haraka 0.0.32 → 3.3.0

package/smtp_client.js

@@ -0,0 +1,504 @@
+'use strict'
+// SMTP client object and class. This allows every part of the client
+// protocol to be hooked for different levels of control, such as
+// smtp_forward and smtp_proxy queue plugins.
+// It can use HostPool to get a connection to a pool of
+// possible hosts in the configuration value "forwarding_host_pool", rather
+// than a bunch of connections to a single host from the configuration values
+// in "host" and "port" (see host_pool.js).
+
+const events = require('node:events')
+
+const ipaddr = require('ipaddr.js')
+const net_utils = require('haraka-net-utils')
+const utils = require('haraka-utils')
+
+const tls_socket = require('./tls_socket')
+const logger = require('./logger')
+const HostPool = net_utils.HostPool
+
+const smtp_regexp = /^(\d{3})([ -])(.*)/
+const STATE = {
+    IDLE: 1,
+    ACTIVE: 2,
+    RELEASED: 3,
+    DESTROYED: 4,
+}
+
+class SMTPClient extends events.EventEmitter {
+    constructor(opts = {}) {
+        super()
+        this.uuid = utils.uuid()
+        this.connect_timeout = parseInt(opts.connect_timeout) || 30
+        this.socket = opts.socket || this.get_socket(opts)
+        this.socket.setTimeout(this.connect_timeout * 1000)
+        this.socket.setKeepAlive(true)
+        this.state = STATE.IDLE
+        this.command = 'greeting'
+        this.response = []
+        this.connected = false
+        this.authenticating = false
+        this.authenticated = false
+        this.auth_capabilities = []
+        this.host = opts.host
+        this.port = opts.port
+        this.smtputf8 = false
+
+        const client = this
+
+        client.socket.on('line', (line) => {
+            client.emit('server_protocol', line)
+            const matches = smtp_regexp.exec(line)
+            if (!matches) {
+                client.emit('error', `${client.uuid}: Unrecognized response from upstream server: ${line}`)
+                client.destroy()
+                return
+            }
+
+            const code = matches[1]
+            const cont = matches[2]
+            const msg = matches[3]
+
+            client.response.push(msg)
+            if (cont !== ' ') return
+
+            if (client.command === 'auth' || client.authenticating) {
+                logger.info(
+                    `SERVER RESPONSE, CLIENT ${client.command}, authenticating=${client.authenticating},code=${code},cont=${cont},msg=${msg}`,
+                )
+                if (
+                    /^3/.test(code) &&
+                    (msg === 'VXNlcm5hbWU6' || msg === 'dXNlcm5hbWU6') // Workaround ill-mannered SMTP servers (namely smtp.163.com)
+                ) {
+                    client.emit('auth_username')
+                    return
+                }
+                if (/^3/.test(code) && msg === 'UGFzc3dvcmQ6') {
+                    client.emit('auth_password')
+                    return
+                }
+                if (/^2/.test(code) && client.authenticating) {
+                    logger.info('AUTHENTICATED')
+                    client.authenticating = false
+                    client.authenticated = true
+                    client.emit('auth')
+                    return
+                }
+            }
+
+            if (client.command === 'ehlo') {
+                if (code.match(/^5/)) {
+                    // Handle fallback to HELO if EHLO is rejected
+                    client.emit('greeting', 'HELO')
+                    return
+                }
+                client.emit('capabilities')
+                if (client.command !== 'ehlo') {
+                    return
+                }
+            }
+
+            if (client.command === 'xclient' && /^5/.test(code)) {
+                // XCLIENT command was rejected (no permission?)
+                // Carry on without XCLIENT
+                client.command = 'helo'
+            } else if (/^[45]/.test(code)) {
+                client.emit('bad_code', code, client.response.join(' '))
+                if (client.state !== STATE.ACTIVE) {
+                    return
+                }
+            }
+
+            if (/^441/.test(code)) {
+                if (/Connection timed out/i.test(msg)) {
+                    client.destroy()
+                }
+            }
+
+            switch (client.command) {
+                case 'xclient':
+                    client.xclient = true
+                    client.emit('xclient', 'EHLO')
+                    break
+                case 'starttls':
+                    client.upgrade(client.tls_options)
+                    break
+                case 'greeting':
