haraka 0.0.32 → 3.3.0

package/plugins/tls.js

@@ -0,0 +1,164 @@
+'use strict'
+// TLS is built into Haraka. This plugin conditionally advertises STARTTLS.
+// see 'haraka -h tls' for help
+
+/* global server */
+
+const tls_socket = require('../tls_socket')
+
+// exported so tests can override config dir
+exports.net_utils = require('haraka-net-utils')
+
+exports.register = function () {
+    tls_socket.load_tls_ini()
+
+    if (tls_socket.cfg.redis.disable_for_failed_hosts) this.logdebug('Will disable STARTTLS for failing TLS hosts')
+
+    this.register_hook('capabilities', 'advertise_starttls')
+    this.register_hook('unrecognized_command', 'upgrade_connection')
+}
+
+exports.shutdown = () => {
+    if (tls_socket.shutdown) tls_socket.shutdown()
+}
+
+exports.advertise_starttls = function (next, connection) {
+    // if no TLS setup incomplete/invalid, don't advertise
+    if (!tls_socket.tls_valid) {
+        this.logerror('no valid TLS config')
+        return next()
+    }
+
+    /* Caution: do not advertise STARTTLS if already TLS upgraded */
+    if (connection.tls.enabled) return next()
+
+    if (this.net_utils.ip_in_list(tls_socket.cfg.no_tls_hosts, connection.remote.ip)) {
+        return next()
+    }
+
+    function enable_tls() {
+        connection.capabilities.push('STARTTLS')
+        connection.tls.advertised = true
+        next()
+    }
+
+    // check if local port is excluded from starttls advertisement
+    if (tls_socket.cfg.main.no_starttls_ports.includes(connection.local.port)) return next()
+
+    // exclude port 587 from NO-GO
+    if (connection.local.port === 587) return enable_tls()
+
+    if (!tls_socket.cfg.redis || !server.notes.redis) {
+        return enable_tls()
+    }
+
+    const { redis } = server.notes
+    const dbkey = `no_tls|${connection.remote.ip}`
+
+    redis
+        .get(dbkey)
+        .then((dbr) => {
+            if (!dbr) return enable_tls()
+            connection.results.add(this, { msg: 'no_tls' })
+            next(CONT, 'STARTTLS disabled because previous attempt failed')
+        })
+        .catch((err) => {
+            connection.results.add(this, { err })
+            enable_tls()
+        })
+}
+
+exports.set_notls = function (connection) {
+    if (!tls_socket.cfg.redis.disable_for_failed_hosts) return
+    if (!server.notes.redis) return
+
+    const expiry = tls_socket.cfg.redis.disable_inbound_expiry || 3600
+
+    this.lognotice(connection, `STARTTLS failed. Marking ${connection.remote.ip} as non-TLS host for ${expiry} seconds`)
+
+    server.notes.redis.setEx(`no_tls|${connection.remote.ip}`, expiry, new Date().toISOString())
+}
+
+exports.upgrade_connection = function (next, connection, params) {
+    if (!connection.tls.advertised) return next()
+
+    /* Watch for STARTTLS directive from client. */
+    if (params[0].toUpperCase() !== 'STARTTLS') return next()
+
+    // RFC 3207 §4: discard any plaintext the client pipelined after
+    // STARTTLS. Otherwise connection.respond() restores state to CMD and
+    // re-enters _process_data(), parsing and executing those buffered
+    // cleartext commands before the TLS handshake completes (STARTTLS
+    // command injection). Mirrors the buffer-nuke already used for
+    // SSL-over-plaintext detection in connection.process_line().
+    connection.current_data = null
+
+    /* Respond to STARTTLS command. */
+    connection.respond(220, 'Go ahead.')
+
+    const plugin = this
+    let called_next = false
+    // adjust plugin.timeout like so: echo '45' > config/tls.timeout
+    const timeout = plugin.timeout - 1
+
+    function nextOnce(disconnected) {
+        if (called_next) return
+        called_next = true
+        clearTimeout(connection.notes.tls_timer)
+        if (!disconnected) connection.lognotice(plugin, 'timeout setting up TLS')
+        plugin.set_notls(connection)
+        return next(DENYSOFTDISCONNECT)
+    }
+
+    if (timeout && timeout > 0) {
+        connection.notes.tls_timer = setTimeout(nextOnce, timeout * 1000)
+    }
+
+    connection.notes.cleanUpDisconnect = nextOnce
+
+    /* Upgrade the connection to TLS. */
+    connection.client.upgrade((verified, verifyError, cert, cipher) => {
+        if (called_next) return
+        clearTimeout(connection.notes.tls_timer)
+        called_next = true
+        connection.reset_transaction(() => {
+            connection.setTLS({
+                cipher,
+                verified,
+                verifyError,
+                peerCertificate: cert,
+            })
+
+            connection.results.add(plugin, connection.tls)
+            plugin.emit_upgrade_msg(connection, verified, verifyError, cert, cipher)
+            next(OK)
+        })
+    })
+}
+
+exports.hook_disconnect = (next, connection) => {
+    if (connection.notes.cleanUpDisconnect) {
+        connection.notes.cleanUpDisconnect(true)
+    }
+    next()
+}
+
+exports.emit_upgrade_msg = function (conn, verified, verifyError, cert, cipher) {
+    let msg = 'secured:'
+    if (cipher) {
+        msg += ` cipher=${cipher.name} version=${cipher.version}`
+    }
+    msg += ` verified=${verified}`
+    if (verifyError) msg += ` error="${verifyError}"`
+    if (cert) {
+        if (cert.subject) {
+            msg += ` cn="${cert.subject.CN}" organization="${cert.subject.O}"`
+        }
+        if (cert.issuer) msg += ` issuer="${cert.issuer.O}"`
+        if (cert.valid_to) msg += ` expires="${cert.valid_to}"`
+        if (cert.fingerprint) msg += ` fingerprint=${cert.fingerprint}`
+    }
+
+    conn.loginfo(this, msg)
+    return msg
+}

