Haraka 3.1.6 → 3.2.0

package/smtp_client.js

@@ -192,7 +192,7 @@ class SMTPClient extends events.EventEmitter {
         client.socket.on('end', closed('ended'))
     }
 
-    load_tls_config(opts = {}) {
+    load_tls_options(opts = {}) {
         this.tls_options = { servername: this.host, ...opts }
     }
 
@@ -312,8 +312,8 @@ exports.onCapabilitiesOutbound = (smtp_client, secured, connection, config, on_s
             // Check if there are any banned TLS hosts
             if (smtp_client.tls_options.no_tls_hosts) {
                 // If there are check if these hosts are in the blacklist
-                hostBanned = net_utils.ip_in_list(smtp_client.tls_config.no_tls_hosts, config.host)
-                serverBanned = net_utils.ip_in_list(smtp_client.tls_config.no_tls_hosts, smtp_client.remote_ip)
+                hostBanned = net_utils.ip_in_list(smtp_client.tls_options.no_tls_hosts, config.host)
+                serverBanned = net_utils.ip_in_list(smtp_client.tls_options.no_tls_hosts, smtp_client.remote_ip)
             }
 
             if (!hostBanned && !serverBanned && config.enable_tls) {
@@ -358,7 +358,7 @@ exports.get_client_plugin = (plugin, connection, c, callback) => {
 
     let secured = false
 
-    smtp_client.load_tls_config(plugin.tls_options)
+    smtp_client.load_tls_options(plugin.tls_options)
 
     smtp_client.call_next = function (retval, msg) {
         if (this.next) {
@@ -369,7 +369,10 @@ exports.get_client_plugin = (plugin, connection, c, callback) => {
     }
 
     smtp_client.on('client_protocol', (line) => {
-        connection.logprotocol(plugin, `C: ${line}`)
+        // Don't leak SASL credentials (e.g. AUTH PLAIN <base64>) into
+        // protocol logs.
+        const safe = String(line).replace(/^(AUTH\s+\S+\s+).+$/i, '$1[redacted]')
+        connection.logprotocol(plugin, `C: ${safe}`)
     })
 
     smtp_client.on('server_protocol', (line) => {
@@ -401,21 +404,27 @@ exports.get_client_plugin = (plugin, connection, c, callback) => {
         if (!c.auth || smtp_client.authenticated) {
             if (smtp_client.is_dead_sender(plugin, connection)) return
 
-            smtp_client.send_command('MAIL', `FROM:${connection.transaction.mail_from.format(!smtp_client.smtp_utf8)}`)
+            smtp_client.send_command('MAIL', `FROM:${connection.transaction.mail_from.format(!smtp_client.smtputf8)}`)
             return
         }
 
         if (c.auth.type === null || typeof c.auth.type === 'undefined') return // Ignore blank
         const auth_type = c.auth.type.toLowerCase()
+        // This listener runs from the socket line handler; an uncaught
+        // throw here crashes the forwarding worker. Route failures
+        // through the existing smtp_client 'error' flow (logwarn +
+        // call_next) so a misconfigured/hostile upstream degrades to a
+        // normal SMTP error path instead.
         if (!smtp_client.auth_capabilities.includes(auth_type)) {
-            throw new Error(
+            return smtp_client.emit(
+                'error',
                 `Auth type "${auth_type}" not supported by server (supports: ${smtp_client.auth_capabilities.join(',')})`,
             )
         }
         switch (auth_type) {
             case 'plain':
                 if (!c.auth.user || !c.auth.pass) {
-                    throw new Error('Must include auth.user and auth.pass for PLAIN auth.')
+                    return smtp_client.emit('error', 'Must include auth.user and auth.pass for PLAIN auth.')
                 }
                 logger.debug(`[smtp_client] uuid=${smtp_client.uuid} authenticating as "${c.auth.user}"`)
                 smtp_client.send_command(
@@ -424,9 +433,9 @@ exports.get_client_plugin = (plugin, connection, c, callback) => {
                 )
                 break
             case 'cram-md5':
-                throw new Error('Not implemented')
+                return smtp_client.emit('error', `AUTH ${auth_type} not implemented`)
             default:
-                throw new Error(`Unknown AUTH type: ${auth_type}`)
+                return smtp_client.emit('error', `Unknown AUTH type: ${auth_type}`)
         }
     })
 
@@ -437,7 +446,7 @@ exports.get_client_plugin = (plugin, connection, c, callback) => {
         if (smtp_client.is_dead_sender(plugin, connection)) return
 
         smtp_client.authenticated = true
-        smtp_client.send_command('MAIL', `FROM:${connection.transaction.mail_from.format(!smtp_client.smtp_utf8)}`)
+        smtp_client.send_command('MAIL', `FROM:${connection.transaction.mail_from.format(!smtp_client.smtputf8)}`)
     })
 
