type=delivery-status;${CRLF}    boundary="${boundary}"${CRLF}`,
         )
@@ -1108,18 +1108,18 @@ class HMailItem extends events.EventEmitter {
         bounce_body.push(`--${boundary}${boundary_incr}${CRLF}`)
         bounce_body.push(`Content-Type: text/plain; charset=us-ascii${CRLF}`)
         bounce_body.push(CRLF)
-        bounce_body_lines.forEach((line) => {
+        for (const line of bounce_body_lines) {
             bounce_body.push(`${line}${CRLF}`)
-        })
+        }
         bounce_body.push(CRLF)
 
         if (bounce_html_lines.length > 1) {
             bounce_body.push(`--${boundary}${boundary_incr}${CRLF}`)
             bounce_body.push(`Content-Type: text/html; charset=us-ascii${CRLF}`)
             bounce_body.push(CRLF)
-            bounce_html_lines.forEach((line) => {
+            for (const line of bounce_html_lines) {
                 bounce_body.push(`${line}${CRLF}`)
-            })
+            }
             bounce_body.push(CRLF)
             bounce_body.push(`--${boundary}${boundary_incr}--${CRLF}`)
 
@@ -1128,9 +1128,9 @@ class HMailItem extends events.EventEmitter {
                 bounce_body.push(`--${boundary}${boundary_incr}${CRLF}`)
                 //bounce_body.push(`Content-Type: text/html; charset=us-ascii${CRLF}`);
                 //bounce_body.push(CRLF);
-                bounce_image_lines.forEach((line) => {
+                for (const line of bounce_image_lines) {
                     bounce_body.push(`${line}${CRLF}`)
-                })
+                }
                 bounce_body.push(CRLF)
                 bounce_body.push(`--${boundary}${boundary_incr}--${CRLF}`)
             }
@@ -1146,7 +1146,7 @@ class HMailItem extends events.EventEmitter {
         if (this.todo.queue_time) {
             bounce_body.push(`Arrival-Date: ${utils.date_to_str(new Date(this.todo.queue_time))}${CRLF}`)
         }
-        this.todo.rcpt_to.forEach((rcpt_to) => {
+        for (const rcpt_to of this.todo.rcpt_to) {
             bounce_body.push(CRLF)
             bounce_body.push(`Final-Recipient: rfc822;${rcpt_to.address()}${CRLF}`)
             let dsn_action = null
@@ -1208,16 +1208,16 @@ class HMailItem extends events.EventEmitter {
             if (diag_code != null) {
                 bounce_body.push(`Diagnostic-Code: ${diag_code}${CRLF}`)
             }
-        })
+        }
         bounce_body.push(CRLF)
 
         bounce_body.push(`--${boundary}${CRLF}`)
         bounce_body.push(`Content-Description: Undelivered Message Headers${CRLF}`)
         bounce_body.push(`Content-Type: text/rfc822-headers${CRLF}`)
         bounce_body.push(CRLF)
-        header.header_list.forEach((line) => {
+        for (const line of header.header_list) {
             bounce_body.push(line)
-        })
+        }
         bounce_body.push(CRLF)
 
         bounce_body.push(`--${boundary}--${CRLF}`)
@@ -1322,12 +1322,12 @@ class HMailItem extends events.EventEmitter {
     }
 
     convert_temp_failed_to_bounce(err, extra) {
-        this.todo.rcpt_to.forEach((rcpt_to) => {
+        for (const rcpt_to of this.todo.rcpt_to) {
             rcpt_to.dsn_action = 'failed'
             if (rcpt_to.dsn_status) {
                 rcpt_to.dsn_status = `${rcpt_to.dsn_status}`.replace(/^4/, '5')
             }
-        })
+        }
         return this.bounce(err, extra)
     }
 
@@ -1446,9 +1446,9 @@ class HMailItem extends events.EventEmitter {
         })
         function err_handler(err, location) {
             logger.error(this, `Error while splitting to new recipients (${location}): ${err}`)
-            hmail.todo.rcpt_to.forEach((rcpt) => {
+            for (const rcpt of hmail.todo.rcpt_to) {
                 hmail.extend_rcpt_with_dsn(rcpt, DSN.sys_unspecified(`Error splitting to new recipients: ${err}`))
-            })
+            }
             hmail.bounce(`Error splitting to new recipients: ${err}`)
         }
 
