haraka 0.0.32 → 3.3.0

package/plugins/queue/qmail-queue.js

@@ -0,0 +1,93 @@
+// Queue to qmail-queue
+
+const childproc = require('node:child_process')
+const fs = require('node:fs')
+
+exports.register = function () {
+    this.queue_exec = this.config.get('qmail-queue.path') || '/var/qmail/bin/qmail-queue'
+    if (!fs.existsSync(this.queue_exec)) {
+        throw new Error(`Cannot find qmail-queue binary (${this.queue_exec})`)
+    }
+
+    this.load_qmail_queue_ini()
+
+    if (this.cfg.main.enable_outbound) {
+        this.register_hook('queue_outbound', 'hook_queue')
+    }
+}
+
+exports.load_qmail_queue_ini = function () {
+    this.cfg = this.config.get(
+        'qmail-queue.ini',
+        {
+            booleans: ['+main.enable_outbound'],
+        },
+        () => {
+            this.load_qmail_queue_ini()
+        },
+    )
+}
+
+// qmail-queue envelope: F<sender>\0 (T<rcpt>\0)* \0
+// Built dynamically, sized to exactly the bytes needed.
+//   doesn't emit zero padding after the terminating NUL.
+//   encodes non-ASCII (SMTPUTF8) addresses correctly
+exports.build_envelope = function (transaction) {
+    const NUL = Buffer.from([0])
+    const parts = [Buffer.from('F'), Buffer.from(transaction.mail_from.address), NUL]
+    for (const rcpt of transaction.rcpt_to) {
+        parts.push(Buffer.from('T'), Buffer.from(rcpt.address), NUL)
+    }
+    parts.push(NUL)
+    return Buffer.concat(parts)
+}
+
+exports.hook_queue = function (next, connection) {
+    const plugin = this
+
+    const txn = connection?.transaction
+    if (!txn) return next()
+
+    const q_wants = txn.notes.get('queue.wants')
+    if (q_wants && q_wants !== 'qmail-queue') return next()
+
+    const qmail_queue = childproc.spawn(
+        this.queue_exec, // process name
+        [], // arguments
+        { stdio: ['pipe', 'pipe', process.stderr] },
+    )
+
+    qmail_queue.on('exit', function finished(code) {
+        if (code !== 0) {
+            connection.logerror(plugin, `Unable to queue message to qmail-queue: ${code}`)
+            next()
+        } else {
+            next(OK, 'Queued!')
+        }
+    })
+
+    connection.transaction.message_stream.pipe(qmail_queue.stdin, {
+        line_endings: '\n',
+    })
+
+    qmail_queue.stdin.on('close', () => {
+        if (!connection?.transaction) {
+            plugin.logerror('Transaction went away while delivering mail to qmail-queue')
+            try {
+                qmail_queue.stdout.end()
+            } catch (err) {
+                if (err.code !== 'ENOTCONN') {
+                    // Ignore ENOTCONN and re throw anything else
+                    throw err
+                }
+            }
+
+            connection.results.add(plugin, { err: 'dead sender' })
+            return
+        }
+        plugin.loginfo('Message Stream sent to qmail. Now sending envelope')
+        const buf = plugin.build_envelope(connection.transaction)
+        qmail_queue.stdout.on('error', () => {}) // stdout throws an error on close
+        qmail_queue.stdout.end(buf)
+    })
+}

package/plugins/queue/quarantine.js

@@ -0,0 +1,133 @@
+// quarantine
+
+const fs = require('node:fs')
+const path = require('node:path')
+
+exports.register = function () {
+    this.load_quarantine_ini()
+
+    this.register_hook('queue', 'quarantine')
+    this.register_hook('queue_outbound', 'quarantine')
+}
+
+exports.hook_init_master = function (next) {
+    this.init_quarantine_dir(() => {
+        this.clean_tmp_directory(next)
+    })
+}
+
+exports.load_quarantine_ini = function () {
+    this.cfg = this.config.get('quarantine.ini', () => {
+        this.load_quarantine_ini()
+    })
+}
+
+const zeroPad = (exports.zeroPad = (n, digits) => {
+    n = n.toString()
+    while (n.length < digits) {
+        n = `0${n}`
+    }
+    return n
+})
+
+exports.clean_tmp_directory = function (next) {
+    const tmp_dir = path.join(this.get_base_dir(), 'tmp')
+
+    if (fs.existsSync(tmp_dir)) {
+        const dirent = fs.readdirSync(tmp_dir)
+        this.loginfo(`Removing temporary files from: ${tmp_dir}`)
+        for (const element of dirent) {
+            fs.unlinkSync(path.join(tmp_dir, element))
+        }
+    }
+    next()
+}
+
+function wants_quarantine(connection) {
+    const { notes, transaction } = connection ?? {}
+
+    if (notes.quarantine) return notes.quarantine
+
+    if (transaction.notes.quarantine) return transaction.notes.quarantine
+
+    return transaction.notes.get('queue.wants') === 'quarantine'
+}
+
+exports.get_base_dir = function () {
+    if (this.cfg.main.quarantine_path) return this.cfg.main.quarantine_path
+    return '/var/spool/haraka/quarantine'
