Haraka 3.1.6 → 3.1.7

package/plugins/queue/qmail-queue.js

@@ -28,6 +28,20 @@ exports.load_qmail_queue_ini = function () {
     )
 }
 
+// qmail-queue envelope: F<sender>\0 (T<rcpt>\0)* \0
+// Built dynamically, sized to exactly the bytes needed.
+//   doesn't emit zero padding after the terminating NUL.
+//   encodes non-ASCII (SMTPUTF8) addresses correctly
+exports.build_envelope = function (transaction) {
+    const NUL = Buffer.from([0])
+    const parts = [Buffer.from('F'), Buffer.from(transaction.mail_from.address), NUL]
+    for (const rcpt of transaction.rcpt_to) {
+        parts.push(Buffer.from('T'), Buffer.from(rcpt.address), NUL)
+    }
+    parts.push(NUL)
+    return Buffer.concat(parts)
+}
+
 exports.hook_queue = function (next, connection) {
     const plugin = this
 
@@ -72,25 +86,7 @@ exports.hook_queue = function (next, connection) {
             return
         }
         plugin.loginfo('Message Stream sent to qmail. Now sending envelope')
-        // now send envelope
-        // Hope this will be big enough...
-        const buf = Buffer.alloc(4096)
-        let p = 0
-        buf[p++] = 70
-        const mail_from = connection.transaction.mail_from.address()
-        for (let i = 0; i < mail_from.length; i++) {
-            buf[p++] = mail_from.charCodeAt(i)
-        }
-        buf[p++] = 0
-        connection.transaction.rcpt_to.forEach((rcpt) => {
-            buf[p++] = 84
-            const rcpt_to = rcpt.address()
-            for (let j = 0; j < rcpt_to.length; j++) {
-                buf[p++] = rcpt_to.charCodeAt(j)
-            }
-            buf[p++] = 0
-        })
-        buf[p++] = 0
+        const buf = plugin.build_envelope(connection.transaction)
         qmail_queue.stdout.on('error', (err) => {}) // stdout throws an error on close
         qmail_queue.stdout.end(buf)
     })

package/plugins/queue/smtp_forward.js

@@ -7,6 +7,7 @@
 const url = require('node:url')
 
 const smtp_client_mod = require('../../smtp_client')
+const tls_socket = require('../../tls_socket')
 
 exports.register = function () {
     this.load_errs = []
@@ -46,12 +47,19 @@ exports.load_smtp_forward_ini = function () {
                 '-main.check_recipient',
                 '*.enable_tls',
                 '*.enable_outbound',
+                '+tls.requestCert',
+                '+tls.honorCipherOrder',
+                '-tls.rejectUnauthorized',
             ],
         },
         () => {
             this.load_smtp_forward_ini()
         },
     )
+
+    // Build backend TLS options from tls.ini [main] + this plugin's [tls] section.
+    // Re-derived on every (re)load so SIGHUP picks up edits.
+    this.tls_options = tls_socket.load_plugin_tls_options(this.cfg.tls || {})
 }
 
 exports.get_config = function (conn) {
@@ -264,7 +272,7 @@ exports.queue_forward = function (next, connection) {
                 smtp_client.send_command('DATA')
                 return
             }
-            smtp_client.send_command('RCPT', `TO:${txn.rcpt_to[rcpt].format(!smtp_client.smtp_utf8)}`)
+            smtp_client.send_command('RCPT', `TO:${txn.rcpt_to[rcpt].format(!smtp_client.smtputf8)}`)
             rcpt++
         }
 
@@ -354,10 +362,10 @@ exports.get_mx = function (next, hmail, domain) {
     }
 
     // apply auth/mx options
-    mx_opts.forEach((o) => {
-        if (cfg[o] === undefined) return
+    for (const o of mx_opts) {
+        if (cfg[o] === undefined) continue
         mx[o] = this.cfg[dom][o]
-    })
+    }
 
     next(OK, mx)
 }

package/plugins/queue/smtp_proxy.js

@@ -4,7 +4,8 @@
 // and passes back any errors seen on the ongoing server to the
 // originating server.
 
