haraka 0.0.33 → 3.3.0

package/plugins/auth/auth_base.js

@@ -0,0 +1,261 @@
+// Base authentication plugin.
+// This cannot be used on its own. You need to inherit from it.
+// See plugins/auth/flat_file.js for an example.
+
+// Note: You can disable setting `connection.notes.auth_passwd` by `plugin.blankout_password = true`
+
+const crypto = require('node:crypto')
+
+const tlds = require('haraka-tld')
+const utils = require('haraka-utils')
+
+const AUTH_COMMAND = 'AUTH'
+const AUTH_METHOD_CRAM_MD5 = 'CRAM-MD5'
+const AUTH_METHOD_PLAIN = 'PLAIN'
+const AUTH_METHOD_LOGIN = 'LOGIN'
+const LOGIN_STRING1 = 'VXNlcm5hbWU6' //Username: base64 coded
+const LOGIN_STRING2 = 'UGFzc3dvcmQ6' //Password: base64 coded
+
+exports.hook_capabilities = (next, connection) => {
+    // Don't offer AUTH capabilities unless session is encrypted
+    if (!connection.tls.enabled) return next()
+
+    const methods = ['PLAIN', 'LOGIN', 'CRAM-MD5']
+    connection.capabilities.push(`AUTH ${methods.join(' ')}`)
+    connection.notes.allowed_auth_methods = methods
+    next()
+}
+
+// Override this at a minimum. Run cb(passwd) to provide a password.
+exports.get_plain_passwd = (user, connection, cb) => cb()
+
+exports.hook_unrecognized_command = function (next, connection, params) {
+    if (params[0].toUpperCase() === AUTH_COMMAND && params[1]) {
+        return this.select_auth_method(next, connection, params.slice(1).join(' '))
+    }
+    if (!connection.notes.authenticating) return next()
+
+    const am = connection.notes.auth_method
+    if (am === AUTH_METHOD_CRAM_MD5 && connection.notes.auth_ticket) {
+        return this.auth_cram_md5(next, connection, params)
+    }
+    if (am === AUTH_METHOD_LOGIN) {
+        return this.auth_login(next, connection, params)
+    }
+    if (am === AUTH_METHOD_PLAIN) {
+        return this.auth_plain(next, connection, params)
+    }
+    next()
+}
+
+exports.check_plain_passwd = function (connection, user, passwd, cb) {
+    function callback(plain_pw) {
+        cb(plain_pw === null ? false : plain_pw === passwd)
+    }
+    if (this.get_plain_passwd.length == 2) {
+        this.get_plain_passwd(user, callback)
+    } else if (this.get_plain_passwd.length == 3) {
+        this.get_plain_passwd(user, connection, callback)
+    } else {
+        throw 'Invalid number of arguments for get_plain_passwd'
+    }
+}
+
+exports.check_cram_md5_passwd = function (connection, user, passwd, cb) {
+    function callback(plain_pw) {
+        if (plain_pw == null) return cb(false)
+
+        const hmac = crypto.createHmac('md5', plain_pw.toString())
+        hmac.update(connection.notes.auth_ticket)
+
+        if (hmac.digest('hex') === passwd) return cb(true)
+
+        cb(false)
+    }
+    if (this.get_plain_passwd.length == 2) {
+        this.get_plain_passwd(user, callback)
+    } else if (this.get_plain_passwd.length == 3) {
+        this.get_plain_passwd(user, connection, callback)
+    } else {
+        throw 'Invalid number of arguments for get_plain_passwd'
+    }
+}
+
+exports.check_user = function (next, connection, credentials, method) {
+    const plugin = this
+    connection.notes.authenticating = false
+    if (!(credentials[0] && credentials[1])) {
+        connection.respond(504, 'Invalid AUTH string', () => {
+            connection.reset_transaction(() => next(OK))
+        })
+        return
+    }
+
+    // valid: (true|false)
+    // opts: ({ message, code }|String)
+    function passwd_ok(valid, opts) {
+        const status_code = (typeof opts === 'object' && opts.code) || (valid ? 235 : 535)
+        const status_message =
+            (typeof opts === 'object' ? opts.message : opts) ||
+            (valid ? '2.7.0 Authentication successful' : '5.7.8 Authentication failed')
+
+        // The AUTH username is attacker-controlled (base64-decoded). Strip
+        // control chars before it is stored in notes or emitted into the
+        // Authentication-Results header (header injection).