+}
+
+exports.init_quarantine_dir = function (done) {
+    const tmp_dir = path.join(this.get_base_dir(), 'tmp')
+    fs.promises
+        .mkdir(tmp_dir, { recursive: true })
+        .then(() => this.loginfo(`created ${tmp_dir}`))
+        .catch(() => this.logerror(`Unable to create ${tmp_dir}`))
+        .finally(done)
+}
+
+exports.quarantine = function (next, connection) {
+    const quarantine = wants_quarantine(connection)
+    this.logdebug(`quarantine: ${quarantine}`)
+    if (!quarantine) return next()
+
+    // Calculate date in YYYYMMDD format
+    const d = new Date()
+    const yyyymmdd = d.getFullYear() + zeroPad(d.getMonth() + 1, 2) + this.zeroPad(d.getDate(), 2)
+
+    let subdir = yyyymmdd
+    // Allow either boolean or a sub-directory to be specified
+
+    if (typeof quarantine !== 'boolean' && quarantine !== 1) {
+        subdir = path.join(quarantine, yyyymmdd)
+    }
+
+    const txn = connection?.transaction
+    if (!txn) return next()
+
+    const base_dir = this.get_base_dir()
+    const msg_dir = path.join(base_dir, subdir)
+    const tmp_path = path.join(base_dir, 'tmp', txn.uuid)
+    const msg_path = path.join(msg_dir, txn.uuid)
+
+    // Create all the directories recursively if they do not exist.
+    // Then write the file to a temporary directory first, once this is
+    // successful we hardlink the file to the final destination and then
+    // remove the temporary file to guarantee a complete file in the
+    // final destination.
+    fs.promises
+        .mkdir(msg_dir, { recursive: true })
+        .catch(() => {
+            connection.logerror(this, `Error creating directory: ${msg_dir}`)
+            next()
+        })
+        .then(() => {
+            const ws = fs.createWriteStream(tmp_path)
+
+            ws.on('error', (err) => {
+                connection.logerror(this, `Error writing quarantine file: ${err.message}`)
+                return next()
+            })
+            ws.on('close', () => {
+                fs.link(tmp_path, msg_path, (err) => {
+                    if (err) {
+                        connection.logerror(this, `Error writing quarantine file: ${err}`)
+                    } else {
+                        // Add a note to where we stored the message
+                        txn.notes.quarantined = msg_path
+                        txn.results.add(this, { pass: msg_path, emit: true })
+                        // Now delete the temporary file
+                        fs.unlink(tmp_path, () => {})
+                    }
+                    // Using notes.quarantine_action to decide what to do after the message is quarantined.
+                    // Format can be either action = [ code, msg ] or action = code
+                    const action = connection.notes.quarantine_action || txn.notes.quarantine_action
+                    if (!action) return next()
+                    if (Array.isArray(action)) return next(action[0], action[1])
+                    return next(action)
+                })
+            })
+            txn.message_stream.pipe(ws, { line_endings: '\n' })
+        })
+}

package/plugins/queue/smtp_bridge.js

@@ -0,0 +1,45 @@
+// Bridge to an SMTP server
+// Overrides the MX and sets the same AUTH user and password
+
+exports.register = function () {
+    this.load_flat_ini()
+}
+
+exports.load_flat_ini = function () {
+    this.cfg = this.config.get('smtp_bridge.ini', () => {
+        this.load_flat_ini()
+    })
+}
+
+exports.hook_data_post = (next, connection) => {
+    const txn = connection?.transaction
+    if (!txn) return next()
+
+    // Copy auth notes to transaction notes so they're available in hmail.todo.notes
+    txn.notes.auth_user = connection.notes.auth_user
+    txn.notes.auth_passwd = connection.notes.auth_passwd
+    return next()
+}
+
+exports.hook_get_mx = function (next, hmail) {
+    let priority = 10
+    if (this.cfg.main.priority) {
+        priority = this.cfg.main.priority
+    }
+    let authType = null
+    if (this.cfg.main.auth_type) {
+        authType = this.cfg.main.auth_type
+    }
+    let port = null
+    if (this.cfg.main.port) {
+        port = this.cfg.main.port
+    }
+    return next(OK, {
+        priority,
+        exchange: this.cfg.main.host,
+        port,
+        auth_type: authType,
+        auth_user: hmail.todo.notes.auth_user,
+        auth_pass: hmail.todo.notes.auth_passwd,
+    })
+}

package/plugins/queue/smtp_forward.js

@@ -0,0 +1,371 @@
+'use strict'
+// Forward to an SMTP server
+// Opens the connection to the ongoing SMTP server at queue time
+// and passes back any errors seen on the ongoing server to the
+// originating server.