-const smtp_client_mod = require('./smtp_client')
+const smtp_client_mod = require('../../smtp_client')
+const tls_socket = require('../../tls_socket')
 
 exports.register = function () {
     this.load_smtp_proxy_ini()
@@ -18,13 +19,23 @@ exports.load_smtp_proxy_ini = function () {
     this.cfg = this.config.get(
         'smtp_proxy.ini',
         {
-            booleans: ['-main.enable_tls', '+main.enable_outbound'],
+            booleans: [
+                '-main.enable_tls',
+                '+main.enable_outbound',
+                '+tls.requestCert',
+                '+tls.honorCipherOrder',
+                '-tls.rejectUnauthorized',
+            ],
         },
         () => {
             this.load_smtp_proxy_ini()
         },
     )
 
+    // Build backend TLS options from tls.ini [main] + this plugin's [tls] section.
+    // Re-derived on every (re)load so SIGHUP picks up edits.
+    this.tls_options = tls_socket.load_plugin_tls_options(this.cfg.tls || {})
+
     if (this.cfg.main.enable_outbound) {
         this.lognotice('outbound enabled, will default to disabled in Haraka v3 (see #1472)')
     }
@@ -82,7 +93,7 @@ exports.hook_rcpt_ok = (next, connection, recipient) => {
         return
     }
     smtp_client.next = next
-    smtp_client.send_command('RCPT', `TO:${recipient.format(!smtp_client.smtp_utf8)}`)
+    smtp_client.send_command('RCPT', `TO:${recipient.format(!smtp_client.smtputf8)}`)
 }
 
 exports.hook_data = (next, connection) => {

package/plugins/tls.js

@@ -85,6 +85,14 @@ exports.upgrade_connection = function (next, connection, params) {
     /* Watch for STARTTLS directive from client. */
     if (params[0].toUpperCase() !== 'STARTTLS') return next()
 
+    // RFC 3207 §4: discard any plaintext the client pipelined after
+    // STARTTLS. Otherwise connection.respond() restores state to CMD and
+    // re-enters _process_data(), parsing and executing those buffered
+    // cleartext commands before the TLS handshake completes (STARTTLS
+    // command injection). Mirrors the buffer-nuke already used for
+    // SSL-over-plaintext detection in connection.process_line().
+    connection.current_data = null
+
     /* Respond to STARTTLS command. */
     connection.respond(220, 'Go ahead.')
 
@@ -109,7 +117,7 @@ exports.upgrade_connection = function (next, connection, params) {
     connection.notes.cleanUpDisconnect = nextOnce
 
     /* Upgrade the connection to TLS. */
-    connection.client.upgrade((verified, verifyErr, cert, cipher) => {
+    connection.client.upgrade((verified, verifyError, cert, cipher) => {
         if (called_next) return
         clearTimeout(connection.notes.tls_timer)
         called_next = true
@@ -117,12 +125,12 @@ exports.upgrade_connection = function (next, connection, params) {
             connection.setTLS({
                 cipher,
                 verified,
-                authorizationError: verifyErr,
+                verifyError,
                 peerCertificate: cert,
             })
 
             connection.results.add(plugin, connection.tls)
-            plugin.emit_upgrade_msg(connection, verified, verifyErr, cert, cipher)
+            plugin.emit_upgrade_msg(connection, verified, verifyError, cert, cipher)
             next(OK)
         })
     })
@@ -135,13 +143,13 @@ exports.hook_disconnect = (next, connection) => {
     next()
 }
 