     // these errors only get thrown when the connection is still active

package/test/config/block_me.recipient

@@ -0,0 +1 @@
+blocklist@example.com

package/test/config/block_me.senders

@@ -0,0 +1 @@
+sender@example.com

package/test/connection.js

@@ -5,7 +5,7 @@ const assert = require('node:assert/strict')
 
 const constants = require('haraka-constants')
 const DSN = require('haraka-dsn')
-const { Address } = require('address-rfc2821')
+const { Address } = require('../address')
 
 const connection = require('../connection')
 const Server = require('../server')
@@ -676,4 +676,28 @@ describe('connection', () => {
             assert.equal(this.connection.transaction.data_bytes, 0)
         })
     })
+
+    describe('header injection', () => {
+        beforeEach(setUp)
+
+        it('cmd_helo rejects control chars in the host', () => {
+            const r = this.connection.cmd_helo('evil\rINJECTED')
+            assert.match(String(r), /^501/)
+            assert.equal(this.connection.hello.host, null)
+        })
+
+        it('cmd_ehlo rejects control chars in the host', () => {
+            const r = this.connection.cmd_ehlo('evil\r\nINJECTED')
+            assert.match(String(r), /^501/)
+            assert.equal(this.connection.hello.host, null)
+        })
+
+        it('auth_results strips CR/LF so it cannot inject a header', () => {
+            const out = this.connection.auth_results('auth=fail smtp.auth=evil\r\nInjected-Header: pwned')
+            assert.ok(!out.includes('\r\nInjected-Header:'))
+            // the only CRLF present is the legitimate folding (;\r\n\t)
+            assert.equal(out.replace(/;\r\n\t/g, '').includes('\r'), false)
+            assert.equal(out.replace(/;\r\n\t/g, '').includes('\n'), false)
+        })
+    })
 })

package/test/fixtures/util_hmailitem.js

@@ -2,7 +2,7 @@
 
 const assert = require('node:assert')
 
-const { Address } = require('address-rfc2821')
+const { Address } = require('../../address')
 const fixtures = require('haraka-test-fixtures')
 
 /**

package/test/outbound/bounce_net_errors.js

@@ -98,9 +98,10 @@ const testCases = [
         trigger: (h) => HMailItem.prototype.get_mx_error.apply(h, [{ code: 'SOME-OTHER-ERR' }, {}]),
     },
     {
-        name: 'found_mx with empty exchange triggers bounce with dsn_status 5.1.2',
+        // RFC 7505 NULL MX → DSN.addr_null_mx → 5.1.10 (per haraka-dsn).
+        name: 'found_mx with NULL MX (RFC 7505) triggers bounce with dsn_status 5.1.10',
         method: 'bounce',
-        status: '5.1.2',
+        status: '5.1.10',
         trigger: (h) => HMailItem.prototype.found_mx.apply(h, [[{ priority: 0, exchange: '' }]]),
     },
     {

package/test/outbound/index.js

@@ -211,7 +211,7 @@ describe('outbound', () => {
         it('yields to setImmediate before opening process_delivery pipes', async () => {
             const stream = require('node:stream')
             const Transaction = require('../../transaction')
-            const Address = require('address-rfc2821').Address
+            const Address = require('../../address').Address
             const outbound = require('../../outbound')
             const plugins = require('../../plugins')
 
@@ -271,7 +271,7 @@ describe('outbound', () => {
 
         it('adds missing Message-Id/Date and prepends Received before queueing', async () => {
             process.env.HARAKA_TEST_DIR = path.resolve('test')
-            const Address = require('address-rfc2821').Address
+            const Address = require('../../address').Address
             const outbound = require('../../outbound')
             const plugins = require('../../plugins')
 

package/test/plugins/auth/auth_base.js

@@ -2,7 +2,7 @@
 const assert = require('node:assert')
 const { describe, it, beforeEach } = require('node:test')
 
