Haraka 3.1.6 → 3.2.0

package/connection.js

@@ -12,7 +12,7 @@ const constants = require('haraka-constants')
 const net_utils = require('haraka-net-utils')
 const Notes = require('haraka-notes')
 const utils = require('haraka-utils')
-const { Address } = require('address-rfc2821')
+const { Address } = require('./address')
 const ResultStore = require('haraka-results')
 
 // Haraka libs
@@ -329,7 +329,7 @@ class Connection {
                 } catch (err) {
                     if (err.stack) {
                         this.logerror(`${method} failed: ${err}`)
-                        err.stack.split('\n').forEach(this.logerror)
+                        for (const line of err.stack.split('\n')) this.logerror(line)
                     } else {
                         this.logerror(`${method} failed: ${err}`)
                     }
@@ -1039,7 +1039,7 @@ class Connection {
         this.lognotice(dmsg, {
             code: constants.translate(retval === constants.cont ? constants.ok : retval),
             msg: msg || '',
-            sender: this.transaction.mail_from.address(),
+            sender: this.transaction.mail_from.address,
         })
         switch (retval) {
             case constants.deny:
@@ -1089,7 +1089,7 @@ class Connection {
             this.lognotice(dmsg, {
                 code: constants.translate(retval === constants.cont ? constants.ok : retval),
                 msg: msg || '',
-                sender: this.transaction.mail_from.address(),
+                sender: this.transaction.mail_from.address,
             })
         }
         switch (retval) {
@@ -1234,6 +1234,13 @@ class Connection {
         if (!host) {
             return this.respond(501, 'HELO requires domain/address - see RFC-2821 4.1.1.1')
         }
+        // RFC 5321 §4.1.1.1: the domain/address-literal cannot contain
+        // control characters. process_line() only strips the first \r?\n,
+        // so a bare \r could otherwise survive into hello.host and the
+        // generated Received: header / logs (header injection).
+        if (/[\x00-\x1f\x7f]/.test(host)) {
+            return this.respond(501, 'HELO syntax error - see RFC-2821 4.1.1.1')
+        }
 
         this.reset_transaction(() => {
             this.set('hello', 'verb', 'HELO')
@@ -1248,6 +1255,10 @@ class Connection {
         if (!host) {
             return this.respond(501, 'EHLO requires domain/address - see RFC-2821 4.1.1.1')
         }
+        // RFC 5321 §4.1.1.1: reject control chars (see cmd_helo).
+        if (/[\x00-\x1f\x7f]/.test(host)) {
+            return this.respond(501, 'EHLO syntax error - see RFC-2821 4.1.1.1')
+        }
 
         this.reset_transaction(() => {
             this.set('hello', 'verb', 'EHLO')
@@ -1320,10 +1331,10 @@ class Connection {
 
         // Get rest of key=value pairs
         const params = {}
-        results.forEach((param) => {
+        for (const param of results) {
             const kv = param.match(/^([^=]+)(?:=(.+))?$/)
             if (kv) params[kv[1].toUpperCase()] = kv[2] || null
-        })
+        }
 
         // Parameters are only valid if EHLO was sent
         if (!this.esmtp && Object.keys(params).length > 0) {
@@ -1379,10 +1390,10 @@ class Connection {
 
         // Get rest of key=value pairs
         const params = {}
-        results.forEach((param) => {
+        for (const param of results) {
             const kv = param.match(/^([^=]+)(?:=(.+))?$/)
             if (kv) params[kv[1].toUpperCase()] = kv[2] || null
-        })
+        }
 
         // Parameters are only valid if EHLO was sent
         if (!this.esmtp && Object.keys(params).length > 0) {
@@ -1433,17 +1444,23 @@ class Connection {
             this.transaction.notes.authentication_results = []
         }
 