+        // eslint-disable-next-line no-control-regex
+        const safe_user = String(credentials[0] ?? '').replace(/[\x00-\x1f\x7f]/g, '')
+
+        if (valid) {
+            connection.relaying = true
+            connection.results.add({ name: 'relay' }, { pass: plugin.name })
+
+            connection.results.add(
+                { name: 'auth' },
+                {
+                    pass: plugin.name,
+                    method,
+                    user: safe_user,
+                },
+            )
+
+            connection.respond(status_code, status_message, () => {
+                connection.authheader = '(authenticated bits=0)\n'
+                connection.auth_results(`auth=pass (${method.toLowerCase()})`)
+                connection.notes.auth_user = safe_user
+                if (!plugin.blankout_password) connection.notes.auth_passwd = credentials[1]
+                next(OK)
+            })
+            return
+        }
+
+        if (!connection.notes.auth_fails) connection.notes.auth_fails = 0
+
+        connection.notes.auth_fails++
+        connection.results.add({ name: 'auth' }, { fail: `${plugin.name}/${method}` })
+
+        let delay = Math.pow(2, connection.notes.auth_fails - 1)
+        if (plugin.timeout && delay >= plugin.timeout) {
+            delay = plugin.timeout - 1
+        }
+        connection.lognotice(plugin, `delaying for ${delay} seconds`)
+        // here we include the username, as shown in RFC 5451 example
+        connection.auth_results(`auth=fail (${method.toLowerCase()}) smtp.auth=${safe_user}`)
+        setTimeout(() => {
+            connection.respond(status_code, status_message, () => {
+                connection.reset_transaction(() => next(OK))
+            })
+        }, delay * 1000)
+    }
+
+    if (method === AUTH_METHOD_PLAIN || method === AUTH_METHOD_LOGIN) {
+        plugin.check_plain_passwd(connection, credentials[0], credentials[1], passwd_ok)
+    } else if (method === AUTH_METHOD_CRAM_MD5) {
+        plugin.check_cram_md5_passwd(connection, credentials[0], credentials[1], passwd_ok)
+    }
+}
+
+exports.select_auth_method = function (next, connection, method) {
+    const split = method.split(/\s+/)
+    method = split.shift().toUpperCase()
+    if (!connection.notes.allowed_auth_methods) return next()
+    if (!connection.notes.allowed_auth_methods.includes(method)) return next()
+
+    if (connection.notes.authenticating) return next(DENYDISCONNECT, 'bad protocol')
+
+    connection.notes.authenticating = true
+    connection.notes.auth_method = method
+
+    if (method === AUTH_METHOD_PLAIN) return this.auth_plain(next, connection, split)
+    if (method === AUTH_METHOD_LOGIN) return this.auth_login(next, connection, split)
+    if (method === AUTH_METHOD_CRAM_MD5) return this.auth_cram_md5(next, connection)
+}
+
+exports.auth_plain = function (next, connection, params) {
+    // one parameter given on line, either:
+    //    AUTH PLAIN <param> or
+    //    AUTH PLAIN\n
+    //...