+                    client.connected = true
+                    client.emit('greeting', 'EHLO')
+                    break
+                case 'ehlo':
+                    client.emit('helo')
+                    break
+                case 'helo':
+                case 'mail':
+                case 'rcpt':
+                case 'data':
+                case 'dot':
+                case 'rset':
+                case 'auth':
+                    client.emit(client.command)
+                    break
+                case 'quit':
+                    client.emit('quit')
+                    client.destroy()
+                    break
+                default:
+                    throw new Error(`Unknown command: ${client.command}`)
+            }
+        })
+
+        client.socket.on('connect', () => {
+            // Replace connection timeout with idle timeout
+            client.socket.setTimeout((opts.idle_timeout || 300) * 1000)
+            if (!client.socket.remoteAddress) {
+                // "Value may be undefined if the socket is destroyed"
+                logger.debug('socket.remoteAddress undefined')
+                return
+            }
+            client.remote_ip = ipaddr.process(client.socket.remoteAddress).toString()
+        })
+
+        function closed(msg) {
+            return (error) => {
+                if (!error) error = ''
+
+                // error is e.g. "Error: connect ECONNREFUSED"
+                const errMsg = `${client.uuid}: [${client.host}:${client.port}] SMTP connection ${msg} ${error}`
+
+                /* eslint-disable no-fallthrough */
+                switch (client.state) {
+                    case STATE.ACTIVE:
+                        client.emit('error', errMsg)
+                    case STATE.IDLE:
+                    case STATE.RELEASED:
+                        client.destroy()
+                        break
+                    case STATE.DESTROYED:
+                        if (msg === 'errored' || msg === 'timed out') {
+                            client.emit('connection-error', errMsg)
+                        }
+                        break
+                    default:
+                }
+
+                logger.debug(`[smtp_client] ${errMsg} (state=${client.state})`)
+            }
+        }
+
+        client.socket.on('error', closed('errored'))
+        client.socket.on('timeout', closed('timed out'))
+        client.socket.on('close', closed('closed'))
+        client.socket.on('end', closed('ended'))
+    }
+
+    load_tls_options(opts = {}) {
+        this.tls_options = { servername: this.host, ...opts }
+    }
+
+    send_command(command, data) {
+        const line = command === 'dot' ? '.' : command + (data ? ` ${data}` : '')
+        this.emit('client_protocol', line)
+        this.command = command.toLowerCase()
+        this.response = []
+        this.socket.write(`${line}\r\n`)
+    }
+
+    start_data(data) {
+        this.response = []
+        this.command = 'dot'
+        data.pipe(this.socket, {
+            dot_stuffed: false,
+            ending_dot: true,
+            end: false,
+        })
+    }
+
+    release() {
+        if (this.state === STATE.DESTROYED) return
+        const listeners = [
+            'auth',
+            'bad_code',
+            'capabilities',
+            'client_protocol',
+            'connection-error',
+            'data',
+            'dot',
+            'error',
+            'greeting',
+            'helo',
+            'mail',
+            'rcpt',
+            'rset',
+            'server_protocol',
+            'xclient',
+        ]
+        logger.debug(`[smtp_client] ${this.uuid} releasing, state=${this.state}`)
+        for (const l of listeners) {
+            this.removeAllListeners(l)
+        }
+
+        if (this.connected) this.send_command('QUIT')
+        this.destroy()
+    }
+
+    destroy() {
+        if (this.state === STATE.DESTROYED) return
+        this.state = STATE.DESTROYED
+        this.socket.destroy()
+    }
+
+    upgrade(tls_options) {
+        this.socket.upgrade(tls_options, (verified, verifyError, cert, cipher) => {
+            logger.info(
+                `secured:${
+                    cipher ? ` cipher=${cipher.name} version=${cipher.version}` : ''
+                } verified=${verified}${verifyError ? ` error="${verifyError}"` : ''}${
+                    cert?.subject ? ` cn="${cert.subject.CN}" organization="${cert.subject.O}"` : ''
+                }${cert?.issuer ? ` issuer="${cert.issuer.O}"` : ''}${
+                    cert?.valid_to ? ` expires="${cert.valid_to}"` : ''