package/plugins/toobusy.js

@@ -0,0 +1,47 @@
+// Stop accepting new connections when we are too busy
+
+let toobusy
+let was_busy = false
+
+exports.register = function () {
+    try {
+        toobusy = require('toobusy-js')
+    } catch (e) {
+        this.logerror(e)
+        this.logerror("try: 'npm install -g toobusy-js'")
+        return
+    }
+
+    this.loadConfig()
+
+    this.register_hook('connect', 'check_busy', -100)
+}
+
+exports.loadConfig = function () {
+    let maxLag = this.config.get('toobusy.maxlag', 'value', () => {
+        this.loadConfig()
+    })
+
+    maxLag = parseInt(maxLag)
+    if (maxLag) {
+        // This will throw an exception on error
+        toobusy.maxLag(maxLag)
+    }
+}
+
+exports.check_busy = function (next) {
+    if (!toobusy()) {
+        was_busy = false
+        return next()
+    }
+
+    if (!was_busy) {
+        was_busy = true
+        // Log a CRIT error at the first occurrence
+        const currentLag = toobusy.lag()
+        const maxLag = toobusy.maxLag()
+        this.logcrit(`deferring connections: lag=${currentLag} max=${maxLag}`)
+    }
+
+    return next(DENYSOFTDISCONNECT, 'Too busy; please try again later')
+}