+    //    <param>
+    if (params[0]) {
+        const credentials = utils.unbase64(params[0]).split(/\0/)
+        credentials.shift() // Discard authid
+        this.check_user(next, connection, credentials, AUTH_METHOD_PLAIN)
+        return
+    }
+
+    if (connection.notes.auth_plain_asked_login) {
+        return next(DENYDISCONNECT, 'bad protocol')
+    }
+
+    connection.respond(334, ' ', () => {
+        connection.notes.auth_plain_asked_login = true
+        next(OK)
+    })
+}
+
+exports.auth_login = function (next, connection, params) {
+    if (
+        (!connection.notes.auth_login_asked_login && params[0]) ||
+        (connection.notes.auth_login_asked_login && !connection.notes.auth_login_userlogin)
+    ) {
+        if (!params[0]) return next(DENYDISCONNECT, 'bad protocol')
+
+        const login = utils.unbase64(params[0])
+        connection.respond(334, LOGIN_STRING2, () => {
+            connection.notes.auth_login_userlogin = login
+            connection.notes.auth_login_asked_login = true
+            next(OK)
+        })
+        return
+    }
+
+    if (connection.notes.auth_login_userlogin) {
+        const credentials = [connection.notes.auth_login_userlogin, utils.unbase64(params[0])]
+
+        connection.notes.auth_login_userlogin = null
+        connection.notes.auth_login_asked_login = false
+
+        return this.check_user(next, connection, credentials, AUTH_METHOD_LOGIN)
+    }
+
+    connection.respond(334, LOGIN_STRING1, () => {
+        connection.notes.auth_login_asked_login = true
+        next(OK)
+    })
+}
+
+exports.auth_cram_md5 = function (next, connection, params) {
+    if (params) {
+        const credentials = utils.unbase64(params[0]).split(' ')
+        return this.check_user(next, connection, credentials, AUTH_METHOD_CRAM_MD5)
+    }
+
+    const ticket = `<${this.hexi(Math.floor(Math.random() * 1000000))}.${this.hexi(Date.now())}@${connection.local.host}>`
+
+    connection.loginfo(this, `ticket: ${ticket}`)
+    connection.respond(334, utils.base64(ticket), () => {
+        connection.notes.auth_ticket = ticket
+        next(OK)
+    })
+}
+
+exports.hexi = (number) => String(Math.abs(parseInt(number)).toString(16))
+
+exports.constrain_sender = function (next, connection, params) {
+    if (this?.cfg?.main?.constrain_sender === false) return next()
+
+    const au = connection.results.get('auth')?.user
+    if (!au) return next()
+
+    const ad = /@/.test(au) ? au.split('@').pop() : null
+    const ed = params[0].host
+
+    if (!ad || !ed) return next()
+
+    const auth_od = tlds.get_organizational_domain(ad)
+    const envelope_od = tlds.get_organizational_domain(ed)
+
+    if (auth_od === envelope_od) return next()
+
+    next(DENY, `Envelope domain '${envelope_od}' doesn't match AUTH domain '${auth_od}'`)
+}

package/plugins/auth/auth_bridge.js

@@ -0,0 +1,20 @@
+// Bridge AUTH requests to SMTP server
+
+exports.register = function () {
+    this.inherits('auth/auth_proxy')
+    this.load_flat_ini()
+}
+
+exports.load_flat_ini = function () {
+    this.cfg = this.config.get('smtp_bridge.ini', () => {
+        this.load_flat_ini()
+    })
+}
+
+exports.check_plain_passwd = function (connection, user, passwd, cb) {
+    let { host } = this.cfg.main
+    if (this.cfg.main.port) {
+        host = `${host}:${this.cfg.main.port}`
+    }
+    this.try_auth_proxy(connection, host, user, passwd, cb)
+}

package/plugins/auth/auth_proxy.js

@@ -0,0 +1,227 @@
+// Proxy AUTH requests selectively by domain
+
+const utils = require('haraka-utils')
+const net_utils = require('haraka-net-utils')
+
+const tls_socket = require('./tls_socket')
+
+const smtp_regexp = /^(\d{3})([ -])(.*)/
+
+exports.register = function () {
+    this.inherits('auth/auth_base')
+    this.load_tls_ini()
+}
+
+exports.load_tls_ini = function () {
+    this.tls_cfg = this.config.get('tls.ini', () => {
+        this.load_tls_ini()
+    })
+}
+
+exports.hook_capabilities = (next, connection) => {
+    if (connection.tls.enabled) {
+        const methods = ['PLAIN', 'LOGIN']
+        connection.capabilities.push(`AUTH ${methods.join(' ')}`)
+        connection.notes.allowed_auth_methods = methods