+                }${cert?.fingerprint ? ` fingerprint=${cert.fingerprint}` : ''}`,
+            )
+        })
+    }
+
+    is_dead_sender(plugin, connection) {
+        if (connection?.transaction) return false
+
+        // This likely means the sender went away on us, cleanup.
+        connection.logwarn(plugin, 'transaction went away, releasing smtp_client')
+        this.release()
+        return true
+    }
+
+    get_socket(opts) {
+        const socket = tls_socket.connect({
+            host: opts.host,
+            port: opts.port,
+            timeout: this.connect_timeout,
+        })
+        net_utils.add_line_processor(socket)
+        return socket
+    }
+}
+
+exports.smtp_client = SMTPClient
+
+// Get a smtp_client for the given attributes.
+// used only in testing
+exports.get_client = (server, callback, opts = {}) => {
+    const smtp_client = new SMTPClient(opts)
+    logger.debug(`[smtp_client] uuid=${smtp_client.uuid} host=${opts.host} port=${opts.port} created`)
+    callback(smtp_client)
+}
+
+exports.onCapabilitiesOutbound = (smtp_client, secured, connection, config, on_secured) => {
+    for (const line in smtp_client.response) {
+        if (/^XCLIENT/.test(smtp_client.response[line])) {
+            if (!smtp_client.xclient) {
+                smtp_client.send_command('XCLIENT', `ADDR=${connection.remote.ip}`)
+                return
+            }
+        }
+
+        if (/^SMTPUTF8/.test(smtp_client.response[line])) {
+            smtp_client.smtputf8 = true
+        }
+
+        if (/^STARTTLS/.test(smtp_client.response[line]) && !secured) {
+            let hostBanned = false
+            let serverBanned = false
+
+            // Check if there are any banned TLS hosts
+            if (smtp_client.tls_options.no_tls_hosts) {
+                // If there are check if these hosts are in the blacklist
+                hostBanned = net_utils.ip_in_list(smtp_client.tls_options.no_tls_hosts, config.host)
+                serverBanned = net_utils.ip_in_list(smtp_client.tls_options.no_tls_hosts, smtp_client.remote_ip)
+            }
+
+            if (!hostBanned && !serverBanned && config.enable_tls) {
+                smtp_client.socket.on('secure', on_secured)
+                smtp_client.secured = false // have to wait in forward plugin before we can do auth, even if capabilities are there on first EHLO
+                smtp_client.send_command('STARTTLS')
+                return
+            }
+        }
+
+        let auth_matches = smtp_client.response[line].match(/^AUTH (.*)$/)
+        if (auth_matches) {
+            smtp_client.auth_capabilities = []
+            auth_matches = auth_matches[1].split(' ')
+            for (const authMatch of auth_matches) {
+                smtp_client.auth_capabilities.push(authMatch.toLowerCase())
+            }
+        }
+    }
+}
+
+// Get a smtp_client for the given attributes and set up the common
+// config and listeners for plugins. This is what smtp_proxy and
+// smtp_forward have in common.
+exports.get_client_plugin = (plugin, connection, c, callback) => {
+    // c = config
+    // Merge in authentication settings from smtp_forward/proxy.ini if present
+    // FIXME: config.auth could be changed when API isn't frozen
+    if (c.auth_type || c.auth_user || c.auth_pass) {
+        c.auth = {
+            type: c.auth_type,
+            user: c.auth_user,
+            pass: c.auth_pass,
+        }
+    }
+
+    const hostport = get_hostport(connection, c)
+    const smtp_client = new SMTPClient(hostport)
+    logger.info(`[smtp_client] uuid=${smtp_client.uuid} host=${hostport.host} port=${hostport.port} created`)
+
+    connection.logdebug(plugin, `Got smtp_client: ${smtp_client.uuid}`)
+
+    let secured = false
+
+    smtp_client.load_tls_options(plugin.tls_options)
+
+    smtp_client.call_next = function (retval, msg) {
+        if (this.next) {
+            const { next } = this
+            delete this.next
+            next(retval, msg)
+        }
+    }
+
+    smtp_client.on('client_protocol', (line) => {
+        // Don't leak SASL credentials (e.g. AUTH PLAIN <base64>) into
+        // protocol logs.
+        const safe = String(line).replace(/^(AUTH\s+\S+\s+).+$/i, '$1[redacted]')
+        connection.logprotocol(plugin, `C: ${safe}`)
+    })
+
+    smtp_client.on('server_protocol', (line) => {
+        connection.logprotocol(plugin, `S: ${line}`)
+    })
+
+    function helo(command) {
+        if (smtp_client.xclient) {
+            smtp_client.send_command(command, connection.hello.host)
+        } else {
+            smtp_client.send_command(command, connection.local.host)
+        }
+    }