-exports.emit_upgrade_msg = function (conn, verified, verifyErr, cert, cipher) {
+exports.emit_upgrade_msg = function (conn, verified, verifyError, cert, cipher) {
     let msg = 'secured:'
     if (cipher) {
         msg += ` cipher=${cipher.name} version=${cipher.version}`
     }
     msg += ` verified=${verified}`
-    if (verifyErr) msg += ` error="${verifyErr}"`
+    if (verifyError) msg += ` error="${verifyError}"`
     if (cert) {
         if (cert.subject) {
             msg += ` cn="${cert.subject.CN}" organization="${cert.subject.O}"`

package/plugins/xclient.js

@@ -110,7 +110,9 @@ exports.hook_unrecognized_command = function (next, connection, params) {
     connection.set('remote.login', xclient.login ? xclient.login : undefined)
     connection.set('hello.host', xclient.helo ? xclient.helo : undefined)
     connection.set('local.ip', xclient.destaddr ? xclient.destaddr : undefined)
-    connection.set('local.port', xclient.destport ? xclient.destport : undefined)
+    // parseInt so downstream numeric checks (e.g. the 587/465 auth-required
+    // gate in connection.cmd_mail) work; matches the PROXY path.
+    connection.set('local.port', xclient.destport ? parseInt(xclient.destport, 10) : undefined)
     if (xclient.proto) {
         connection.set('hello', 'verb', xclient.proto === 'esmtp' ? 'EHLO' : 'HELO')
     }

package/server.js

@@ -175,7 +175,7 @@ Server._graceful = async (shutdown) => {
     const todo = []
 
     for (const id of Object.keys(cluster.workers)) {
-        todo.push((id) => {
+        todo.push(() => {
             return new Promise((resolve) => {
                 Server.lognotice(`Killing worker: ${id}`)
                 const worker = cluster.workers[id]
@@ -223,8 +223,10 @@ Server._graceful = async (shutdown) => {
     }
 
     while (todo.length) {
-        // process batches of workers
-        await Promise.all(todo.splice(0, limit))
+        // process batches of workers: invoke each queued thunk so we
+        // actually await the worker shutdown promises (passing the bare
+        // functions to Promise.all would resolve immediately).
+        await Promise.all(todo.splice(0, limit).map((fn) => fn()))
     }
 
     if (shutdown) {

package/smtp_client.js

@@ -192,7 +192,7 @@ class SMTPClient extends events.EventEmitter {
         client.socket.on('end', closed('ended'))
     }
 
-    load_tls_config(opts = {}) {
+    load_tls_options(opts = {}) {
         this.tls_options = { servername: this.host, ...opts }
     }
 
@@ -312,8 +312,8 @@ exports.onCapabilitiesOutbound = (smtp_client, secured, connection, config, on_s
             // Check if there are any banned TLS hosts
             if (smtp_client.tls_options.no_tls_hosts) {
                 // If there are check if these hosts are in the blacklist
-                hostBanned = net_utils.ip_in_list(smtp_client.tls_config.no_tls_hosts, config.host)
-                serverBanned = net_utils.ip_in_list(smtp_client.tls_config.no_tls_hosts, smtp_client.remote_ip)
+                hostBanned = net_utils.ip_in_list(smtp_client.tls_options.no_tls_hosts, config.host)
+                serverBanned = net_utils.ip_in_list(smtp_client.tls_options.no_tls_hosts, smtp_client.remote_ip)
             }
 
             if (!hostBanned && !serverBanned && config.enable_tls) {
@@ -358,7 +358,7 @@ exports.get_client_plugin = (plugin, connection, c, callback) => {
 
     let secured = false
 
-    smtp_client.load_tls_config(plugin.tls_options)
+    smtp_client.load_tls_options(plugin.tls_options)
 
     smtp_client.call_next = function (retval, msg) {
         if (this.next) {
@@ -369,7 +369,10 @@ exports.get_client_plugin = (plugin, connection, c, callback) => {
     }
 
     smtp_client.on('client_protocol', (line) => {
-        connection.logprotocol(plugin, `C: ${line}`)
+        // Don't leak SASL credentials (e.g. AUTH PLAIN <base64>) into
+        // protocol logs.
+        const safe = String(line).replace(/^(AUTH\s+\S+\s+).+$/i, '$1[redacted]')
+        connection.logprotocol(plugin, `C: ${safe}`)
     })
 
     smtp_client.on('server_protocol', (line) => {
@@ -401,21 +404,27 @@ exports.get_client_plugin = (plugin, connection, c, callback) => {
         if (!c.auth || smtp_client.authenticated) {
             if (smtp_client.is_dead_sender(plugin, connection)) return
 