@@ -1486,9 +1486,9 @@ class HMailItem extends events.EventEmitter {
         ws.on('error', (err) => {
             logger.error(this, `Unable to write queue file (${fname}): ${err}`)
             ws.destroy()
-            hmail.todo.rcpt_to.forEach((rcpt) => {
+            for (const rcpt of hmail.todo.rcpt_to) {
                 hmail.extend_rcpt_with_dsn(rcpt, DSN.sys_unspecified(`Error re-queueing some recipients: ${err}`))
-            })
+            }
             hmail.bounce(`Error re-queueing some recipients: ${err}`)
         })
 

package/outbound/index.js

@@ -200,16 +200,16 @@ function get_deliveries(transaction) {
 
     // First get each domain
     const recips = {}
-    transaction.rcpt_to.forEach((rcpt) => {
+    for (const rcpt of transaction.rcpt_to) {
         const domain = rcpt.host
         if (!recips[domain]) {
             recips[domain] = []
         }
         recips[domain].push(rcpt)
-    })
-    Object.keys(recips).forEach((domain) => {
+    }
+    for (const domain of Object.keys(recips)) {
         deliveries.push({ domain, rcpts: recips[domain] })
-    })
+    }
     return deliveries
 }
 

package/outbound/tls.js

@@ -8,18 +8,6 @@ const hkredis = require('haraka-plugin-redis')
 const logger = require('../logger')
 const tls_socket = require('../tls_socket')
 
-const inheritable_opts = [
-    'key',
-    'cert',
-    'ciphers',
-    'minVersion',
-    'dhparam',
-    'requestCert',
-    'honorCipherOrder',
-    'rejectUnauthorized',
-    'force_tls_hosts',
-]
-
 class OutboundTLS {
     constructor() {
         this.config = config
@@ -34,37 +22,8 @@ class OutboundTLS {
 
     load_config() {
         const tls_cfg = tls_socket.load_tls_ini({ role: 'client' })
-        const cfg = JSON.parse(JSON.stringify(tls_cfg.outbound || {}))
-        cfg.redis = tls_cfg.redis // Don't clone - contains methods
-
-        for (const opt of inheritable_opts) {
-            if (cfg[opt] !== undefined) continue // option set in [outbound]
-            if (tls_cfg.main[opt] === undefined) continue // opt unset in tls.ini[main]
-            cfg[opt] = tls_cfg.main[opt] // use value from [main] section
-        }
-
-        if (cfg.key) {
-            if (Array.isArray(cfg.key)) {
-                cfg.key = cfg.key[0]
-            }
-            cfg.key = this.config.get(cfg.key, 'binary')
-        }
-
-        if (cfg.dhparam) {
-            cfg.dhparam = this.config.get(cfg.dhparam, 'binary')
-        }
-
-        if (cfg.cert) {
-            if (Array.isArray(cfg.cert)) {
-                cfg.cert = cfg.cert[0]
-            }
-            cfg.cert = this.config.get(cfg.cert, 'binary')
-        }
-
-        if (!cfg.no_tls_hosts) cfg.no_tls_hosts = []
-        if (!cfg.force_tls_hosts) cfg.force_tls_hosts = []
-
-        this.cfg = cfg
+        this.cfg = tls_socket.load_plugin_tls_options(tls_cfg.outbound || {})
+        this.cfg.redis = tls_cfg.redis // outbound-only: TLS NO-GO db (don't clone — has methods)
     }
 