+    smtp_client.on('greeting', helo)
+    smtp_client.on('xclient', helo)
+
+    function on_secured() {
+        if (secured) return
+        secured = true
+        smtp_client.secured = true
+        smtp_client.emit('greeting', 'EHLO')
+    }
+
+    smtp_client.on('capabilities', () => {
+        exports.onCapabilitiesOutbound(smtp_client, secured, connection, c, on_secured)
+    })
+
+    smtp_client.on('helo', () => {
+        if (!c.auth || smtp_client.authenticated) {
+            if (smtp_client.is_dead_sender(plugin, connection)) return
+
+            smtp_client.send_command('MAIL', `FROM:${connection.transaction.mail_from.format(!smtp_client.smtputf8)}`)
+            return
+        }
+
+        if (c.auth.type === null || typeof c.auth.type === 'undefined') return // Ignore blank
+        const auth_type = c.auth.type.toLowerCase()
+        // This listener runs from the socket line handler; an uncaught
+        // throw here crashes the forwarding worker. Route failures
+        // through the existing smtp_client 'error' flow (logwarn +
+        // call_next) so a misconfigured/hostile upstream degrades to a
+        // normal SMTP error path instead.
+        if (!smtp_client.auth_capabilities.includes(auth_type)) {
+            return smtp_client.emit(
+                'error',
+                `Auth type "${auth_type}" not supported by server (supports: ${smtp_client.auth_capabilities.join(',')})`,
+            )
+        }
+        switch (auth_type) {
+            case 'plain':
+                if (!c.auth.user || !c.auth.pass) {
+                    return smtp_client.emit('error', 'Must include auth.user and auth.pass for PLAIN auth.')
+                }
+                logger.debug(`[smtp_client] uuid=${smtp_client.uuid} authenticating as "${c.auth.user}"`)
+                smtp_client.send_command(
+                    'AUTH',
+                    `PLAIN ${utils.base64(`${c.auth.user}\0${c.auth.user}\0${c.auth.pass}`)}`,
+                )
+                break
+            case 'cram-md5':
+                return smtp_client.emit('error', `AUTH ${auth_type} not implemented`)
+            default:
+                return smtp_client.emit('error', `Unknown AUTH type: ${auth_type}`)
+        }
+    })
+
+    smtp_client.on('auth', () => {
+        // if authentication has been handled by plugin(s)
+        if (smtp_client.authenticating) return
+
+        if (smtp_client.is_dead_sender(plugin, connection)) return
+
+        smtp_client.authenticated = true
+        smtp_client.send_command('MAIL', `FROM:${connection.transaction.mail_from.format(!smtp_client.smtputf8)}`)
+    })
+
+    // these errors only get thrown when the connection is still active
+    smtp_client.on('error', (msg) => {
+        connection.logwarn(plugin, msg)
+        smtp_client.call_next()
+    })
+
+    // these are the errors thrown when the connection is dead
+    smtp_client.on('connection-error', (error) => {
+        // error contains e.g. "Error: connect ECONNREFUSE"
+        logger.error(`backend failure: ${smtp_client.host}:${smtp_client.port} - ${error}`)
+        const { host_pool } = connection.server.notes
+        // only exists for if forwarding_host_pool is set in the config
+        if (host_pool) {
+            host_pool.failed(smtp_client.host, smtp_client.port)
+        }
+        smtp_client.call_next()
+    })
+
+    if (smtp_client.connected) {
+        if (smtp_client.xclient) {
+            smtp_client.send_command('XCLIENT', `ADDR=${connection.remote.ip}`)
+        } else {
+            smtp_client.emit('helo')
+        }
+    }
+
+    callback(null, smtp_client)
+}
+
+function get_hostport(connection, cfg) {
+    const server = connection.server
+    if (cfg.forwarding_host_pool) {
+        if (!server.notes.host_pool) {
+            connection.logwarn(`creating host_pool from ${cfg.forwarding_host_pool}`)
+            server.notes.host_pool = new HostPool(
+                cfg.forwarding_host_pool, // 1.2.3.4:420, 5.6.7.8:420
+                cfg.dead_forwarding_host_retry_secs,
+                { logger },
+            )
+        }
+
+        const host = server.notes.host_pool.get_host()
+        if (host) return host // { host: 1.2.3.4, port: 567 }
+
+        logger.error('[smtp_client] no backend hosts in pool!')
+        throw new Error('no backend hosts found in pool!')
+    }
+
+    if (cfg.host && cfg.port) return { host: cfg.host, port: cfg.port }
+
+    logger.warn('[smtp_client] forwarding_host_pool or host and port were not found in config file')
+    throw new Error('You must specify either forwarding_host_pool or host and port')
+}