+        // Strip CR/LF and other control chars: an attacker-influenced
+        // value (e.g. a failed AUTH username, see auth_base) must not be
+        // able to inject extra header lines into Authentication-Results.
+        // The legitimate folding (;\r\n\t) is added by the join below.
+        const ar_clean = (s) => String(s).replace(/[\x00-\x1f\x7f]/g, '')
+
         // if message, store it in the appropriate note
         if (message) {
             if (has_tran === true) {
-                this.transaction.notes.authentication_results.push(message)
+                this.transaction.notes.authentication_results.push(ar_clean(message))
             } else {
-                this.notes.authentication_results.push(message)
+                this.notes.authentication_results.push(ar_clean(message))
             }
         }
 
         // assemble the new header
-        let header = [this.local.host, ...this.notes.authentication_results]
+        let header = [ar_clean(this.local.host), ...this.notes.authentication_results]
         if (has_tran === true) {
             header = [...header, ...this.transaction.notes.authentication_results]
         }

package/docs/Outbound.md

@@ -203,7 +203,7 @@ Options accepted by `send_email(from, to, contents, next, options)`:
 
 To send an already-built `Transaction` directly, use `outbound.send_trans_email(transaction, next)`. This is what `send_email()` calls internally and fires the `pre_send_trans_email` hook.
 
-<a name="fn1">1</a>: `Address` objects are [address-rfc2821](https://github.com/haraka/node-address-rfc2821) objects.
+<a name="fn1">1</a>: `Address` objects are [@haraka/email-address](https://github.com/haraka/email-address) objects.
 
 [url-tls]: plugins/tls.md
 [url-harakamx]: https://github.com/haraka/haraka-net-utils?tab=readme-ov-file#harakamx

package/docs/Transaction.md

@@ -132,4 +132,4 @@ Append a banner to the end of the message. If `html` is omitted, each newline in
 
 Register a filter applied to body parts. `ct_match` is either a regex matched against the content-type line, or a string matched as a prefix (e.g. `/^text\/html/` or `'text/plain'`). `filter` receives `(content_type, encoding, buffer)` and must return a `Buffer` with the replacement body (in the same encoding).
 
-[address]: https://github.com/haraka/node-address-rfc2821
+[address]: https://github.com/haraka/email-address

package/docs/plugins/queue/smtp_forward.md

@@ -38,9 +38,7 @@ Configuration is stored in smtp_forward.ini in the following keys:
 
 - enable_tls=[true]
 
-  Enable TLS with the forward host (if supported). TLS uses options from the tls plugin. If key and cert are provided in the the outbound section of the tls plugin, that certificate will be used as a TLS Client Certificate.
-
-  This option controls the use of TLS via `STARTTLS`. This plugin does not work with SMTP over TLS.
+  Enable opportunistic TLS with the forward host via `STARTTLS` (if the host advertises it). This plugin does not work with implicit SMTP over TLS.
 
 - auth_type=[plain\|login]
 
@@ -69,6 +67,24 @@ Configuration is stored in smtp_forward.ini in the following keys:
   [example.com]
   [example.net]
 
+- [tls]
+
+Client STARTTLS options are assembled by merging:
+
+1. `tls.ini` `[main]` — the global Haraka TLS config
+2. `smtp_forward.ini` `[tls]` — overrides. Anything set here wins.
+
+Example `smtp_forward.ini` `[tls]` section:
+
+    [tls]
+    rejectUnauthorized=true
+    minVersion=TLSv1.2
+    no_tls_hosts[]=10.0.0.5
+
+Per-domain `enable_tls=false` still disables STARTTLS for that backend. Per-domain TLS cipher/cert overrides are not currently supported.
+
+Changes to `tls.ini` require a Haraka restart to apply to the forward path; changes to `smtp_forward.ini` are picked up by the existing reload hook.
+
 # Per-Domain Configuration
 
 More specific forward routes for domains can be defined. The domain is chosen based on the value of the `domain_selector` config variable.

package/docs/plugins/queue/smtp_proxy.md

@@ -44,8 +44,7 @@ Configuration is stored in smtp_proxy.ini in the following keys:
 
 - enable_tls=[true|yes|1]
 
-  Enable TLS with the forward host (if supported). TLS uses options from
-  the tls plugin.
+  Enable opportunistic TLS with the forward host via `STARTTLS` (if the host advertises it).
 