+    }
+    next()
+}
+
+exports.check_plain_passwd = function (connection, user, passwd, cb) {
+    let domain = /@([^@]+)$/.exec(user)
+    if (domain) {
+        domain = domain[1].toLowerCase()
+    } else {
+        // AUTH user not in user@domain.com format
+        connection.logerror(this, `AUTH user="${user}" error="not in required format"`)
+        return cb(false)
+    }
+
+    // Check if domain exists in configuration file
+    const config = this.config.get('auth_proxy.ini')
+    if (!config.domains[domain]) {
+        connection.logerror(this, `AUTH user="${user}" error="domain '${domain}' is not defined"`)
+        return cb(false)
+    }
+
+    this.try_auth_proxy(connection, config.domains[domain].split(/[,; ]/), user, passwd, cb)
+}
+
+exports.try_auth_proxy = function (connection, hosts, user, passwd, cb) {
+    if (!hosts || (hosts && !hosts.length)) return cb(false)
+    if (typeof hosts !== 'object') {
+        hosts = [hosts]
+    }
+
+    const self = this
+    const ep = net_utils.endpoint(hosts.shift(), 25)
+    if (ep instanceof Error) {
+        connection.logerror(this, `invalid host: ${ep.message}`)
+        return this.try_auth_proxy(connection, hosts, user, passwd, cb)
+    }
+    const { host, port } = ep
+    let methods = []
+    let auth_complete = false
+    let auth_success = false
+    let command = 'connect'
+    let response = []
+    let secure = false
+
+    const socket = tls_socket.connect({ host, port })
+    net_utils.add_line_processor(socket)
+    connection.logdebug(this, `attempting connection to host=${host} port=${port}`)
+    socket.setTimeout(30 * 1000)
+    socket.on('connect', () => {})
+    socket.on('close', () => {
+        if (!auth_complete) {
+            // Try next host
+            return this.try_auth_proxy(connection, hosts, user, passwd, cb)
+        }
+        connection.loginfo(this, `AUTH user="${user}" host="${host}" success=${auth_success}`)
+        cb(auth_success)
+    })
+    socket.on('timeout', () => {
+        connection.logerror(this, 'connection timed out')
+        socket.end()
+        // Try next host
+        this.try_auth_proxy(connection, hosts, user, passwd, cb)
+    })
+    socket.on('error', (err) => {
+        connection.logerror(this, `connection failed to host ${host}: ${err}`)
+        socket.end()
+    })
+    socket.send_command = function (cmd, data) {
+        let line = cmd + (data ? ` ${data}` : '')
+        if (cmd === 'dot') {
+            line = '.'
+        }
+        // Don't leak proxied SASL credentials (AUTH PLAIN <base64>) to logs
+        const safe = line.replace(/^(AUTH\s+\S+\s+).+$/i, '$1[redacted]')
+        connection.logprotocol(self, `C: ${safe}`)
+        command = cmd.toLowerCase()
+        this.write(`${line}\r\n`)
+        // Clear response buffer from previous command
+        response = []
+    }
+    socket.on('line', function (line) {
+        connection.logprotocol(self, `S: ${line}`)
+        const matches = smtp_regexp.exec(line)
+        if (!matches) {
+            connection.logerror(self, `unrecognised response: ${line}`)
+            socket.end()
+            return
+        }
+
+        const code = matches[1]
+        const cont = matches[2]
+        const rest = matches[3]
+        response.push(rest)
+        if (cont !== ' ') return
+
+        let key
+        let cert
+
+        connection.logdebug(self, `command state: ${command}`)
+        if (command === 'ehlo') {
+            if (code.startsWith('5')) {
+                // EHLO command rejected; abort
+                socket.send_command('QUIT')
+                return
+            }
+            // Parse CAPABILITIES
+            for (const i in response) {
+                if (/^STARTTLS/.test(response[i])) {
+                    if (secure) continue // silly remote, we've already upgraded
+                    // Opportunistic TLS: a client does not need its own
+                    // certificate to negotiate TLS, so always STARTTLS when
+                    // the backend offers it. The local key/cert are only
+                    // attached if configured (mutual TLS), not required.
