Haraka 3.2.1 → 3.3.1

package/test/server.js

@@ -4,14 +4,33 @@ const { describe, it, beforeEach, afterEach } = require('node:test')
 const assert = require('node:assert/strict')
 const { createHmac } = require('node:crypto')
 const net = require('node:net')
+const { once } = require('node:events')
 const path = require('node:path')
 const tls = require('node:tls')
 const constants = require('haraka-constants')
+const net_utils = require('haraka-net-utils')
 
-const endpoint = require('../endpoint')
+const { endpoint } = require('haraka-net-utils')
 const message = require('haraka-email-message')
 const { get_client } = require('../smtp_client')
 
+function fixtureConfig(name) {
+    const testRoot = path.resolve('test')
+    return require('haraka-config').module_config(testRoot, path.resolve('test/fixtures', name))
+}
+
+function useHaproxyFixture(server, name) {
+    const originalConfig = net_utils.config
+    const originalConnectionCfg = server.connection.cfg
+    const config = fixtureConfig(name)
+    net_utils.config = config
+    server.connection.cfg = config.get('connection.ini', { booleans: ['+haproxy.enabled'] })
+    return () => {
+        net_utils.config = originalConfig
+        server.connection.cfg = originalConnectionCfg
+    }
+}
+
 // ─── CRAM-MD5 helper ──────────────────────────────────────────────────────────
 
 /** Compute a CRAM-MD5 response to a server challenge. */
@@ -124,6 +143,35 @@ const sendMessage = ({
         )
     })
 
+const listen = (server, host = '127.0.0.1') =>
+    new Promise((resolve, reject) => {
+        server.once('error', reject)
+        server.listen(0, host, () => {
+            server.removeListener('error', reject)
+            resolve()
+        })
+    })
+
+const close = (server) =>
+    new Promise((resolve) => {
+        server.close(resolve)
+    })
+
+const withTimeout = (promise, ms, msg) =>
+    new Promise((resolve, reject) => {
+        const timer = setTimeout(() => reject(new Error(msg)), ms)
+        promise.then(
+            (result) => {
+                clearTimeout(timer)
+                resolve(result)
+            },
+            (err) => {
+                clearTimeout(timer)
+                reject(err)
+            },
+        )
+    })
+
 // ─── Tests ────────────────────────────────────────────────────────────────────
 