 - auth_type=[plain|login]
 
@@ -58,3 +57,12 @@ Configuration is stored in smtp_proxy.ini in the following keys:
 - auth_pass=PASSWORD
 
   SMTP AUTH password to use.
+
+- [tls]
+
+Client STARTTLS options are assembled by merging:
+
+1. `tls.ini` `[main]` — the global Haraka TLS config.
+2. `smtp_proxy.ini` `[tls]` — overrides. Anything set here wins.
+
+Changes to `tls.ini` require a Haraka restart to apply to the proxy path; changes to `smtp_proxy.ini` are picked up by the existing reload hook.

package/docs/plugins/status.md

@@ -11,15 +11,31 @@ This plugin allows to get internal status of queues and pools with SMTP commands
 
 ```
 < 220 example.com ESMTP Haraka ready
-> STATUS QUEUE LIST
+> STATUS QUEUE INSPECT
 < 211 {"delivery_queue":[],"temp_fail_queue":[]}
 ```
 
 ## Available commands list
 
-- `STATUS POOL LIST` - list of active pools
-- `STATUS QUEUE STATS` - queue statistics in format "<in_progress>/<delivery_queue length>/<temp_fail_queue length>"
-- `STATUS QUEUE LIST` - list of parsed queue files with _uuid, domain, mail_from, rcpt_to_ attributes
-- `STATUS QUEUE INSPECT` - returns content of _outbound.delivery_queue_ and _outbound.temp_fail_queue_
+- `STATUS POOL LIST` - map of active outbound connection pools, keyed by `host:port`
+- `STATUS QUEUE STATS` - queue statistics in format `"<in_progress>/<delivery_queue length>/<temp_fail_queue length>"`
+- `STATUS QUEUE LIST` - list of queue files on disk with _uuid, domain, mail_from, rcpt_to_ attributes
+- `STATUS QUEUE INSPECT` - returns merged content of `outbound.delivery_queue` and `outbound.temp_fail_queue` across all workers
 - `STATUS QUEUE DISCARD file` - stop delivering email file
 - `STATUS QUEUE PUSH file` - try to re-deliver email immediately
+
+## Notes
+
+### Live data only
+
+`POOL LIST`, `QUEUE STATS`, and `QUEUE INSPECT` reflect live in-memory state. They show only messages currently being processed or waiting in the retry queue. `QUEUE LIST` reads queue files from disk and may show messages that have already been delivered if they haven't been cleaned up yet.
+
+### Cluster mode
+
+In cluster mode, `POOL LIST`, `QUEUE STATS`, and `QUEUE INSPECT` aggregate results from all worker processes into a single response:
+
+- `POOL LIST` — pool maps from all workers are merged into one object
+- `QUEUE STATS` — counters from all workers are summed into a single `"N/N/N"` string
+- `QUEUE INSPECT` — `delivery_queue` and `temp_fail_queue` arrays from all workers are concatenated
+
+`QUEUE LIST` always runs on the master process since it reads shared queue files from disk.

package/haraka.js

@@ -25,7 +25,7 @@ exports.version = utils.getVersion(__dirname)
 
 process.on('uncaughtException', (err) => {
     if (err.stack) {
-        err.stack.split('\n').forEach((line) => logger.crit(line))
+        for (const line of err.stack.split('\n')) logger.crit(line)
     } else {
         logger.crit(`Caught exception: ${JSON.stringify(err)}`)
     }

package/outbound/hmail.js

@@ -7,7 +7,7 @@ const dns = require('node:dns')
 const net = require('node:net')
 const path = require('node:path')
 