+                    /* eslint no-useless-assignment: 0 */
+                    key = self.config.get(self.tls_cfg.main.key || 'tls_key.pem', 'binary')
+                    cert = self.config.get(self.tls_cfg.main.cert || 'tls_cert.pem', 'binary')
+                    this.on('secure', () => {
+                        if (secure) return
+                        secure = true
+                        socket.send_command('EHLO', connection.local.host)
+                    })
+                    socket.send_command('STARTTLS')
+                    return
+                } else if (/^AUTH /.test(response[i])) {
+                    // Parse supported AUTH methods
+                    const parse = /^AUTH (.+)$/.exec(response[i])
+                    methods = parse[1].split(/\s+/)
+                    connection.logdebug(self, `found supported AUTH methods: ${methods}`)
+                    // Prefer PLAIN as it's easiest
+                    if (methods.includes('PLAIN')) {
+                        socket.send_command('AUTH', `PLAIN ${utils.base64(`\0${user}\0${passwd}`)}`)
+                        return
+                    } else if (methods.includes('LOGIN')) {
+                        socket.send_command('AUTH', 'LOGIN')
+                        return
+                    } else {
+                        // No compatible methods; abort...
+                        connection.logdebug(self, 'no compatible AUTH methods')
+                        socket.send_command('QUIT')
+                        return
+                    }
+                }
+            }
+        }
+        if (command === 'auth') {
+            // Handle LOGIN
+            if (code.startsWith('3') && response[0] === 'VXNlcm5hbWU6') {
+                // Write to the socket directly to keep the state at 'auth'
+                this.write(`${utils.base64(user)}\r\n`)
+                response = []
+                return
+            } else if (code.startsWith('3') && response[0] === 'UGFzc3dvcmQ6') {
+                this.write(`${utils.base64(passwd)}\r\n`)
+                response = []
+                return
+            }
+            if (code.startsWith('5')) {
+                // Initial attempt failed; strip domain and retry.
+                const u = /^([^@]+)@.+$/.exec(user)
+                if (u) {
+                    user = u[1]
+                    if (methods.includes('PLAIN')) {
+                        socket.send_command('AUTH', `PLAIN ${utils.base64(`\0${user}\0${passwd}`)}`)
+                    } else if (methods.includes('LOGIN')) {
+                        socket.send_command('AUTH', 'LOGIN')
+                    }
+                    return
+                } else {
+                    // Don't attempt any other hosts
+                    auth_complete = true
+                }
+            }
+        }
+        if (/^[345]/.test(code)) {
+            // Got an unhandled error
+            connection.logdebug(self, `error: ${line}`)
+            socket.send_command('QUIT')
+            return
+        }
+        switch (command) {
+            case 'starttls':
+                this.upgrade({ key, cert })
+                break
+            case 'connect':
+                socket.send_command('EHLO', connection.local.host)
+                break
+            case 'auth':
+                // AUTH was successful
+                auth_complete = true
+                auth_success = true
+                socket.send_command('QUIT')
+                break
+            case 'ehlo':
+            case 'helo':
+            case 'quit':
+                socket.end()
+                break
+            default:
+                throw new Error(`[auth/auth_proxy] unknown command: ${command}`)
+        }
+    })
+}

package/plugins/auth/auth_vpopmaild.js

@@ -0,0 +1,162 @@
+// Auth against vpopmaild
+
+const net = require('node:net')
+
+exports.register = function () {
+    this.inherits('auth/auth_base')
+    this.blankout_password = true
+
+    this.load_vpopmaild_ini()
+
+    if (this.cfg.main.constrain_sender) {
+        this.register_hook('mail', 'constrain_sender')
+    }
+}
+
+exports.load_vpopmaild_ini = function () {
+    this.cfg = this.config.get(
+        'auth_vpopmaild.ini',