package/plugins/xclient.js

@@ -0,0 +1,124 @@
+// Implementation of XCLIENT protocol
+// See http://www.postfix.org/XCLIENT_README.html
+
+const net = require('node:net')
+
+const utils = require('haraka-utils')
+const DSN = require('haraka-dsn')
+let allowed_hosts = {}
+
+exports.register = function () {
+    this.load_xclient_hosts()
+}
+
+exports.load_xclient_hosts = function () {
+    const cfg = this.config.get('xclient.hosts', 'list', () => {
+        this.load_xclient_hosts()
+    })
+    const ah = {}
+    for (const i in cfg) {
+        ah[cfg[i]] = true
+    }
+    allowed_hosts = ah
+}
+
+function xclient_allowed(ip) {
+    return !!(ip === '127.0.0.1' || ip === '::1' || allowed_hosts[ip])
+}
+
+exports.hook_capabilities = (next, connection) => {
+    if (xclient_allowed(connection.remote.ip)) {
+        connection.capabilities.push('XCLIENT NAME ADDR PROTO HELO LOGIN')
+    }
+    next()
+}
+
+exports.hook_unrecognized_command = function (next, connection, params) {
+    if (params[0] !== 'XCLIENT') return next()
+
+    // XCLIENT is not allowed after transaction start
+    if (connection?.transaction) {
+        return next(DENY, DSN.proto_unspecified('Mail transaction in progress', 503))
+    }
+
+    if (!xclient_allowed(connection?.remote?.ip)) {
+        return next(DENY, DSN.proto_unspecified('Not authorized', 550))
+    }
+
+    // If we get here - the client is allowed to use XCLIENT
+    // Process arguments
+    const args = new String(params[1]).toLowerCase().split(/ /)
+    const xclient = {}
+    for (const arg of args) {
+        const match = /^([^=]+)=([^ ]+)/.exec(arg)
+        if (match) {
+            connection.logdebug(this, `found key=${match[1]} value=${match[2]}`)
+            switch (match[1]) {
+                case 'destaddr':
+                case 'addr': {
+                    // IPv6 is prefixed in the XCLIENT protocol
+                    let ipv6
+                    if ((ipv6 = /^IPV6:(.+)$/i.exec(match[2]))) {
+                        // Validate
+                        if (net.isIPv6(ipv6[1])) {
+                            xclient[match[1]] = ipv6[1]
+                        }
+                    } else if (!/\[UNAVAILABLE\]/i.test(match[2])) {
+                        // IPv4
+                        if (net.isIPv4(match[2])) {
+                            xclient[match[1]] = match[2]
+                        }
+                    }
+                    break
+                }
+                case 'proto':
+                    // SMTP or ESMTP
+                    if (/^e?smtp/i.test(match[2])) {
+                        xclient[match[1]] = match[2]
+                    }
+                    break
+                case 'name':
+                case 'port':
+                case 'helo':
+                case 'login':
+                case 'destport':
+                    if (!/\[(UNAVAILABLE|TEMPUNAVAIL)\]/i.test(match[2])) {
+                        xclient[match[1]] = match[2]
+                    }
+                    break
+                default:
+                    connection.logwarn(this, `unknown argument: ${arg}`)
+            }
+        } else {
+            connection.logwarn(this, `unknown argument: ${arg}`)
+        }
+    }
+
+    // Abort if we don't have a valid IP address
+    if (!xclient.addr) {
+        return next(DENY, DSN.proto_invalid_cmd_args('No valid IP address found', 501))
+    }
+
+    // Apply changes
+    const new_uuid = utils.uuid()
+    connection.loginfo(this, `new uuid=${new_uuid}`)
+    connection.uuid = new_uuid
+    connection.reset_transaction()
+    connection.relaying = false
+    connection.set('remote.ip', xclient.addr)
+    connection.set('remote.host', xclient.name ? xclient.name : undefined)
+    connection.set('remote.login', xclient.login ? xclient.login : undefined)
+    connection.set('hello.host', xclient.helo ? xclient.helo : undefined)
+    connection.set('local.ip', xclient.destaddr ? xclient.destaddr : undefined)
+    // parseInt so downstream numeric checks (e.g. the 587/465 auth-required
+    // gate in connection.cmd_mail) work; matches the PROXY path.
+    connection.set('local.port', xclient.destport ? parseInt(xclient.destport, 10) : undefined)
+    if (xclient.proto) {
+        connection.set('hello', 'verb', xclient.proto === 'esmtp' ? 'EHLO' : 'HELO')
+    }
+    connection.esmtp = xclient.proto === 'esmtp'
+    connection.xclient = true
+    if (!xclient.name) return next(NEXT_HOOK, 'lookup_rdns')
+
+    next(NEXT_HOOK, 'connect')
+}