-const { Address } = require('address-rfc2821')
+const { Address } = require('../address')
 const config = require('haraka-config')
 const constants = require('haraka-constants')
 const DSN = require('haraka-dsn')
@@ -266,12 +266,12 @@ class HMailItem extends events.EventEmitter {
     }
 
     async found_mx(mxs) {
-        // support draft-delany-nullmx-02
+        // support RFC 7505 null MX
         if (mxs.length === 1 && mxs[0].priority === 0 && mxs[0].exchange === '') {
             for (const rcpt of this.todo.rcpt_to) {
                 this.extend_rcpt_with_dsn(
                     rcpt,
-                    DSN.addr_bad_dest_system(`Domain ${this.todo.domain} sends and receives no email (NULL MX)`),
+                    DSN.addr_null_mx(`Domain ${this.todo.domain} sends and receives no email (NULL MX)`),
                 )
             }
             return this.bounce(`Domain ${this.todo.domain} sends and receives no email (NULL MX)`)
@@ -459,7 +459,7 @@ class HMailItem extends events.EventEmitter {
                 } else if (r.toUpperCase() === 'ENHANCEDSTATUSCODES') {
                     smtp_properties.enh_status_codes = true
                 } else if (r.toUpperCase() === 'SMTPUTF8') {
-                    smtp_properties.smtp_utf8 = true
+                    smtp_properties.smtputf8 = true
                 } else {
                     // Check for SIZE parameter and limit
                     let matches = r.match(/^SIZE\s+(\d+)$/)
@@ -476,9 +476,9 @@ class HMailItem extends events.EventEmitter {
         }
 
         function get_reverse_path_with_params() {
-            const rp = self.todo.mail_from.format(!smtp_properties.smtp_utf8)
+            const rp = self.todo.mail_from.format(!smtp_properties.smtputf8)
             let rp_params = ''
-            if (smtp_properties.smtp_utf8 && has_non_ascii(rp)) rp_params += ' SMTPUTF8'
+            if (smtp_properties.smtputf8 && has_non_ascii(rp)) rp_params += ' SMTPUTF8'
             return `FROM:${rp}${rp_params}`
         }
 
@@ -678,12 +678,12 @@ class HMailItem extends events.EventEmitter {
                 processing_mail = false
                 // Release back to the pool and instruct it to terminate this connection
                 client_pool.release_client(socket, mx)
-                self.todo.rcpt_to.forEach((rcpt) => {
+                for (const rcpt of self.todo.rcpt_to) {
                     self.extend_rcpt_with_dsn(
                         rcpt,
                         DSN.proto_invalid_command(`Unrecognized response from upstream server: ${line}`),
                     )
-                })
+                }
                 self.bounce(`Unrecognized response from upstream server: ${line}`, { mx })
                 return
             }
@@ -720,14 +720,14 @@ class HMailItem extends events.EventEmitter {
                 }
                 // Error
                 reason = response.join(' ')
-                recipients.forEach((rcpt) => {
+                for (const rcpt of recipients) {
                     rcpt.dsn_action = 'delayed'
                     rcpt.dsn_smtp_code = code
                     rcpt.dsn_smtp_extc = extc
                     rcpt.dsn_status = extc
                     rcpt.dsn_smtp_response = response.join(' ')
                     rcpt.dsn_remote_mta = mx.exchange
-                })
+                }
                 send_command('QUIT')
                 processing_mail = false
                 return self.temp_fail(`Upstream error: ${code} ${extc ? `${extc} ` : ''}${reason}`)
@@ -756,14 +756,14 @@ class HMailItem extends events.EventEmitter {
                     }
                 } else if (processing_mail) {
                     reason = response.join(' ')
-                    recipients.forEach((rcpt) => {
+                    for (const rcpt of recipients) {
                         rcpt.dsn_action = 'delayed'
                         rcpt.dsn_smtp_code = code
                         rcpt.dsn_smtp_extc = extc
                         rcpt.dsn_status = extc
                         rcpt.dsn_smtp_response = response.join(' ')
                         rcpt.dsn_remote_mta = mx.exchange
-                    })
+                    }
                     send_command('QUIT')
                     processing_mail = false
                     return self.temp_fail(`Upstream error: ${code} ${extc ? `${extc} ` : ''}${reason}`)
@@ -803,14 +803,14 @@ class HMailItem extends events.EventEmitter {
                         }
                     }
                 } else {
-                    recipients.forEach((rcpt) => {
+                    for (const rcpt of recipients) {
                         rcpt.dsn_action = 'failed'
                         rcpt.dsn_smtp_code = code
                         rcpt.dsn_smtp_extc = extc
                         rcpt.dsn_status = extc
                         rcpt.dsn_smtp_response = response.join(' ')
                         rcpt.dsn_remote_mta = mx.exchange
-                    })
+                    }
                     send_command('QUIT')
                     processing_mail = false
                     return self.bounce(reason, { mx })
@@ -871,7 +871,7 @@ class HMailItem extends events.EventEmitter {
                 case 'mail':
                     last_recip = recipients[recip_index]
                     recip_index++
-                    send_command('RCPT', `TO:${last_recip.format(!smtp_properties.smtp_utf8)}`)
+                    send_command('RCPT', `TO:${last_recip.format(!smtp_properties.smtputf8)}`)
                     break
                 case 'rcpt':
                     if (last_recip && code.match(/^250/)) {
@@ -887,7 +887,7 @@ class HMailItem extends events.EventEmitter {
                     } else {
                         last_recip = recipients[recip_index]
                         recip_index++
-                        send_command('RCPT', `TO:${last_recip.format(!smtp_properties.smtp_utf8)}`)
+                        send_command('RCPT', `TO:${last_recip.format(!smtp_properties.smtputf8)}`)
                     }
                     break
                 case 'data': {
@@ -1036,7 +1036,7 @@ class HMailItem extends events.EventEmitter {
             msgid: `<${utils.uuid()}@${net_utils.get_primary_host_name()}>`,
         }
 