     init(cb) {

package/package.json

@@ -9,7 +9,7 @@
     "server",
     "email"
   ],
-  "version": "3.1.6",
+  "version": "3.1.7",
   "homepage": "http://haraka.github.io",
   "repository": {
     "type": "git",
@@ -20,58 +20,58 @@
     "node": ">=20"
   },
   "dependencies": {
-    "address-rfc2821": "^2.2.0",
-    "address-rfc2822": "^2.2.3",
-    "haraka-config": "^1.5.0",
-    "haraka-constants": "^1.0.7",
-    "haraka-dsn": "^1.1.0",
-    "haraka-email-message": "^1.3.3",
-    "haraka-net-utils": "^1.8.2",
-    "haraka-notes": "^1.1.1",
-    "haraka-plugin-redis": "^2.0.11",
-    "haraka-results": "^2.3.0",
-    "haraka-tld": "^1.3.4",
-    "haraka-utils": "^1.1.4",
+    "address-rfc2821": "~2.2.0",
+    "address-rfc2822": "~2.2.3",
+    "haraka-config": "~1.6.0",
+    "haraka-constants": "~1.0.7",
+    "haraka-dsn": "~1.2.0",
+    "haraka-email-message": "~1.3.3",
+    "haraka-net-utils": "~1.8.2",
+    "haraka-notes": "~1.1.3",
+    "haraka-plugin-redis": "~2.0.11",
+    "haraka-results": "~2.3.0",
+    "haraka-tld": "~1.3.4",
+    "haraka-utils": "~1.1.4",
     "ipaddr.js": "~2.4.0",
-    "node-gyp": "^12.3.0",
-    "nopt": "^9.0.0",
+    "node-gyp": "~12.3.0",
+    "nopt": "~10.0.0",
     "redis": "~5.12.1",
-    "semver": "^7.8.0"
+    "semver": "~7.8.0"
   },
   "optionalDependencies": {
-    "@haraka/ocsp": "^1.2.0",
-    "haraka-plugin-access": "^1.2.0",
-    "haraka-plugin-aliases": "^1.0.3",
-    "haraka-plugin-asn": "^2.0.6",
-    "haraka-plugin-attachment": "^1.2.0",
-    "haraka-plugin-bounce": "^2.1.2",
-    "haraka-plugin-clamd": "^1.0.2",
-    "haraka-plugin-dcc": "^1.0.3",
-    "haraka-plugin-dkim": "^1.1.2",
-    "haraka-plugin-dns-list": "^1.2.4",
-    "haraka-plugin-early_talker": "^1.0.2",
-    "haraka-plugin-fcrdns": "^1.1.2",
-    "haraka-plugin-geoip": "^1.1.2",
-    "haraka-plugin-greylist": "^1.1.1",
-    "haraka-plugin-headers": "^1.1.0",
-    "haraka-plugin-helo.checks": "^1.1.0",
-    "haraka-plugin-karma": "^2.4.1",
-    "haraka-plugin-known-senders": "^1.1.3",
-    "haraka-plugin-limit": "^1.2.7",
-    "haraka-plugin-mail_from.is_resolvable": "^1.2.0",
-    "haraka-plugin-messagesniffer": "^1.0.1",
-    "haraka-plugin-qmail-deliverable": "^1.3.5",
-    "haraka-plugin-relay": "^1.0.1",
-    "haraka-plugin-rspamd": "^1.5.0",
-    "haraka-plugin-spamassassin": "^1.0.4",
-    "haraka-plugin-spf": "^1.2.11",
-    "haraka-plugin-syslog": "^1.0.7",
-    "haraka-plugin-uribl": "^1.0.10"
+    "@haraka/ocsp": "~1.2.0",
+    "haraka-plugin-access": "~1.2.0",
+    "haraka-plugin-aliases": "~1.0.3",
+    "haraka-plugin-asn": "~2.1.0",
+    "haraka-plugin-attachment": "~1.2.0",
+    "haraka-plugin-bounce": "~2.1.2",
+    "haraka-plugin-clamd": "~1.0.2",
+    "haraka-plugin-dcc": "~1.0.3",
+    "haraka-plugin-dkim": "~1.1.2",
+    "haraka-plugin-dns-list": "~1.2.4",
+    "haraka-plugin-early_talker": "~1.0.2",
+    "haraka-plugin-fcrdns": "~1.1.2",
+    "haraka-plugin-geoip": "~1.1.2",
+    "haraka-plugin-greylist": "~1.1.1",
+    "haraka-plugin-headers": "~1.1.2",
+    "haraka-plugin-helo.checks": "~1.1.1",
+    "haraka-plugin-karma": "~2.4.1",
+    "haraka-plugin-known-senders": "~1.1.4",
+    "haraka-plugin-limit": "~1.2.7",
+    "haraka-plugin-mail_from.is_resolvable": "~1.2.0",
+    "haraka-plugin-messagesniffer": "~1.0.1",
+    "haraka-plugin-qmail-deliverable": "~1.3.5",
+    "haraka-plugin-relay": "~1.0.2",
+    "haraka-plugin-rspamd": "~1.5.0",
+    "haraka-plugin-spamassassin": "~1.0.4",
+    "haraka-plugin-spf": "~1.2.11",
+    "haraka-plugin-syslog": "~1.1.0",
+    "haraka-plugin-uribl": "~1.0.10"
   },
   "devDependencies": {
-    "@haraka/eslint-config": "^2.0.4",
-    "haraka-test-fixtures": "^1.4.3",
-    "mock-require": "^3.0.3"
+    "@haraka/eslint-config": "~2.0.4",
+    "haraka-test-fixtures": "~1.6.0",
+    "mock-require": "~3.0.3"
   },
   "bugs": {
     "mail": "haraka.mail@gmail.com",
@@ -90,7 +90,8 @@
     "test": "sh ./run_tests",
     "versions": "npx npm-dep-mgr check",
     "versions:fix": "npx npm-dep-mgr update",
-    "test:coverage": "npx c8 --reporter=text --reporter=text-summary npm test"
+    "test:coverage": "node --test --test-concurrency=1 --experimental-test-coverage",
+    "test:coverage:lcov": "mkdir -p coverage && node --test --test-concurrency=1 --experimental-test-coverage --test-reporter=lcov --test-reporter-destination=coverage/lcov.info"
   },
   "prettier": {
     "singleQuote": true,