-const { Address } = require('address-rfc2821')
+const { Address } = require('../../../address')
 const fixtures = require('haraka-test-fixtures')
 const utils = require('haraka-utils')
 

package/test/plugins/auth/auth_bridge.js

@@ -0,0 +1,80 @@
+'use strict'
+
+const assert = require('node:assert')
+const { describe, it, beforeEach } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+
+describe('auth/auth_bridge', () => {
+    let plugin
+
+    beforeEach(() => {
+        plugin = new fixtures.plugin('auth/auth_bridge')
+        plugin.load_flat_ini()
+    })
+
+    describe('load_flat_ini', () => {
+        it('loads smtp_bridge.ini config', () => {
+            assert.ok(plugin.cfg)
+            assert.ok(plugin.cfg.main)
+        })
+
+        it('cfg.main.host defaults to localhost', () => {
+            assert.equal(plugin.cfg.main.host, 'localhost')
+        })
+    })
+
+    describe('check_plain_passwd', () => {
+        let conn
+
+        beforeEach(() => {
+            conn = fixtures.connection.createConnection()
+        })
+
+        it('calls try_auth_proxy with just host when no port configured', (t, done) => {
+            plugin.cfg.main = { host: 'mail.example.com' }
+            plugin.try_auth_proxy = (connection, host, user, passwd, cb) => {
+                assert.equal(host, 'mail.example.com')
+                assert.equal(user, 'testuser')
+                assert.equal(passwd, 'testpass')
+                cb(true)
+            }
+            plugin.check_plain_passwd(conn, 'testuser', 'testpass', (result) => {
+                assert.equal(result, true)
+                done()
+            })
+        })
+
+        it('calls try_auth_proxy with host:port when port is configured', (t, done) => {
+            plugin.cfg.main = { host: 'mail.example.com', port: '587' }
+            plugin.try_auth_proxy = (connection, host, user, passwd, cb) => {
+                assert.equal(host, 'mail.example.com:587')
+                cb(true)
+            }
+            plugin.check_plain_passwd(conn, 'testuser', 'testpass', (result) => {
+                assert.equal(result, true)
+                done()
+            })
+        })
+
+        it('passes authentication failure through to callback', (t, done) => {
+            plugin.cfg.main = { host: 'mail.example.com' }
+            plugin.try_auth_proxy = (connection, host, user, passwd, cb) => {
+                cb(false)
+            }
+            plugin.check_plain_passwd(conn, 'baduser', 'badpass', (result) => {
+                assert.equal(result, false)
+                done()
+            })
+        })
+
+        it('passes the connection object to try_auth_proxy', (t, done) => {
+            plugin.cfg.main = { host: 'mail.example.com' }
+            plugin.try_auth_proxy = (connection, host, user, passwd, cb) => {
+                assert.equal(connection, conn)
+                cb(true)
+            }
+            plugin.check_plain_passwd(conn, 'user', 'pass', () => done())
+        })
+    })
+})

package/test/plugins/auth/flat_file.js

@@ -0,0 +1,128 @@
+'use strict'
+
+const assert = require('node:assert')
+const { describe, it, beforeEach } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+
+function makeConnection(opts = {}) {
+    const conn = fixtures.connection.createConnection()
+    conn.capabilities = []
+    conn.notes.allowed_auth_methods = []
+    conn.remote = { is_private: opts.is_private ?? false }
+    conn.tls = { enabled: opts.tls_enabled ?? false }
+    return conn
+}
+
+describe('auth/flat_file', () => {
+    let plugin
+
+    beforeEach(() => {
+        plugin = new fixtures.plugin('auth/flat_file')
+        plugin.inherits('auth/auth_base')
+        plugin.load_flat_ini()
+    })
+
+    describe('load_flat_ini', () => {
+        it('populates cfg.users as an object', () => {
+            assert.ok(typeof plugin.cfg.users === 'object')
+        })
+
+        it('cfg.users defaults to empty object when not configured', () => {
+            // default config has no real users
+            assert.deepEqual(plugin.cfg.users, {})
+        })
+    })
+
+    describe('hook_capabilities', () => {
+        let conn
+
+        beforeEach(() => {
+            conn = makeConnection()
+        })
+
+        it('skips for public non-TLS connection', (t, done) => {
+            plugin.hook_capabilities((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(conn.capabilities.length, 0)
+                done()
+            }, conn)
+        })
+
+        it('adds AUTH methods for private connection (non-TLS)', (t, done) => {
+            conn.remote.is_private = true
+            plugin.cfg.core.methods = 'PLAIN,LOGIN'
+            plugin.hook_capabilities((rc) => {
+                assert.equal(rc, undefined)
+                assert.ok(
+                    conn.capabilities.some((c) => c.startsWith('AUTH ')),
+                    'AUTH capability should be present',
+                )
+                done()
+            }, conn)
+        })
+
+        it('adds AUTH methods when TLS is enabled', (t, done) => {
+            conn.tls.enabled = true
+            plugin.cfg.core.methods = 'PLAIN,LOGIN'
+            plugin.hook_capabilities((rc) => {
+                assert.equal(rc, undefined)
+                assert.ok(conn.capabilities.some((c) => c.startsWith('AUTH ')))
+                done()
+            }, conn)
+        })
+
+        it('sets allowed_auth_methods on connection notes', (t, done) => {
+            conn.tls.enabled = true
+            plugin.cfg.core.methods = 'PLAIN,LOGIN'
+            plugin.hook_capabilities(() => {
+                assert.deepEqual(conn.notes.allowed_auth_methods, ['PLAIN', 'LOGIN'])
+                done()
+            }, conn)
+        })
+
+        it('does not add AUTH when no methods configured', (t, done) => {
+            conn.tls.enabled = true
+            plugin.cfg.core.methods = null
+            plugin.hook_capabilities(() => {
+                assert.equal(conn.capabilities.length, 0)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('get_plain_passwd', () => {
+        beforeEach(() => {
+            plugin.cfg.users = { alice: 'secret', bob: 'hunter2' }
+        })
+
+        it('returns password for known user', (t, done) => {
+            plugin.get_plain_passwd('alice', {}, (pw) => {
+                assert.equal(pw, 'secret')
+                done()
+            })
+        })
+
+        it('calls cb with no args for unknown user', (t, done) => {
+            plugin.get_plain_passwd('unknown', {}, (pw) => {
+                assert.equal(pw, undefined)
+                done()
+            })
+        })
+
+        it('handles multiple users', (t, done) => {
+            plugin.get_plain_passwd('bob', {}, (pw) => {
+                assert.equal(pw, 'hunter2')
+                done()
+            })
+        })
+
+        it('coerces password to string via toString()', (t, done) => {
+            plugin.cfg.users.numericuser = 12345
+            plugin.get_plain_passwd('numericuser', {}, (pw) => {
+                assert.equal(pw, '12345')
+                done()
+            })
+        })
+    })
+})