-            smtp_client.send_command('MAIL', `FROM:${connection.transaction.mail_from.format(!smtp_client.smtp_utf8)}`)
+            smtp_client.send_command('MAIL', `FROM:${connection.transaction.mail_from.format(!smtp_client.smtputf8)}`)
             return
         }
 
         if (c.auth.type === null || typeof c.auth.type === 'undefined') return // Ignore blank
         const auth_type = c.auth.type.toLowerCase()
+        // This listener runs from the socket line handler; an uncaught
+        // throw here crashes the forwarding worker. Route failures
+        // through the existing smtp_client 'error' flow (logwarn +
+        // call_next) so a misconfigured/hostile upstream degrades to a
+        // normal SMTP error path instead.
         if (!smtp_client.auth_capabilities.includes(auth_type)) {
-            throw new Error(
+            return smtp_client.emit(
+                'error',
                 `Auth type "${auth_type}" not supported by server (supports: ${smtp_client.auth_capabilities.join(',')})`,
             )
         }
         switch (auth_type) {
             case 'plain':
                 if (!c.auth.user || !c.auth.pass) {
-                    throw new Error('Must include auth.user and auth.pass for PLAIN auth.')
+                    return smtp_client.emit('error', 'Must include auth.user and auth.pass for PLAIN auth.')
                 }
                 logger.debug(`[smtp_client] uuid=${smtp_client.uuid} authenticating as "${c.auth.user}"`)
                 smtp_client.send_command(
@@ -424,9 +433,9 @@ exports.get_client_plugin = (plugin, connection, c, callback) => {
                 )
                 break
             case 'cram-md5':
-                throw new Error('Not implemented')
+                return smtp_client.emit('error', `AUTH ${auth_type} not implemented`)
             default:
-                throw new Error(`Unknown AUTH type: ${auth_type}`)
+                return smtp_client.emit('error', `Unknown AUTH type: ${auth_type}`)
         }
     })
 
@@ -437,7 +446,7 @@ exports.get_client_plugin = (plugin, connection, c, callback) => {
         if (smtp_client.is_dead_sender(plugin, connection)) return
 
         smtp_client.authenticated = true
-        smtp_client.send_command('MAIL', `FROM:${connection.transaction.mail_from.format(!smtp_client.smtp_utf8)}`)
+        smtp_client.send_command('MAIL', `FROM:${connection.transaction.mail_from.format(!smtp_client.smtputf8)}`)
     })
 
     // these errors only get thrown when the connection is still active

package/test/config/block_me.recipient

@@ -0,0 +1 @@
+blocklist@example.com

package/test/config/block_me.senders

@@ -0,0 +1 @@
+sender@example.com

package/test/connection.js

@@ -676,4 +676,28 @@ describe('connection', () => {
             assert.equal(this.connection.transaction.data_bytes, 0)
         })
     })
+
+    describe('header injection', () => {
+        beforeEach(setUp)
+
+        it('cmd_helo rejects control chars in the host', () => {
+            const r = this.connection.cmd_helo('evil\rINJECTED')
+            assert.match(String(r), /^501/)
+            assert.equal(this.connection.hello.host, null)
+        })
+
+        it('cmd_ehlo rejects control chars in the host', () => {
+            const r = this.connection.cmd_ehlo('evil\r\nINJECTED')
+            assert.match(String(r), /^501/)
+            assert.equal(this.connection.hello.host, null)
+        })
+
+        it('auth_results strips CR/LF so it cannot inject a header', () => {
+            const out = this.connection.auth_results('auth=fail smtp.auth=evil\r\nInjected-Header: pwned')
+            assert.ok(!out.includes('\r\nInjected-Header:'))
+            // the only CRLF present is the legitimate folding (;\r\n\t)
+            assert.equal(out.replace(/;\r\n\t/g, '').includes('\r'), false)
+            assert.equal(out.replace(/;\r\n\t/g, '').includes('\n'), false)
+        })
+    })
 })