package/test/.eslintrc.yaml

@@ -0,0 +1,11 @@
+globals:
+  test: true
+  OK: true
+  CONT: true
+  DENY: true
+  DENYSOFT: true
+  DENYDISCONNECT: true
+  DENYSOFTDISCONNECT: true
+  HMailItem: true
+  TODOItem: true
+  test_queue_dir: true

package/test/config/auth_flat_file.ini

@@ -0,0 +1,5 @@
+[core]
+methods=CRAM-MD5
+
+[users]
+matt=goodPass

package/test/config/block_me.recipient

@@ -0,0 +1 @@
+blocklist@example.com

package/test/config/block_me.senders

@@ -0,0 +1 @@
+sender@example.com

package/test/config/dhparams.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA5u0Bg9gCrKvYbkCmUe7cZUjZYFbqvbo9UPaR27K5yPklpy2Fy7bT
++Jbzb/C0zHRD3mx3hoapa/3jB1Zhw31cxNmmwGvblpWNjToBoSydVDAY2BphJxHn
+CMEz3VGqiA4FXKx0R+jLeq5p5rTEuMbXTyxnj/hJesquORc2sy8L410Kw+6UvbPE
+tw9WKwzrpdMxwVSme2voHlpLZuvGqE/paxxnp0kmFp/esda2Aj8xVMEtAMh8lw8v
+fPaeTO94I4/SKJtzLl8j9J6mrq+aTYjljMryt2GJwZNrH41CPuOZYb5MyGAGPCWW
+l/RlqtnAit2IQ4VA1MrITAzoepC144w5CwIBAg==
+-----END DH PARAMETERS-----

package/test/config/host_list

@@ -0,0 +1,2 @@
+# tests hosts to accept mail for
+haraka.local

package/test/config/outbound_tls_cert.pem

@@ -0,0 +1 @@
+OutboundTlsCertLoaded

package/test/config/outbound_tls_key.pem

@@ -0,0 +1 @@
+OutboundTlsKeyLoaded

package/test/config/plugins

@@ -0,0 +1,7 @@
+tls
+
+auth/flat_file
+
+rcpt_to.in_host_list
+
+queue/discard

package/test/config/smtp.ini

@@ -0,0 +1,11 @@
+listen=0.0.0.0:2500
+
+ignore_bad_plugins=0
+
+show_version=true
+
+nodes=0
+
+daemonize=false
+
+spool_dir=test/tmp/queue