+
+const url = require('node:url')
+
+const smtp_client_mod = require('../../smtp_client')
+const tls_socket = require('../../tls_socket')
+
+exports.register = function () {
+    this.load_errs = []
+
+    this.load_smtp_forward_ini()
+
+    if (this.load_errs.length > 0) return
+
+    if (this.cfg.main.check_sender) {
+        this.register_hook('mail', 'check_sender')
+    }
+
+    if (this.cfg.main.check_recipient) {
+        this.register_hook('rcpt', 'check_recipient')
+    }
+
+    this.register_hook('queue', 'queue_forward')
+
+    if (this.cfg.main.enable_outbound) {
+        // deliver local message via smtp forward when relaying=true
+        this.register_hook('queue_outbound', 'queue_forward')
+    }
+
+    // may specify more specific [per-domain] outbound routes
+    this.register_hook('get_mx', 'get_mx')
+}
+
+exports.load_smtp_forward_ini = function () {
+    this.cfg = this.config.get(
+        'smtp_forward.ini',
+        {
+            booleans: [
+                '-main.enable_tls',
+                '-main.enable_outbound',
+                'main.one_message_per_rcpt',
+                '-main.check_sender',
+                '-main.check_recipient',
+                '*.enable_tls',
+                '*.enable_outbound',
+                '+tls.requestCert',
+                '+tls.honorCipherOrder',
+                '-tls.rejectUnauthorized',
+            ],
+        },
+        () => {
+            this.load_smtp_forward_ini()
+        },
+    )
+
+    // Build backend TLS options from tls.ini [main] + this plugin's [tls] section.
+    // Re-derived on every (re)load so SIGHUP picks up edits.
+    this.tls_options = tls_socket.load_plugin_tls_options(this.cfg.tls || {})
+}
+
+exports.get_config = function (conn) {
+    if (!conn.transaction) return this.cfg.main
+
+    let dom, address
+    if (this.cfg.main.domain_selector === 'mail_from') {
+        if (!conn.transaction.mail_from) return this.cfg.main
+        dom = conn.transaction.mail_from.host
+        address = conn.transaction.mail_from.address
+    } else {
+        if (!conn.transaction.rcpt_to[0]) return this.cfg.main
+        dom = conn.transaction.rcpt_to[0].host
+    }
+
+    if (address && this.cfg[address]) return this.cfg[address]
+    if (!dom) return this.cfg.main
+    if (!this.cfg[dom]) return this.cfg.main // no specific route
+
+    return this.cfg[dom]
+}
+
+exports.is_outbound_enabled = function (dom_cfg) {
+    if ('enable_outbound' in dom_cfg) return dom_cfg.enable_outbound // per-domain flag
+
+    return this.cfg.main.enable_outbound // follow the global configuration
+}
+
+exports.check_sender = function (next, connection, params) {
+    const txn = connection?.transaction
+    if (!txn) return
+
+    const email = params[0].address
+    if (!email) {
+        txn.results.add(this, { skip: 'mail_from.null', emit: true })
+        return next()
+    }
+
+    const domain = params[0].host.toLowerCase()
+    if (!this.cfg[domain]) return next()
+
+    // domain is defined in smtp_forward.ini
+    txn.notes.local_sender = true
+
+    if (!connection.relaying) {
+        txn.results.add(this, { fail: 'mail_from!spoof' })
+        return next(DENY, 'Spoofed MAIL FROM')
+    }
+
+    txn.results.add(this, { pass: 'mail_from' })
+    next()
+}
+
+exports.set_queue = function (connection, queue_wanted, domain) {
+    let dom_cfg = this.cfg[domain]
+    if (dom_cfg === undefined) dom_cfg = {}
+
+    if (!queue_wanted) queue_wanted = dom_cfg.queue || this.cfg.main.queue
+    if (!queue_wanted) return true
+
+    let dst_host = dom_cfg.host || this.cfg.main.host
+    if (dst_host) dst_host = `smtp://${dst_host}`
+
+    const notes = connection?.transaction?.notes
+    if (!notes) return false
+    if (!notes.get('queue.wants')) {
+        notes.set('queue.wants', queue_wanted)
+        if (dst_host) notes.set('queue.next_hop', dst_host)
+        return true
+    }
+