+        {
+            booleans: ['+main.constrain_sender'],
+        },
+        () => {
+            this.load_vpopmaild_ini()
+        },
+    )
+}
+
+exports.hook_capabilities = function (next, connection) {
+    if (!connection.tls.enabled) return next()
+
+    const methods = ['PLAIN', 'LOGIN']
+    if (this.cfg.main.sysadmin) methods.push('CRAM-MD5')
+
+    connection.capabilities.push(`AUTH ${methods.join(' ')}`)
+    connection.notes.allowed_auth_methods = methods
+
+    next()
+}
+
+exports.check_plain_passwd = function (connection, user, passwd, cb) {
+    let chunk_count = 0
+    let auth_success = false
+
+    const socket = this.get_vpopmaild_socket(user)
+    socket.setEncoding('utf8')
+
+    socket.on('data', (chunk) => {
+        chunk_count++
+        if (chunk_count === 1) {
+            if (/^\+OK/.test(chunk)) {
+                socket.write(`slogin ${user} ${passwd}\n\r`)
+                return
+            }
+            socket.end()
+        }
+        if (chunk_count === 2) {
+            if (/^\+OK/.test(chunk)) {
+                // slogin reply
+                auth_success = true
+                socket.write('quit\n\r')
+            }
+            socket.end() // disconnect
+        }
+    })
+
+    socket.on('end', () => {
+        connection.loginfo(this, `AUTH user="${user}" success=${auth_success}`)
+        cb(auth_success)
+    })
+}
+
+exports.get_sock_opts = function (user) {
+    this.sock_opts = {
+        port: 89,
+        host: '127.0.0.1',
+        sysadmin: undefined,
+    }
+
+    const domain = user.split('@')[1]
+    let sect = this.cfg.main
+    if (domain && this.cfg[domain]) sect = this.cfg[domain]
+
+    if (sect.port) this.sock_opts.port = sect.port
+    if (sect.host) this.sock_opts.host = sect.host
+    if (sect.sysadmin) this.sock_opts.sysadmin = sect.sysadmin
+
+    this.logdebug(`sock: ${this.sock_opts.host}:${this.sock_opts.port}`)
+    return this.sock_opts
+}
+
+exports.get_vpopmaild_socket = function (user) {
+    this.get_sock_opts(user)
+
+    const socket = new net.Socket()
+    socket.connect(this.sock_opts.port, this.sock_opts.host)
+    socket.setTimeout(300 * 1000)
+    socket.setEncoding('utf8')
+
+    socket.on('timeout', () => {
+        this.logerror('vpopmaild connection timed out')
+        socket.end()
+    })
+    socket.on('error', (err) => {
+        this.logerror(`vpopmaild connection failed: ${err}`)
+        socket.end()
+    })
+    socket.on('connect', () => {
+        this.logdebug('vpopmail connected')
+    })
+    return socket
+}
+
+exports.get_plain_passwd = function (user, connection, cb) {
+    const socket = this.get_vpopmaild_socket(user)
+    if (!this.sock_opts.sysadmin) {
+        this.logerror('missing sysadmin credentials')
+        return cb(null)
+    }
+
+    const sys = this.sock_opts.sysadmin.split(':')
+    let plain_pass = null
+    let chunk_count = 0
+
+    socket.on('data', (chunk) => {
+        chunk_count++
+        this.logdebug(`${chunk_count}\t${chunk}`)
+        if (chunk_count === 1) {
+            if (/^\+OK/.test(chunk)) {
+                socket.write(`slogin ${sys[0]} ${sys[1]}\n\r`)
+                return
+            }
+            this.logerror('no ok to start')
+            socket.end() // disconnect
+        }
+        // slogin reply
+        if (chunk_count === 2) {
+            if (/^\+OK/.test(chunk)) {
+                this.logdebug('login success, getting user info')
+                socket.write(`user_info ${user}\n\r`)
+                return
+            }
+            this.logerror('syadmin login failed')
+            socket.end() // disconnect
+        }
+        if (chunk_count > 2) {
+            if (/^-ERR/.test(chunk)) {
+                this.lognotice(`get_plain failed: ${chunk}`)
+                socket.end() // disconnect
+                return
+            }
+            if (!/clear_text_password/.test(chunk)) {
+                return // pass might be in the next chunk
+            }
+            const pass = chunk.match(/clear_text_password\s(\S+)\s/)
+            plain_pass = pass[1]
+            socket.write('quit\n\r')
+        }
+    })
+    socket.on('end', () => {
+        cb(plain_pass ? plain_pass.toString() : plain_pass)
+    })
+}