package/test/config/smtp_forward.ini

@@ -0,0 +1,30 @@
+; host to connect to
+host=localhost
+;
+; port to connect to
+port=2555
+;
+; uncomment to enable TLS to the backend SMTP server
+enable_tls=true
+;
+; for messages that have multiple RCPT, send a separate message for each RCPT
+; when forwarding.
+one_message_per_rcpt=true
+;
+; uncomment to use smtp client authorization
+;auth_type=plain
+;auth_user=
+;auth_pass=
+
+[test.com]
+host=1.2.3.4
+enable_tls=true
+auth_user=postmaster@test.com
+auth_pass=superDuperSecret
+
+[test1.com]
+host=1.2.3.4
+enable_tls=false
+
+[test2.com]
+host=2.3.4.5

package/test/config/tls/example.com/_.example.com.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCYpxuOx4M2s6sI
+iOEInjet7AcJddg/3uVoqoKRW6iTwAUKnP4CsU1Xe/rMU3wr/UcCs8zzFm7L6/cq
+nbj2Pg1dnEvd5arYFWN59XhWjI6vua2ubZkTwBEEGSgSvwnBGU/9qdrXKTeuq+8C
+BgV+SJzeEAmHEyhCDDT0M9Z1p5TFx0ynkaChy2yjffC2dbiRtK7RAja0I97MmSZL
+ym+bVpY0ucTBNNwSNNh8UhWvWZSvVP92WGd2L72txCyfT333i0u1+SoexnJI7Wvn
+7YUaMNA3HSJ5/JjTW0/rOIZGyrfnjFEs5UmULCs6RZSE0eeEuJVRL+Kd+ncYCMlC
+pmsqeIlHAgMBAAECggEAO0n8LBJVZjOWJDR1opFA8u4PNZ9tpDEATQyctbQx32Df
+FGYxSf5vGaFvoVhzi+pNYEFRQsDdu5okX4ruwcUMD+Wamc6P8mksP7wVRxhEev/U
+80BiCge5FCxpIg7MzRD1voHwG01I8TCaHeEU1R2Cv8TeznWkVzLChm5zxzKVV9Mc
+08eqSxOg6M7wF3RpFpn1sBKch2ZNypu0IU4sP+NlRwxsRs/GBZqnyE/dmqvjHeCg
+izcaji/ev8UdiYqASNZ2zzti9SME8VQebAWb71T6MMic03S9cfA+p3FZbzoYrnbG
+pWf1AEsXiyclf6jaxd7ZV1ho6JbcaGdIPXzHZ5VIsQKBgQDLqg9M2oUBrBjJ31LN
+6OtjvMj9SO5BA5eMS/xC2j5cbb9bn8PV3Lge4IDlRMafZW/FwpAt3S68f81lHi9Y
+KwK7zid8J16XFIEh+E95d0O5WOtdm1EU3T19ky8MbfCEIwcmurUusRZoyCYV/9cX
+1n9pDA3hXZtN1OcoHgOaubc+WwKBgQC/4Uh/KIz11YDcWgSO3Z37vwjh8JTtkjLg
+DHRY0zOR6lzrUh5dT9nNT7TjeNxRk8ypPW5BET7T7NBTsoblN53d/nI2lI/sikg0
+nOzqauXAlAX7s6tI/5LSsGF9OHZaiw7R2+egquIv4zN2Keq3Eq4WbGtcV0jiWFsC
+oaOCXyCshQKBgDh2YCGFX2R0SrcEs9ckIMYY23vk0TCzBzu9ASWjjbBgOLH1G/zZ
+YS4mPXXSWGJuY8tmwkQE0uUtZUsIUEXYPrzETYwM+htWcupxBc998gebkDz2R0dK
+grairGN8wzZO47eoAXz9WWIZQv3MXNxd+hqsXdjB88FjKeakU4l8vUGLAoGAG7/z
+AiDVMgBsoHGMUzUN0giwuixW/Xy1St3CPc5dmO6x/X5k0c3oi97JJFSoWEvtv1QZ
+C+P4mCGZh2E8TQ4cEKzpy6b0oZrmEmXXhZdsHsvJibtUPDxp+Xp0vu1ZgIK34/XP
+q9bK224aVS5+uXdEIg4QAMzGx6VLlDfYM9SaHxkCgYBOXl6pRe6UNhRKCfcbKH5e
+JxwHbIyv2d9cL7yqy2lsYlXPhp7S8ClXChoaP5c6v1wAmY2RwPxP/7a541dzGxG5
+RtUY78HHzKQGyobH55YNTyJq+qEUrP/DH5nhLJNvyV1SO7cpMnIO1p3dvnYawVzW
+q+4Yrrdi6tWFPXnjWTGSjw==
+-----END PRIVATE KEY-----