+    // multiple recipients with same destination
+    if (notes.get('queue.wants') === queue_wanted) {
+        if (!dst_host) return true
+
+        const next_hop = notes.get('queue.next_hop')
+        if (!next_hop) return true
+        if (next_hop === dst_host) return true
+    }
+
+    // multiple recipients with different forward host, soft deny
+    return false
+}
+
+exports.check_recipient = function (next, connection, params) {
+    const txn = connection?.transaction
+    if (!txn) return
+
+    const rcpt = params[0]
+    if (!rcpt.host) {
+        txn.results.add(this, { skip: 'rcpt!domain' })
+        return next()
+    }
+
+    if (connection.relaying && txn.notes.local_sender) {
+        this.set_queue(connection, 'outbound')
+        txn.results.add(this, { pass: 'relaying local_sender' })
+        return next(OK)
+    }
+
+    const domain = rcpt.host.toLowerCase()
+    if (this.cfg[domain] !== undefined) {
+        if (this.set_queue(connection, 'smtp_forward', domain)) {
+            txn.results.add(this, { pass: 'rcpt_to' })
+            return next(OK)
+        }
+        txn.results.add(this, { pass: 'rcpt_to.split' })
+        return next(DENYSOFT, 'Split transaction, retry soon')
+    }
+
+    // the MAIL FROM domain is not local and neither is the RCPT TO
+    // Another RCPT plugin may vouch for this recipient.
+    txn.results.add(this, { msg: 'rcpt!local' })
+    next()
+}
+
+exports.auth = function (cfg, connection, smtp_client) {
+    connection.loginfo(this, `Configuring authentication for SMTP server ${cfg.host}:${cfg.port}`)
+    smtp_client.on('capabilities', () => {
+        connection.loginfo(this, 'capabilities received')
+
+        if ('secured' in smtp_client) {
+            connection.loginfo(this, 'secured is pending')
+            if (smtp_client.secured === false) {
+                connection.loginfo(this, 'Waiting for STARTTLS to complete. AUTH postponed')
+                return
+            }
+        }
+
+        function base64(str) {
+            const buffer = Buffer.from(str, 'UTF-8')
+            return buffer.toString('base64')
+        }
+
+        if (cfg.auth_type === 'plain') {
+            connection.loginfo(this, `Authenticating with AUTH PLAIN ${cfg.auth_user}`)
+            smtp_client.send_command('AUTH', `PLAIN ${base64(`\0${cfg.auth_user}\0${cfg.auth_pass}`)}`)
+            return
+        }
+
+        if (cfg.auth_type === 'login') {
+            smtp_client.authenticating = true
+            smtp_client.authenticated = false
+
+            connection.loginfo(this, `Authenticating with AUTH LOGIN ${cfg.auth_user}`)
+            smtp_client.send_command('AUTH', 'LOGIN')
+            smtp_client.on('auth', () => {
+                // do nothing
+            })
+            smtp_client.on('auth_username', () => {
+                smtp_client.send_command(base64(cfg.auth_user))
+            })
+            smtp_client.on('auth_password', () => {
+                smtp_client.send_command(base64(cfg.auth_pass))
+            })
+        }
+    })
+}
+
+exports.forward_enabled = function (conn, dom_cfg) {
+    const q_wants = conn.transaction.notes.get('queue.wants')
+    if (q_wants && q_wants !== 'smtp_forward') {
+        conn.logdebug(this, `skipping, unwanted (${q_wants})`)
+        return false
+    }
+
+    if (conn.relaying && !this.is_outbound_enabled(dom_cfg)) {
+        conn.logdebug(this, 'skipping, outbound disabled')
+        return false
+    }
+
+    return true
+}
+
+exports.queue_forward = function (next, connection) {
+    const plugin = this
+    if (connection.remote.closed) return
+    const txn = connection?.transaction
+
+    const cfg = plugin.get_config(connection)
+    if (!plugin.forward_enabled(connection, cfg)) return next()
+
+    smtp_client_mod.get_client_plugin(plugin, connection, cfg, (err, smtp_client) => {
+        smtp_client.next = next
+
+        let rcpt = 0
+
+        if (cfg.auth_user) plugin.auth(cfg, connection, smtp_client)