package/test/plugins/block_me.js

@@ -0,0 +1,157 @@
+'use strict'
+
+const fs = require('node:fs')
+const path = require('node:path')
+const assert = require('node:assert/strict')
+const { describe, it, beforeEach, after } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+const { Address } = require('@haraka/email-address')
+require('haraka-constants').import(global)
+
+// block_me appends to <config>/mail_from.blocklist when a sender is blocked;
+// remove the artifact the 'sets block_me note' test produces.
+after(() => {
+    fs.rmSync(path.resolve('test/config/mail_from.blocklist'), { force: true })
+})
+
+function makeConnection({
+    relaying = false,
+    mailFrom = 'sender@example.com',
+    rcptTo = ['blocklist@example.com'],
+} = {}) {
+    const conn = fixtures.connection.createConnection()
+    conn.init_transaction()
+    conn.relaying = relaying
+    conn.transaction.mail_from = new Address(`<${mailFrom}>`)
+    conn.transaction.rcpt_to = rcptTo.map((r) => new Address(`<${r}>`))
+    conn.transaction.body = { bodytext: '', children: [] }
+    return conn
+}
+
+describe('block_me', () => {
+    let plugin
+
+    // Read config (block_me.recipient, block_me.senders) from test/config rather
+    // than the real config dir. block_me also appends matched senders to
+    // mail_from.blocklist; with this override that write lands in test/config too.
+    beforeEach(() => {
+        plugin = new fixtures.plugin('block_me')
+        plugin.config = plugin.config.module_config(path.resolve('test'))
+    })
+
+    describe('hook_data', () => {
+        it('enables body parsing and calls next', (t, done) => {
+            const conn = makeConnection()
+            conn.transaction.parse_body = false
+            plugin.hook_data((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(conn.transaction.parse_body, true)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('hook_data_post', () => {
+        it('calls next when not relaying', (t, done) => {
+            const conn = makeConnection({ relaying: false })
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next when transaction is missing', (t, done) => {
+            const conn = fixtures.connection.createConnection()
+            conn.relaying = true
+            conn.transaction = null
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next when more than one recipient', (t, done) => {
+            const conn = makeConnection({
+                relaying: true,
+                rcptTo: ['blocklist@example.com', 'other@example.com'],
+            })
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next when recipient does not match configured address', (t, done) => {
+            const conn = makeConnection({ relaying: true, rcptTo: ['other@example.com'] })
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('denies when sender is not in the allowed senders list', (t, done) => {
+            const conn = makeConnection({
+                relaying: true,
+                mailFrom: 'notallowed@example.com',
+                rcptTo: ['blocklist@example.com'],
+            })
+            plugin.hook_data_post((rc, msg) => {
+                assert.equal(rc, DENY)
+                assert.ok(msg.includes('not allowed'))
+                done()
+            }, conn)
+        })
+
+        it('calls next when no From header found in body', (t, done) => {
+            const conn = makeConnection({
+                relaying: true,
+                mailFrom: 'sender@example.com',
+                rcptTo: ['blocklist@example.com'],
+            })
+            conn.transaction.body = { bodytext: 'No from header here', children: [] }
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                // note should not be set since no From header
+                assert.equal(conn.transaction.notes.block_me, undefined)
+                done()
+            }, conn)
+        })
+
+        it('sets block_me note and calls next when From is extracted', (t, done) => {
+            const conn = makeConnection({
+                relaying: true,
+                mailFrom: 'sender@example.com',
+                rcptTo: ['blocklist@example.com'],
+            })
+            conn.transaction.body = {
+                bodytext: 'From: Test User <block_target@example.com>',
+                children: [],
+            }
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(conn.transaction.notes.block_me, 1)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('hook_queue', () => {
+        it('returns OK when block_me note is set on transaction', (t, done) => {
+            const conn = makeConnection()
+            conn.transaction.notes.block_me = 1
+            plugin.hook_queue((rc) => {
+                assert.equal(rc, OK)
+                done()
+            }, conn)
+        })
+
+        it('calls next when block_me note is not set', (t, done) => {
+            const conn = makeConnection()
+            plugin.hook_queue((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+    })
+})