-        bounce_msg_.forEach((line) => {
+        for (let line of bounce_msg_) {
             line = line.replace(/\{(\w+)\}/g, (i, word) => values[word] || '?')
 
             if (bounce_headers_done == false && line == '') {
@@ -1046,7 +1046,7 @@ class HMailItem extends events.EventEmitter {
             } else if (bounce_headers_done == true) {
                 bounce_body_lines.push(line)
             }
-        })
+        }
 
         const escaped_chars = {
             '&': 'amp',
@@ -1059,7 +1059,7 @@ class HMailItem extends events.EventEmitter {
         }
         const escape_pattern = new RegExp(`[${Object.keys(escaped_chars).join('')}]`, 'g')
 
-        bounce_msg_html_.forEach((line) => {
+        for (let line of bounce_msg_html_) {
             line = line.replace(/\{(\w+)\}/g, (i, word) => {
                 if (word in values) {
                     return String(values[word]).replace(escape_pattern, (m) => `&${escaped_chars[m]};`)
@@ -1069,18 +1069,18 @@ class HMailItem extends events.EventEmitter {
             })
 
             bounce_html_lines.push(line)
-        })
+        }
 
-        bounce_msg_image_.forEach((line) => {
+        for (const line of bounce_msg_image_) {
             bounce_image_lines.push(line)
-        })
+        }
 
         const boundary = `boundary_${utils.uuid()}`
         const bounce_body = []
 
-        bounce_header_lines.forEach((line) => {
+        for (const line of bounce_header_lines) {
             bounce_body.push(`${line}${CRLF}`)
-        })
+        }
         bounce_body.push(
             `Content-Type: multipart/report; report-type=delivery-status;${CRLF}    boundary="${boundary}"${CRLF}`,
         )
@@ -1108,18 +1108,18 @@ class HMailItem extends events.EventEmitter {
         bounce_body.push(`--${boundary}${boundary_incr}${CRLF}`)
         bounce_body.push(`Content-Type: text/plain; charset=us-ascii${CRLF}`)
         bounce_body.push(CRLF)
-        bounce_body_lines.forEach((line) => {
+        for (const line of bounce_body_lines) {
             bounce_body.push(`${line}${CRLF}`)
-        })
+        }
         bounce_body.push(CRLF)
 
         if (bounce_html_lines.length > 1) {
             bounce_body.push(`--${boundary}${boundary_incr}${CRLF}`)
             bounce_body.push(`Content-Type: text/html; charset=us-ascii${CRLF}`)
             bounce_body.push(CRLF)
-            bounce_html_lines.forEach((line) => {
+            for (const line of bounce_html_lines) {
                 bounce_body.push(`${line}${CRLF}`)
-            })
+            }
             bounce_body.push(CRLF)
             bounce_body.push(`--${boundary}${boundary_incr}--${CRLF}`)
 