 describe('server', () => {
@@ -241,6 +289,382 @@ describe('server', () => {
             const count = await new Promise((res) => server.getConnections((err, n) => res(n)))
             assert.equal(count, 0)
         })
+
+        it('accepts PROXY v1 before the SMTPS TLS handshake', async () => {
+            const restoreHaproxyConfig = useHaproxyFixture(this.server, 'haproxy_allowed')
+            this.server.cfg.main.smtps_port = 0
+
+            // PROXY-before-TLS takes slightly longer than the default 10 ms timeout on Windows,
+            // use 50 ms timeout to avoid flaky tests (default is 300000 ms).
+            const server = await this.server.get_smtp_server(endpoint('127.0.0.1:0'), 50)
+            const tlsErrors = []
+            let raw
+            let client
+
+            server.on('tlsClientError', (err) => {
+                tlsErrors.push(err)
+            })
+
+            try {
+                await listen(server)
+
+                raw = net.connect(server.address().port, '127.0.0.1')
+                await withTimeout(
+                    Promise.race([
+                        once(raw, 'connect'),
+                        once(raw, 'error').then(([err]) => {
+                            throw err
+                        }),
+                    ]),
+                    3000,
+                    'SMTPS TCP connection timed out',
+                )
+
+                raw.write('PROXY TCP4 127.0.0.1 127.0.0.1 42310 465\r\n')
+                client = tls.connect({
+                    socket: raw,
+                    rejectUnauthorized: false,
+                    servername: 'localhost',
+                })
+
+                await withTimeout(
+                    Promise.race([
+                        once(client, 'secureConnect'),
+                        once(client, 'error').then(([err]) => {
+                            throw err
+                        }),
+                    ]),
+                    3000,
+                    'SMTPS PROXY handshake timed out',
+                )
+                const [banner] = await withTimeout(once(client, 'data'), 3000, 'SMTPS PROXY banner timed out')
+                assert.match(banner.toString(), /^220 /)
+                assert.equal(tlsErrors.length, 0)
+            } finally {
+                if (client) client.destroy()
+                else if (raw) raw.destroy()
+                await close(server)
+                restoreHaproxyConfig()
+            }
+        })
+
+        it('accepts direct SMTPS from a PROXY-allowed peer', async () => {
+            const restoreHaproxyConfig = useHaproxyFixture(this.server, 'haproxy_allowed')
+            this.server.cfg.main.smtps_port = 0
+
+            const server = await this.server.get_smtp_server(endpoint('127.0.0.1:0'), 1000)
+            const tlsErrors = []
+            let client
+
+            server.on('tlsClientError', (err) => {
+                tlsErrors.push(err)
+            })
+
+            try {
+                await listen(server)
+
+                client = tls.connect({
+                    port: server.address().port,
+                    host: '127.0.0.1',
+                    rejectUnauthorized: false,
+                    servername: 'localhost',
+                })
+
+                await withTimeout(
+                    Promise.race([
+                        once(client, 'secureConnect'),
+                        once(client, 'error').then(([err]) => {
+                            throw err
+                        }),
+                    ]),
+                    3000,
+                    'direct SMTPS handshake timed out',
+                )
+                const [banner] = await withTimeout(once(client, 'data'), 3000, 'direct SMTPS banner timed out')
+                assert.match(banner.toString(), /^220 /)
+                assert.equal(tlsErrors.length, 0)
+            } finally {
+                if (client) client.destroy()
+                await close(server)
+                restoreHaproxyConfig()
+            }
+        })
+
+        it('preserves TLS server events for SMTPS connections', async () => {
+            this.server.cfg.main.smtps_port = 0
+
+            const server = await this.server.get_smtp_server(endpoint('127.0.0.1:0'), 10)
+            let ocspRequests = 0
+            let first
+            let second
+
+            server.tlsServer.on('OCSPRequest', (cert, issuer, cb) => {
+                ocspRequests++
+                cb()
+            })
+
+            try {
+                await listen(server)
+
+                first = tls.connect({
+                    port: server.address().port,
+                    host: '127.0.0.1',
+                    rejectUnauthorized: false,
+                    requestOCSP: true,
+                    servername: 'localhost',
+                    maxVersion: 'TLSv1.2',
+                })
+
+                await withTimeout(
+                    Promise.race([
+                        once(first, 'secureConnect'),
+                        once(first, 'error').then(([err]) => {
+                            throw err
+                        }),
+                    ]),
+                    3000,
+                    'first SMTPS handshake timed out',
+                )
+                const session = first.getSession()
+                first.destroy()
+                await withTimeout(once(first, 'close'), 3000, 'first SMTPS close timed out')
+
+                second = tls.connect({
+                    port: server.address().port,
+                    host: '127.0.0.1',
+                    rejectUnauthorized: false,
+                    requestOCSP: true,
+                    servername: 'localhost',
+                    maxVersion: 'TLSv1.2',
+                    session,
+                })
+
+                await withTimeout(
+                    Promise.race([
+                        once(second, 'secureConnect'),
+                        once(second, 'error').then(([err]) => {
+                            throw err
+                        }),
+                    ]),
+                    3000,
+                    'resumed SMTPS handshake timed out',
+                )
+
+                assert.equal(ocspRequests, 1)
+                assert.equal(second.isSessionReused(), true)
+            } finally {
+                if (second) second.destroy()
+                if (first) first.destroy()
+                await close(server)
+            }
+        })
+
+        it('uses direct TLS for SMTPS when HAProxy support is disabled', async () => {
+            const restoreHaproxyConfig = useHaproxyFixture(this.server, 'haproxy_disabled')
+            this.server.cfg.main.smtps_port = 0
+
+            let server
+            let client
+
+            try {
+                server = await this.server.get_smtp_server(endpoint('127.0.0.1:0'), 10)
+                assert.equal(server.tlsServer, undefined)
+
+                await listen(server)
+
+                client = tls.connect({
+                    port: server.address().port,
+                    host: '127.0.0.1',
+                    rejectUnauthorized: false,
+                    servername: 'localhost',
+                })
+
+                await withTimeout(
+                    Promise.race([
+                        once(client, 'secureConnect'),