package/test/plugins/data.signatures.js

@@ -0,0 +1,114 @@
+'use strict'
+
+const assert = require('node:assert/strict')
+const { describe, it, beforeEach } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+require('haraka-constants').import(global)
+
+function makeConnection(bodytext = '', children = []) {
+    const conn = fixtures.connection.createConnection()
+    conn.init_transaction()
+    conn.transaction.body = { bodytext, children }
+    return conn
+}
+
+describe('data.signatures', () => {
+    let plugin
+
+    beforeEach(() => {
+        plugin = new fixtures.plugin('data.signatures')
+    })
+
+    describe('hook_data', () => {
+        it('enables body parsing', (t, done) => {
+            const conn = makeConnection()
+            conn.transaction.parse_body = false
+            plugin.hook_data((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(conn.transaction.parse_body, true)
+                done()
+            }, conn)
+        })
+
+        it('calls next when there is no transaction', (t, done) => {
+            const conn = fixtures.connection.createConnection()
+            conn.transaction = null
+            plugin.hook_data((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('hook_data_post', () => {
+        it('calls next when there is no transaction', (t, done) => {
+            const conn = fixtures.connection.createConnection()
+            conn.transaction = null
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next when signature list is empty', (t, done) => {
+            plugin.config.get = (name, type) => (type === 'list' ? [] : {})
+            const conn = makeConnection('This is some email body text')
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('denies when body matches a signature', (t, done) => {
+            plugin.config.get = (name, type) => (type === 'list' ? ['spam_signature_text'] : {})
+            const conn = makeConnection('Buy cheap meds! spam_signature_text here')
+            plugin.hook_data_post((rc, msg) => {
+                assert.equal(rc, DENY)
+                assert.ok(msg.includes('spam'))
+                done()
+            }, conn)
+        })
+
+        it('calls next when body does not match any signature', (t, done) => {
+            plugin.config.get = (name, type) => (type === 'list' ? ['bad_pattern'] : {})
+            const conn = makeConnection('Totally normal email body')
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('denies when a child body part matches a signature', (t, done) => {
+            plugin.config.get = (name, type) => (type === 'list' ? ['spam_in_child'] : {})
+            const conn = fixtures.connection.createConnection()
+            conn.init_transaction()
+            conn.transaction.body = {
+                bodytext: 'clean parent text',
+                children: [{ bodytext: 'spam_in_child content here', children: [] }],
+            }
+            plugin.hook_data_post((rc, msg) => {
+                assert.equal(rc, DENY)
+                done()
+            }, conn)
+        })
+
+        it('calls next when multiple signatures do not match', (t, done) => {
+            plugin.config.get = (name, type) => (type === 'list' ? ['sig_one', 'sig_two', 'sig_three'] : {})
+            const conn = makeConnection('No matching signatures here at all')
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('matches the first of multiple signatures', (t, done) => {
+            plugin.config.get = (name, type) => (type === 'list' ? ['no_match', 'buy_cheap_pills'] : {})
+            const conn = makeConnection('This message has buy_cheap_pills for you')
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, DENY)
+                done()
+            }, conn)
+        })
+    })
+})