+
+        connection.loginfo(
+            plugin,
+            `forwarding to ${cfg.forwarding_host_pool ? 'host_pool' : `${cfg.host}:${cfg.port}`}`,
+        )
+
+        function get_rs() {
+            return txn?.results ?? connection.results
+        }
+
+        function dead_sender() {
+            if (smtp_client.is_dead_sender(plugin, connection)) {
+                get_rs().add(plugin, { err: 'dead sender' })
+                return true
+            }
+            return false
+        }
+
+        function send_rcpt() {
+            if (dead_sender() || !txn) return
+            if (rcpt === txn.rcpt_to.length) {
+                smtp_client.send_command('DATA')
+                return
+            }
+            smtp_client.send_command('RCPT', `TO:${txn.rcpt_to[rcpt].format(!smtp_client.smtputf8)}`)
+            rcpt++
+        }
+
+        smtp_client.on('mail', send_rcpt)
+
+        if (cfg.one_message_per_rcpt) {
+            smtp_client.on('rcpt', () => {
+                smtp_client.send_command('DATA')
+            })
+        } else {
+            smtp_client.on('rcpt', send_rcpt)
+        }
+
+        smtp_client.on('data', () => {
+            if (dead_sender()) return
+            smtp_client.start_data(txn.message_stream)
+        })
+
+        smtp_client.on('dot', () => {
+            if (dead_sender() || !txn) return
+
+            get_rs().add(plugin, { pass: smtp_client.response })
+            if (rcpt < txn.rcpt_to.length) {
+                smtp_client.send_command('RSET')
+                return
+            }
+            smtp_client.call_next(OK, smtp_client.response)
+            smtp_client.release()
+        })
+
+        smtp_client.on('rset', () => {
+            if (dead_sender() || !txn) return
+            smtp_client.send_command('MAIL', `FROM:${txn.mail_from}`)
+        })
+
+        smtp_client.on('bad_code', (code, msg) => {
+            if (dead_sender() || !txn) return
+            smtp_client.call_next(code && code[0] === '5' ? DENY : DENYSOFT, msg)
+            smtp_client.release()
+        })
+    })
+}
+
+exports.get_mx_next_hop = (next_hop) => {
+    // queue.wants && queue.next_hop are mechanisms for fine-grained MX routing.
+    // Plugins can specify a queue to perform the delivery as well as a route. A
+    // plugin that uses this is qmail-deliverable, which can direct email delivery
+    // via smtp_forward, outbound (SMTP), and outbound (LMTP).
+    const dest = new url.URL(next_hop)
+    const mx = {
+        priority: 0,
+        port: dest.port || (dest.protocol === 'lmtp:' ? 24 : 25),
+        exchange: dest.hostname,
+    }
+    if (dest.protocol === 'lmtp:') mx.using_lmtp = true
+    if (dest.username) {
+        mx.auth_type = 'plain'
+        mx.auth_user = dest.username
+        mx.auth_pass = dest.password
+    }
+    return mx
+}
+
+exports.get_mx = function (next, hmail, domain) {
+    const qw = hmail.todo.notes.get('queue.wants')
+    if (qw && !['smtp_forward', 'outbound'].includes(qw)) return next()
+
+    if (qw === 'smtp_forward' && hmail.todo.notes.get('queue.next_hop')) {
+        return next(OK, this.get_mx_next_hop(hmail.todo.notes.get('queue.next_hop')))
+    }
+
+    const dom =
+        this.cfg.main.domain_selector === 'mail_from' ? hmail.todo.mail_from.host.toLowerCase() : domain.toLowerCase()
+    const cfg = this.cfg[dom]
+
+    if (cfg === undefined) {
+        this.logdebug(`using DNS MX for: ${domain}`)
+        return next()
+    }
+
+    const mx_opts = ['auth_type', 'auth_user', 'auth_pass', 'bind', 'bind_helo', 'using_lmtp']
+
+    const mx = {
+        priority: 0,
+        exchange: cfg.host || this.cfg.main.host,
+        port: cfg.port || this.cfg.main.port || 25,
+    }
+
+    // apply auth/mx options
+    for (const o of mx_opts) {
+        if (cfg[o] === undefined) continue
+        mx[o] = this.cfg[dom][o]
+    }
+
+    next(OK, mx)
+}