+                        once(client, 'error').then(([err]) => {
+                            throw err
+                        }),
+                    ]),
+                    3000,
+                    'direct TLS fallback handshake timed out',
+                )
+            } finally {
+                if (client) client.destroy()
+                if (server) await close(server)
+                restoreHaproxyConfig()
+            }
+        })
+
+        it('accepts direct SMTPS from an untrusted PROXY peer', async () => {
+            const restoreHaproxyConfig = useHaproxyFixture(this.server, 'haproxy_untrusted')
+            this.server.cfg.main.smtps_port = 0
+
+            const server = await this.server.get_smtp_server(endpoint('127.0.0.1:0'), 10)
+            let client
+
+            try {
+                await listen(server)
+
+                client = tls.connect({
+                    port: server.address().port,
+                    host: '127.0.0.1',
+                    rejectUnauthorized: false,
+                    servername: 'localhost',
+                })
+
+                await withTimeout(
+                    Promise.race([
+                        once(client, 'secureConnect'),
+                        once(client, 'error').then(([err]) => {
+                            throw err
+                        }),
+                    ]),
+                    3000,
+                    'untrusted direct SMTPS handshake timed out',
+                )
+            } finally {
+                if (client) client.destroy()
+                await close(server)
+                restoreHaproxyConfig()
+            }
+        })
+
+        it('rejects malformed SMTPS PROXY lines before TLS', async () => {
+            const restoreHaproxyConfig = useHaproxyFixture(this.server, 'haproxy_allowed')
+            this.server.cfg.main.smtps_port = 0
+
+            const server = await this.server.get_smtp_server(endpoint('127.0.0.1:0'), 10)
+            let raw
+
+            try {
+                await listen(server)
+
+                raw = net.connect(server.address().port, '127.0.0.1')
+                await withTimeout(once(raw, 'connect'), 3000, 'malformed PROXY TCP connection timed out')
+                raw.write('PROXY TCP4 nope 127.0.0.1 42310 465\r\n')
+
+                const [response] = await withTimeout(once(raw, 'data'), 3000, 'malformed PROXY response timed out')
+                assert.match(response.toString(), /^421 Invalid PROXY format/)
+            } finally {
+                if (raw) raw.destroy()
+                await close(server)
+                restoreHaproxyConfig()
+            }
+        })
+
+        it('rejects oversized SMTPS PROXY lines before TLS', async () => {
+            const restoreHaproxyConfig = useHaproxyFixture(this.server, 'haproxy_allowed')
+            this.server.cfg.main.smtps_port = 0
+
+            const server = await this.server.get_smtp_server(endpoint('127.0.0.1:0'), 10)
+            let raw
+
+            try {
+                await listen(server)
+
+                raw = net.connect(server.address().port, '127.0.0.1')
+                await withTimeout(once(raw, 'connect'), 3000, 'oversized PROXY TCP connection timed out')
+                raw.write(`PROXY ${'x'.repeat(513)}`)
+
+                const [response] = await withTimeout(once(raw, 'data'), 3000, 'oversized PROXY response timed out')
+                assert.match(response.toString(), /^421 Invalid PROXY format/)
+            } finally {
+                if (raw) raw.destroy()
+                await close(server)
+                restoreHaproxyConfig()
+            }
+        })
+
+        it('times out waiting for SMTPS PROXY from an allowed peer', async () => {
+            const restoreHaproxyConfig = useHaproxyFixture(this.server, 'haproxy_allowed')
+            const originalSetTimeout = global.setTimeout
+            global.setTimeout = (fn, ms, ...args) => originalSetTimeout(fn, ms === 30 * 1000 ? 20 : ms, ...args)
+            this.server.cfg.main.smtps_port = 0
+
+            const server = await this.server.get_smtp_server(endpoint('127.0.0.1:0'), 10)
+            let raw
+
+            try {
+                await listen(server)
+
+                raw = net.connect(server.address().port, '127.0.0.1')
+                await withTimeout(once(raw, 'connect'), 3000, 'PROXY timeout TCP connection timed out')
+
+                const [response] = await withTimeout(once(raw, 'data'), 3000, 'PROXY timeout response timed out')
+                assert.match(response.toString(), /^421 PROXY timeout/)
+            } finally {
+                global.setTimeout = originalSetTimeout
+                if (raw) raw.destroy()
+                await close(server)
+                restoreHaproxyConfig()
+            }
+        })
+
+        it('accepts byte-by-byte direct SMTPS from a PROXY-allowed peer', async () => {
+            const restoreHaproxyConfig = useHaproxyFixture(this.server, 'haproxy_allowed')
+            this.server.cfg.main.smtps_port = 0
+
+            const server = await this.server.get_smtp_server(endpoint('127.0.0.1:0'), 1000)
+            let raw
+            let client
+
+            try {
+                await listen(server)
+
+                raw = net.connect(server.address().port, '127.0.0.1')
+                await withTimeout(once(raw, 'connect'), 3000, 'fragmented direct SMTPS TCP connection timed out')
+
+                const write = raw.write.bind(raw)
+                raw.write = (chunk, encoding, cb) => {
+                    if (typeof encoding === 'function') {
+                        cb = encoding
+                        encoding = undefined
+                    }
+                    const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, encoding)
+                    let pos = 0
+                    const write_next = () => {
+                        if (pos >= buffer.length) {
+                            if (cb) cb()
+                            return
+                        }
+                        write(buffer.subarray(pos, pos + 1))
+                        pos++
+                        setImmediate(write_next)
+                    }
+                    write_next()
+                    return true
+                }
+
+                client = tls.connect({
+                    socket: raw,
+                    rejectUnauthorized: false,
+                    servername: 'localhost',
+                })
+
+                await withTimeout(
+                    Promise.race([
+                        once(client, 'secureConnect'),
+                        once(client, 'error').then(([err]) => {
+                            throw err
+                        }),
+                    ]),
+                    3000,
+                    'fragmented direct SMTPS handshake timed out',
+                )
+                const [banner] = await withTimeout(
+                    once(client, 'data'),
+                    3000,
+                    'fragmented direct SMTPS banner timed out',
+                )
+                assert.match(banner.toString(), /^220 /)
+            } finally {
+                if (client) client.destroy()
+                else if (raw) raw.destroy()
+                await close(server)
+                restoreHaproxyConfig()
+            }
+        })
     })
 