@@ -1128,9 +1128,9 @@ class HMailItem extends events.EventEmitter {
                 bounce_body.push(`--${boundary}${boundary_incr}${CRLF}`)
                 //bounce_body.push(`Content-Type: text/html; charset=us-ascii${CRLF}`);
                 //bounce_body.push(CRLF);
-                bounce_image_lines.forEach((line) => {
+                for (const line of bounce_image_lines) {
                     bounce_body.push(`${line}${CRLF}`)
-                })
+                }
                 bounce_body.push(CRLF)
                 bounce_body.push(`--${boundary}${boundary_incr}--${CRLF}`)
             }
@@ -1146,9 +1146,9 @@ class HMailItem extends events.EventEmitter {
         if (this.todo.queue_time) {
             bounce_body.push(`Arrival-Date: ${utils.date_to_str(new Date(this.todo.queue_time))}${CRLF}`)
         }
-        this.todo.rcpt_to.forEach((rcpt_to) => {
+        for (const rcpt_to of this.todo.rcpt_to) {
             bounce_body.push(CRLF)
-            bounce_body.push(`Final-Recipient: rfc822;${rcpt_to.address()}${CRLF}`)
+            bounce_body.push(`Final-Recipient: rfc822;${rcpt_to.address}${CRLF}`)
             let dsn_action = null
             if (rcpt_to.dsn_action) {
                 dsn_action = rcpt_to.dsn_action
@@ -1208,16 +1208,16 @@ class HMailItem extends events.EventEmitter {
             if (diag_code != null) {
                 bounce_body.push(`Diagnostic-Code: ${diag_code}${CRLF}`)
             }
-        })
+        }
         bounce_body.push(CRLF)
 
         bounce_body.push(`--${boundary}${CRLF}`)
         bounce_body.push(`Content-Description: Undelivered Message Headers${CRLF}`)
         bounce_body.push(`Content-Type: text/rfc822-headers${CRLF}`)
         bounce_body.push(CRLF)
-        header.header_list.forEach((line) => {
+        for (const line of header.header_list) {
             bounce_body.push(line)
-        })
+        }
         bounce_body.push(CRLF)
 
         bounce_body.push(`--${boundary}--${CRLF}`)
@@ -1322,12 +1322,12 @@ class HMailItem extends events.EventEmitter {
     }
 
     convert_temp_failed_to_bounce(err, extra) {
-        this.todo.rcpt_to.forEach((rcpt_to) => {
+        for (const rcpt_to of this.todo.rcpt_to) {
             rcpt_to.dsn_action = 'failed'
             if (rcpt_to.dsn_status) {
                 rcpt_to.dsn_status = `${rcpt_to.dsn_status}`.replace(/^4/, '5')
             }
-        })
+        }
         return this.bounce(err, extra)
     }
 
@@ -1446,9 +1446,9 @@ class HMailItem extends events.EventEmitter {
         })
         function err_handler(err, location) {
             logger.error(this, `Error while splitting to new recipients (${location}): ${err}`)
-            hmail.todo.rcpt_to.forEach((rcpt) => {
+            for (const rcpt of hmail.todo.rcpt_to) {
                 hmail.extend_rcpt_with_dsn(rcpt, DSN.sys_unspecified(`Error splitting to new recipients: ${err}`))
-            })
+            }
             hmail.bounce(`Error splitting to new recipients: ${err}`)
         }
 