package/test/outbound/bounce_net_errors.js

@@ -98,9 +98,10 @@ const testCases = [
         trigger: (h) => HMailItem.prototype.get_mx_error.apply(h, [{ code: 'SOME-OTHER-ERR' }, {}]),
     },
     {
-        name: 'found_mx with empty exchange triggers bounce with dsn_status 5.1.2',
+        // RFC 7505 NULL MX → DSN.addr_null_mx → 5.1.10 (per haraka-dsn).
+        name: 'found_mx with NULL MX (RFC 7505) triggers bounce with dsn_status 5.1.10',
         method: 'bounce',
-        status: '5.1.2',
+        status: '5.1.10',
         trigger: (h) => HMailItem.prototype.found_mx.apply(h, [[{ priority: 0, exchange: '' }]]),
     },
     {

package/test/plugins/auth/auth_bridge.js

@@ -0,0 +1,80 @@
+'use strict'
+
+const assert = require('node:assert')
+const { describe, it, beforeEach } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+
+describe('auth/auth_bridge', () => {
+    let plugin
+
+    beforeEach(() => {
+        plugin = new fixtures.plugin('auth/auth_bridge')
+        plugin.load_flat_ini()
+    })
+
+    describe('load_flat_ini', () => {
+        it('loads smtp_bridge.ini config', () => {
+            assert.ok(plugin.cfg)
+            assert.ok(plugin.cfg.main)
+        })
+
+        it('cfg.main.host defaults to localhost', () => {
+            assert.equal(plugin.cfg.main.host, 'localhost')
+        })
+    })
+
+    describe('check_plain_passwd', () => {
+        let conn
+
+        beforeEach(() => {
+            conn = fixtures.connection.createConnection()
+        })
+
+        it('calls try_auth_proxy with just host when no port configured', (t, done) => {
+            plugin.cfg.main = { host: 'mail.example.com' }
+            plugin.try_auth_proxy = (connection, host, user, passwd, cb) => {
+                assert.equal(host, 'mail.example.com')
+                assert.equal(user, 'testuser')
+                assert.equal(passwd, 'testpass')
+                cb(true)
+            }
+            plugin.check_plain_passwd(conn, 'testuser', 'testpass', (result) => {
+                assert.equal(result, true)
+                done()
+            })
+        })
+
+        it('calls try_auth_proxy with host:port when port is configured', (t, done) => {
+            plugin.cfg.main = { host: 'mail.example.com', port: '587' }
+            plugin.try_auth_proxy = (connection, host, user, passwd, cb) => {
+                assert.equal(host, 'mail.example.com:587')
+                cb(true)
+            }
+            plugin.check_plain_passwd(conn, 'testuser', 'testpass', (result) => {
+                assert.equal(result, true)
+                done()
+            })
+        })
+
+        it('passes authentication failure through to callback', (t, done) => {
+            plugin.cfg.main = { host: 'mail.example.com' }
+            plugin.try_auth_proxy = (connection, host, user, passwd, cb) => {
+                cb(false)
+            }
+            plugin.check_plain_passwd(conn, 'baduser', 'badpass', (result) => {
+                assert.equal(result, false)
+                done()
+            })
+        })
+
+        it('passes the connection object to try_auth_proxy', (t, done) => {
+            plugin.cfg.main = { host: 'mail.example.com' }
+            plugin.try_auth_proxy = (connection, host, user, passwd, cb) => {
+                assert.equal(connection, conn)
+                cb(true)
+            }
+            plugin.check_plain_passwd(conn, 'user', 'pass', () => done())
+        })
+    })
+})