     // ── get_http_docroot ──────────────────────────────────────────────────────

package/test/smtp_client.js

@@ -5,7 +5,7 @@ const assert = require('node:assert/strict')
 const { PassThrough } = require('node:stream')
 const path = require('node:path')
 
-const { Address } = require('../address')
+const { Address } = require('@haraka/email-address')
 const fixtures = require('haraka-test-fixtures')
 const net_utils = require('haraka-net-utils')
 const message = require('haraka-email-message')
@@ -57,19 +57,18 @@ function restoreTlsConnect() {
 }
 
 function makeConnection(overrides = {}) {
-    const conn = fixtures.connection.createConnection()
+    const conn = fixtures.makeConnection({ ip: '1.2.3.4' })
     conn.server = { notes: {} }
     conn.hello = { host: 'client.example.com' }
     conn.local = { host: 'relay.example.com' }
-    conn.remote = { ip: '1.2.3.4' }
     conn.transaction = null
     return Object.assign(conn, overrides)
 }
 
 function makePlugin() {
-    const p = new fixtures.plugin('queue/smtp_forward')
-    p.config = p.config.module_config(path.resolve('test'))
-    p.register()
+    const p = fixtures.makePlugin('queue/smtp_forward', {
+        configDir: path.resolve('test'),
+    })
     p.tls_options = {}
     return p
 }
@@ -228,7 +227,7 @@ describe('SMTPClient line handler', () => {
         client.command = 'starttls'
         client.tls_options = { servername: 'mx.example.com' }
         let upgradeCalled = false
-        client.socket.upgrade = (opts, cb) => {
+        client.socket.upgrade = () => {
             upgradeCalled = true
         }
         client.socket.emit('line', '220 Go ahead\r\n')
@@ -249,10 +248,7 @@ describe('SMTPClient line handler', () => {
     it('returns early after bad_code when state is not ACTIVE', () => {
         client.command = 'mail'
         client.state = STATE.IDLE
-        let heloFired = false
-        client.on('helo', () => {
-            heloFired = true
-        }) // shouldn't fire
+        client.on('helo', () => {}) // shouldn't fire
         let badCodeFired = false
         client.on('bad_code', () => {
             badCodeFired = true
@@ -344,7 +340,7 @@ describe('SMTPClient socket connect event', () => {
         socket.setTimeout = (ms) => {
             lastTimeout = ms
         }
-        const client = makeClient({ socket, idle_timeout: 120 })
+        makeClient({ socket, idle_timeout: 120 })
         socket.emit('connect')
         assert.equal(lastTimeout, 120_000)
     })
@@ -513,7 +509,7 @@ describe('SMTPClient#start_data', () => {
         const client = makeClient()
         let pipeTarget = null
         const mockStream = {
-            pipe: (dest, opts) => {
+            pipe: (dest) => {
                 pipeTarget = dest
             },
         }
@@ -591,7 +587,7 @@ describe('SMTPClient#upgrade', () => {
     it('delegates to socket.upgrade with tls_options', () => {
         const socket = makeSocket()
         let upgradeOpts = null
-        socket.upgrade = (opts, cb) => {
+        socket.upgrade = (opts) => {
             upgradeOpts = opts
         }
         const client = makeClient({ socket })
@@ -964,7 +960,7 @@ describe('smtp_client.get_client_plugin', () => {
     })
 