@@ -1486,9 +1486,9 @@ class HMailItem extends events.EventEmitter {
         ws.on('error', (err) => {
             logger.error(this, `Unable to write queue file (${fname}): ${err}`)
             ws.destroy()
-            hmail.todo.rcpt_to.forEach((rcpt) => {
+            for (const rcpt of hmail.todo.rcpt_to) {
                 hmail.extend_rcpt_with_dsn(rcpt, DSN.sys_unspecified(`Error re-queueing some recipients: ${err}`))
-            })
+            }
             hmail.bounce(`Error re-queueing some recipients: ${err}`)
         })
 

package/outbound/index.js

@@ -3,7 +3,7 @@
 const fs = require('node:fs/promises')
 const path = require('node:path')
 
-const { Address } = require('address-rfc2821')
+const { Address } = require('../address')
 const config = require('haraka-config')
 const constants = require('haraka-constants')
 const net_utils = require('haraka-net-utils')
@@ -200,16 +200,16 @@ function get_deliveries(transaction) {
 
     // First get each domain
     const recips = {}
-    transaction.rcpt_to.forEach((rcpt) => {
+    for (const rcpt of transaction.rcpt_to) {
         const domain = rcpt.host
         if (!recips[domain]) {
             recips[domain] = []
         }
         recips[domain].push(rcpt)
-    })
-    Object.keys(recips).forEach((domain) => {
+    }
+    for (const domain of Object.keys(recips)) {
         deliveries.push({ domain, rcpts: recips[domain] })
-    })
+    }
     return deliveries
 }
 

package/outbound/queue.js

@@ -4,7 +4,7 @@ const child_process = require('node:child_process')
 const fs = require('node:fs/promises')
 const path = require('node:path')
 
-const { Address } = require('address-rfc2821')
+const { Address } = require('../address')
 const config = require('haraka-config')
 
 const logger = require('../logger')

package/outbound/tls.js

@@ -8,18 +8,6 @@ const hkredis = require('haraka-plugin-redis')
 const logger = require('../logger')
 const tls_socket = require('../tls_socket')
 
-const inheritable_opts = [
-    'key',
-    'cert',
-    'ciphers',
-    'minVersion',
-    'dhparam',
-    'requestCert',
-    'honorCipherOrder',
-    'rejectUnauthorized',
-    'force_tls_hosts',
-]
-
 class OutboundTLS {
     constructor() {
         this.config = config
@@ -34,37 +22,8 @@ class OutboundTLS {
 
     load_config() {
         const tls_cfg = tls_socket.load_tls_ini({ role: 'client' })
-        const cfg = JSON.parse(JSON.stringify(tls_cfg.outbound || {}))
-        cfg.redis = tls_cfg.redis // Don't clone - contains methods
-
-        for (const opt of inheritable_opts) {
-            if (cfg[opt] !== undefined) continue // option set in [outbound]
-            if (tls_cfg.main[opt] === undefined) continue // opt unset in tls.ini[main]
-            cfg[opt] = tls_cfg.main[opt] // use value from [main] section
-        }
-
-        if (cfg.key) {
-            if (Array.isArray(cfg.key)) {
-                cfg.key = cfg.key[0]
-            }
-            cfg.key = this.config.get(cfg.key, 'binary')
-        }
-
-        if (cfg.dhparam) {
-            cfg.dhparam = this.config.get(cfg.dhparam, 'binary')
-        }
-
-        if (cfg.cert) {
-            if (Array.isArray(cfg.cert)) {
-                cfg.cert = cfg.cert[0]
-            }
-            cfg.cert = this.config.get(cfg.cert, 'binary')
-        }
-
-        if (!cfg.no_tls_hosts) cfg.no_tls_hosts = []
-        if (!cfg.force_tls_hosts) cfg.force_tls_hosts = []
-
-        this.cfg = cfg
+        this.cfg = tls_socket.load_plugin_tls_options(tls_cfg.outbound || {})
+        this.cfg.redis = tls_cfg.redis // outbound-only: TLS NO-GO db (don't clone — has methods)
     }
 
     init(cb) {