package/test/config/tls/example.com/example.com.crt

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEMTCCAxmgAwIBAgIUel2F7YVWKevz0bTFV4mbjr6ZWbIwDQYJKoZIhvcNAQEL
+BQAwgaYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
+DAdTZWF0dGxlMR0wGwYDVQQKDBRFeGFtcGxlIFdpZGdldHMgSW5jLjETMBEGA1UE
+CwwKRW1haWwgVGVhbTEWMBQGA1UEAwwNKi5leGFtcGxlLmNvbTEkMCIGCSqGSIb3
+DQEJARYVaGFyYWthLm1haWxAZ21haWwuY29tMCAXDTI0MDUwMjE4MzMwMVoYDzIw
+NTEwOTE3MTgzMzAxWjCBpjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0
+b24xEDAOBgNVBAcMB1NlYXR0bGUxHTAbBgNVBAoMFEV4YW1wbGUgV2lkZ2V0cyBJ
+bmMuMRMwEQYDVQQLDApFbWFpbCBUZWFtMRYwFAYDVQQDDA0qLmV4YW1wbGUuY29t
+MSQwIgYJKoZIhvcNAQkBFhVoYXJha2EubWFpbEBnbWFpbC5jb20wggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYpxuOx4M2s6sIiOEInjet7AcJddg/3uVo
+qoKRW6iTwAUKnP4CsU1Xe/rMU3wr/UcCs8zzFm7L6/cqnbj2Pg1dnEvd5arYFWN5
+9XhWjI6vua2ubZkTwBEEGSgSvwnBGU/9qdrXKTeuq+8CBgV+SJzeEAmHEyhCDDT0
+M9Z1p5TFx0ynkaChy2yjffC2dbiRtK7RAja0I97MmSZLym+bVpY0ucTBNNwSNNh8
+UhWvWZSvVP92WGd2L72txCyfT333i0u1+SoexnJI7Wvn7YUaMNA3HSJ5/JjTW0/r
+OIZGyrfnjFEs5UmULCs6RZSE0eeEuJVRL+Kd+ncYCMlCpmsqeIlHAgMBAAGjUzBR
+MB0GA1UdDgQWBBSuPzKGYEvrv9ZuBlSbpgUYG2/gSjAfBgNVHSMEGDAWgBSuPzKG
+YEvrv9ZuBlSbpgUYG2/gSjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4IBAQCCqek5MhytpmmEjVHxfSrbSBJQ63oDa1AllqpDduWCcZZE60zOZOfrGGRO
+A/JUXlJL5otPuxxJX65dJU57Y+ONbGVp9sFOT2bGrL+uwsqS7L+XyUz281sfgO0o
+wsVZq6NyBVaMvtD5ViXPTZslcIZWygcvDVaUEyQ4ri8wqXNQeCNZiZikfM4U03oH
+9kgW/4IuW28Utmnt9f8vPR5XTHURX20p3Q0xhM74mZRtmldwyO3grfe25S7ZOZ5W
+TFuLfxuftJNl5t1w5CdTZre7BYzbWA+Jg34eNWMiHkHE3lVMCLMqZFb8FY0TOLxw
+7YZFDrLYrA2G/alivbHs7ipj6D7i
+-----END CERTIFICATE-----