package/test/plugins/auth/flat_file.js

@@ -0,0 +1,128 @@
+'use strict'
+
+const assert = require('node:assert')
+const { describe, it, beforeEach } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+
+function makeConnection(opts = {}) {
+    const conn = fixtures.connection.createConnection()
+    conn.capabilities = []
+    conn.notes.allowed_auth_methods = []
+    conn.remote = { is_private: opts.is_private ?? false }
+    conn.tls = { enabled: opts.tls_enabled ?? false }
+    return conn
+}
+
+describe('auth/flat_file', () => {
+    let plugin
+
+    beforeEach(() => {
+        plugin = new fixtures.plugin('auth/flat_file')
+        plugin.inherits('auth/auth_base')
+        plugin.load_flat_ini()
+    })
+
+    describe('load_flat_ini', () => {
+        it('populates cfg.users as an object', () => {
+            assert.ok(typeof plugin.cfg.users === 'object')
+        })
+
+        it('cfg.users defaults to empty object when not configured', () => {
+            // default config has no real users
+            assert.deepEqual(plugin.cfg.users, {})
+        })
+    })
+
+    describe('hook_capabilities', () => {
+        let conn
+
+        beforeEach(() => {
+            conn = makeConnection()
+        })
+
+        it('skips for public non-TLS connection', (t, done) => {
+            plugin.hook_capabilities((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(conn.capabilities.length, 0)
+                done()
+            }, conn)
+        })
+
+        it('adds AUTH methods for private connection (non-TLS)', (t, done) => {
+            conn.remote.is_private = true
+            plugin.cfg.core.methods = 'PLAIN,LOGIN'
+            plugin.hook_capabilities((rc) => {
+                assert.equal(rc, undefined)
+                assert.ok(
+                    conn.capabilities.some((c) => c.startsWith('AUTH ')),
+                    'AUTH capability should be present',
+                )
+                done()
+            }, conn)
+        })
+
+        it('adds AUTH methods when TLS is enabled', (t, done) => {
+            conn.tls.enabled = true
+            plugin.cfg.core.methods = 'PLAIN,LOGIN'
+            plugin.hook_capabilities((rc) => {
+                assert.equal(rc, undefined)
+                assert.ok(conn.capabilities.some((c) => c.startsWith('AUTH ')))
+                done()
+            }, conn)
+        })
+
+        it('sets allowed_auth_methods on connection notes', (t, done) => {
+            conn.tls.enabled = true
+            plugin.cfg.core.methods = 'PLAIN,LOGIN'
+            plugin.hook_capabilities(() => {
+                assert.deepEqual(conn.notes.allowed_auth_methods, ['PLAIN', 'LOGIN'])
+                done()
+            }, conn)
+        })
+
+        it('does not add AUTH when no methods configured', (t, done) => {
+            conn.tls.enabled = true
+            plugin.cfg.core.methods = null
+            plugin.hook_capabilities(() => {
+                assert.equal(conn.capabilities.length, 0)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('get_plain_passwd', () => {
+        beforeEach(() => {
+            plugin.cfg.users = { alice: 'secret', bob: 'hunter2' }
+        })
+
+        it('returns password for known user', (t, done) => {
+            plugin.get_plain_passwd('alice', {}, (pw) => {
+                assert.equal(pw, 'secret')
+                done()
+            })
+        })
+
+        it('calls cb with no args for unknown user', (t, done) => {
+            plugin.get_plain_passwd('unknown', {}, (pw) => {
+                assert.equal(pw, undefined)
+                done()
+            })
+        })
+
+        it('handles multiple users', (t, done) => {
+            plugin.get_plain_passwd('bob', {}, (pw) => {
+                assert.equal(pw, 'hunter2')
+                done()
+            })
+        })
+
+        it('coerces password to string via toString()', (t, done) => {
+            plugin.cfg.users.numericuser = 12345
+            plugin.get_plain_passwd('numericuser', {}, (pw) => {
+                assert.equal(pw, '12345')
+                done()
+            })
+        })
+    })
+})