package/plugins/auth/auth_base.js

@@ -99,6 +99,12 @@ exports.check_user = function (next, connection, credentials, method) {
             (typeof opts === 'object' ? opts.message : opts) ||
             (valid ? '2.7.0 Authentication successful' : '5.7.8 Authentication failed')
 
+        // The AUTH username is attacker-controlled (base64-decoded). Strip
+        // control chars before it is stored in notes or emitted into the
+        // Authentication-Results header (header injection).
+        // eslint-disable-next-line no-control-regex
+        const safe_user = String(credentials[0] ?? '').replace(/[\x00-\x1f\x7f]/g, '')
+
         if (valid) {
             connection.relaying = true
             connection.results.add({ name: 'relay' }, { pass: plugin.name })
@@ -108,14 +114,14 @@ exports.check_user = function (next, connection, credentials, method) {
                 {
                     pass: plugin.name,
                     method,
-                    user: credentials[0],
+                    user: safe_user,
                 },
             )
 
             connection.respond(status_code, status_message, () => {
                 connection.authheader = '(authenticated bits=0)\n'
                 connection.auth_results(`auth=pass (${method.toLowerCase()})`)
-                connection.notes.auth_user = credentials[0]
+                connection.notes.auth_user = safe_user
                 if (!plugin.blankout_password) connection.notes.auth_passwd = credentials[1]
                 next(OK)
             })
@@ -133,7 +139,7 @@ exports.check_user = function (next, connection, credentials, method) {
         }
         connection.lognotice(plugin, `delaying for ${delay} seconds`)
         // here we include the username, as shown in RFC 5451 example
-        connection.auth_results(`auth=fail (${method.toLowerCase()}) smtp.auth=${credentials[0]}`)
+        connection.auth_results(`auth=fail (${method.toLowerCase()}) smtp.auth=${safe_user}`)
         setTimeout(() => {
             connection.respond(status_code, status_message, () => {
                 connection.reset_transaction(() => next(OK))