     it('reuses existing host_pool from server.notes', async () => {
-        const HostPool = require('../host_pool')
+        const { HostPool } = require('haraka-net-utils')
         const pool = new HostPool('10.0.0.3:25')
         conn.server.notes.host_pool = pool
         await getClientPlugin({ forwarding_host_pool: '10.0.0.3:25' })
@@ -1021,7 +1017,6 @@ describe('smtp_client.get_client_plugin', () => {
             return s
         }
 
-        const written = []
         const mockPlugin = makePlugin()
 
         smtp_client_module.get_client_plugin(
@@ -1257,8 +1252,6 @@ describe('smtp_client full session (auth)', () => {
 
 describe('smtp_client', () => {
     it('testUpgradeIsCalledOnSTARTTLS', () => {
-        const plugin = makePlugin()
-
         const cmds = {}
         let upgradeArgs = {}
 

package/test/tls_socket.js

@@ -8,9 +8,6 @@ const tls = require('node:tls')
 const fs = require('node:fs')
 const { EventEmitter } = require('node:events')
 
-// Mock dependencies before requiring the target
-const mock = require('node:test').mock
-
 const tls_socket = require('../tls_socket')
 
 const TEST_CERT = fs.readFileSync(path.join(__dirname, 'config/tls_cert.pem'))
@@ -55,12 +52,12 @@ test('tls_socket', async (t) => {
         })
     })
 
-    await t.test('pluggableStream', async (t) => {
+    await t.test('pluggableStream', async () => {
         // This is a class inside the file, but not exported.
         // We can test it via createServer or connect if we mock net.
     })
 
-    await t.test('connect', async (t) => {
+    await t.test('connect', async () => {
         // Exercise the `new tls.connect` bug
         // We can't easily catch the 'new' keyword usage without proxying tls.connect
         assert.strictEqual(typeof tls_socket.connect, 'function')
@@ -141,7 +138,7 @@ test('tls_socket', async (t) => {
         })
     })
 
-    await t.test('getSocketOpts', async (t) => {
+    await t.test('getSocketOpts', async () => {
         // Exercise the typo path (would requires failing config.getDir)
         assert.strictEqual(typeof tls_socket.getSocketOpts, 'function')
     })

package/tls_socket.js

@@ -95,7 +95,7 @@ class pluggableStream extends stream.Stream {
         }
     }
 
-    clean(data) {
+    clean() {
         if (this.targetsocket?.removeAllListeners) {
             for (const name of ['data', 'secure', 'secureConnect', 'end', 'close', 'error', 'drain']) {
                 this.targetsocket.removeAllListeners(name)
@@ -540,7 +540,7 @@ exports.getSocketOpts = async (name) => {
 function pipe(cleartext, socket) {
     cleartext.socket = socket
 
-    function onError(e) {}
+    function onError() {}
 
     function onClose() {
         socket.removeListener('error', onError)
@@ -570,7 +570,7 @@ exports.ensureDhparams = (done) => {
         log.debug(data)
     })
 
-    o.stderr.on('data', (data) => {
+    o.stderr.on('data', () => {
         // this is the status gibberish `openssl dhparam` spews as it works
     })
 

package/transaction.js

@@ -45,7 +45,7 @@ class Transaction {
         if (this.body) return
 
         this.body = new message.Body(this.header)
-        this.body.on('mime_boundary', (m) => this.incr_mime_count())
+        this.body.on('mime_boundary', () => this.incr_mime_count())
 
         for (const hook of this.attachment_start_hooks) {
             this.body.on('attachment_start', hook)
@@ -226,7 +226,7 @@ class Transaction {
         if (this.found_hb_sep) this.reset_headers()
     }
 
-    attachment_hooks(start, data, end) {
+    attachment_hooks(start) {
         this.parse_body = true
         this.attachment_start_hooks.push(start)
     }
@@ -255,7 +255,7 @@ class Transaction {
         }
     }
 
-    incr_mime_count(line) {
+    incr_mime_count() {
         this.mime_part_count++
     }
 }