package/plugins/auth/auth_proxy.js

@@ -93,7 +93,9 @@ exports.try_auth_proxy = function (connection, hosts, user, passwd, cb) {
         if (cmd === 'dot') {
             line = '.'
         }
-        connection.logprotocol(self, `C: ${line}`)
+        // Don't leak proxied SASL credentials (AUTH PLAIN <base64>) to logs
+        const safe = line.replace(/^(AUTH\s+\S+\s+).+$/i, '$1[redacted]')
+        connection.logprotocol(self, `C: ${safe}`)
         command = cmd.toLowerCase()
         this.write(`${line}\r\n`)
         // Clear response buffer from previous command
@@ -128,18 +130,19 @@ exports.try_auth_proxy = function (connection, hosts, user, passwd, cb) {
             for (const i in response) {
                 if (/^STARTTLS/.test(response[i])) {
                     if (secure) continue // silly remote, we've already upgraded
-                    // Use TLS opportunistically if we found the key and certificate
+                    // Opportunistic TLS: a client does not need its own
+                    // certificate to negotiate TLS, so always STARTTLS when
+                    // the backend offers it. The local key/cert are only
+                    // attached if configured (mutual TLS), not required.
                     key = self.config.get(self.tls_cfg.main.key || 'tls_key.pem', 'binary')
                     cert = self.config.get(self.tls_cfg.main.cert || 'tls_cert.pem', 'binary')
-                    if (key && cert) {
-                        this.on('secure', () => {
-                            if (secure) return
-                            secure = true
-                            socket.send_command('EHLO', connection.local.host)
-                        })
-                        socket.send_command('STARTTLS')
-                        return
-                    }
+                    this.on('secure', () => {
+                        if (secure) return
+                        secure = true
+                        socket.send_command('EHLO', connection.local.host)
+                    })
+                    socket.send_command('STARTTLS')
+                    return
                 } else if (/^AUTH /.test(response[i])) {
                     // Parse supported AUTH methods
                     const parse = /^AUTH (.+)$/.exec(response[i])

package/plugins/block_me.js

@@ -4,6 +4,7 @@
 // mail_from.blocklist plugin for this to work fully.
 
 const fs = require('node:fs')
+const path = require('node:path')
 const utils = require('haraka-utils')
 
 exports.hook_data = (next, connection) => {
@@ -45,8 +46,9 @@ exports.hook_data_post = function (next, connection) {
 
     connection.transaction.notes.block_me = 1
 
-    // add to mail_from.blocklist
-    fs.open('./config/mail_from.blocklist', 'a', (err, fd) => {
+    // add to mail_from.blocklist, in the same config dir the plugin reads from
+    const blocklist = path.join(this.config.root_path, 'mail_from.blocklist')
+    fs.open(blocklist, 'a', (err, fd) => {
         if (err) {
             connection.logerror(this, `Unable to append to mail_from.blocklist: ${err}`)
             return

package/plugins/prevent_credential_leaks.js

@@ -22,9 +22,11 @@ exports.hook_data_post = (next, connection) => {
     let user = connection.notes.auth_user
     let domain
     const idx = user.indexOf('@')
-    if (idx) {
+    if (idx > 0) {
         // If the username is qualified (e.g. user@domain.com)
         // then we make the @domain.com part optional in the regexp.
+        // (idx === -1 is "no @"; idx === 0 is a leading @ — neither is
+        // a qualified user@domain, so don't split.)
         domain = user.substring(idx)
         user = user.substring(0, idx)
     }

package/plugins/process_title.js

@@ -64,17 +64,17 @@ exports.hook_init_master = function (next, server) {
                     server.notes.pt_connections++
                     server.notes.pt_concurrent_cluster[msg.wid]++
                     count = 0
-                    Object.keys(server.notes.pt_concurrent_cluster).forEach((id) => {
+                    for (const id of Object.keys(server.notes.pt_concurrent_cluster)) {
                         count += server.notes.pt_concurrent_cluster[id]
-                    })
+                    }
                     server.notes.pt_concurrent = count
                     break
                 case 'process_title.disconnect':
                     server.notes.pt_concurrent_cluster[msg.wid]--
                     count = 0
-                    Object.keys(server.notes.pt_concurrent_cluster).forEach((id) => {
+                    for (const id of Object.keys(server.notes.pt_concurrent_cluster)) {
                         count += server.notes.pt_concurrent_cluster[id]
-                    })
+                    }
                     server.notes.pt_concurrent = count
                     break
                 case 'process_title.recipient':
@@ -109,9 +109,9 @@ exports.hook_init_master = function (next, server) {
             delete server.notes.pt_concurrent_cluster[worker.id]
             // Update concurrency
             let count = 0
-            Object.keys(server.notes.pt_concurrent_cluster).forEach((id) => {
+            for (const id of Object.keys(server.notes.pt_concurrent_cluster)) {
                 count += server.notes.pt_concurrent_cluster[id]
-            })
+            }
             server.notes.pt_concurrent = count
             server.notes.pt_child_exits++
         })