haraka 0.0.33 → 3.3.0

package/plugins/auth/flat_file.js

@@ -0,0 +1,44 @@
+// Auth against a flat file
+
+exports.register = function () {
+    this.inherits('auth/auth_base')
+    this.load_flat_ini()
+
+    if (this.cfg.core.constrain_sender) {
+        this.register_hook('mail', 'constrain_sender')
+    }
+}
+
+exports.load_flat_ini = function () {
+    this.cfg = this.config.get(
+        'auth_flat_file.ini',
+        {
+            booleans: ['+core.constrain_sender'],
+        },
+        () => {
+            this.load_flat_ini()
+        },
+    )
+
+    if (this.cfg.users === undefined) this.cfg.users = {}
+}
+
+exports.hook_capabilities = function (next, connection) {
+    if (!connection.remote.is_private && !connection.tls.enabled) {
+        connection.logdebug(this, 'Auth disabled for insecure public connection')
+        return next()
+    }
+
+    const methods = this.cfg.core?.methods ? this.cfg.core.methods.split(',') : null
+    if (methods && methods.length > 0) {
+        connection.capabilities.push(`AUTH ${methods.join(' ')}`)
+        connection.notes.allowed_auth_methods = methods
+    }
+    next()
+}
+
+exports.get_plain_passwd = function (user, connection, cb) {
+    if (this.cfg.users[user]) return cb(this.cfg.users[user].toString())
+
+    cb()
+}

package/plugins/block_me.js

@@ -0,0 +1,88 @@
+// Plugin which registers mail received to a certain address
+// and extracts a From: address from the mail and puts that address
+// in the mail_from.blocklist file. You need to be running the
+// mail_from.blocklist plugin for this to work fully.
+
+const fs = require('node:fs')
+const path = require('node:path')
+const utils = require('haraka-utils')
+
+exports.hook_data = (next, connection) => {
+    // enable mail body parsing
+    connection.transaction.parse_body = true
+    next()
+}
+
+exports.hook_data_post = function (next, connection) {
+    if (!connection?.relaying || !connection?.transaction) return next()
+
+    const recip = (this.config.get('block_me.recipient') || '').toLowerCase()
+    const senders = this.config.get('block_me.senders', 'list')
+
+    // Make sure only 1 recipient
+    if (connection.transaction.rcpt_to.length != 1) {
+        return next()
+    }
+
+    // Check recipient is the right one
+    if (connection.transaction.rcpt_to[0].address.toLowerCase() != recip) {
+        return next()
+    }
+
+    // Check sender is in list
+    const sender = connection.transaction.mail_from.address
+    if (!utils.in_array(sender, senders)) {
+        return next(DENY, `You are not allowed to block mail, ${sender}`)
+    }
+
+    // Now extract the "From" from the body...
+    const to_block = extract_from_line(connection.transaction.body)
+    if (!to_block) {
+        connection.logerror(this, 'No sender found in email')
+        return next()
+    }
+
+    connection.loginfo(this, `Blocking new sender: ${to_block}`)
+
+    connection.transaction.notes.block_me = 1
+
+    // add to mail_from.blocklist, in the same config dir the plugin reads from
+    const blocklist = path.join(this.config.root_path, 'mail_from.blocklist')
+    fs.open(blocklist, 'a', (err, fd) => {
+        if (err) {
+            connection.logerror(this, `Unable to append to mail_from.blocklist: ${err}`)
+            return
+        }
+        fs.write(fd, `${to_block}\n`, null, 'UTF-8', () => {
+            fs.close(fd)
+        })
+    })
+
+    next()
+}
+
+exports.hook_queue = (next, connection) => {
+    if (connection.transaction.notes.block_me) {
+        // pretend we queued this mail
+        return next(OK)
+    }
+
+    next()
+}
+
+// Example: From: 	Site Tucano Gold <contato@tucanogold.com.br>
+function extract_from_line(body) {
+    const matches = body.bodytext.match(/\bFrom:[^<\n]*<([^>\n]*)>/)
+    if (matches) {
+        return matches[1]
+    }
+
+    for (let i = 0, l = body.children.length; i < l; i++) {
+        const from = extract_from_line(body.children[i])
+        if (from) {
+            return from
+        }
+    }
+
+    return null
+}

package/plugins/data.signatures.js

@@ -0,0 +1,30 @@
+'use strict'
+// Simple string signatures
+
+exports.hook_data = (next, connection) => {
+    // enable mail body parsing
+    if (connection?.transaction) connection.transaction.parse_body = true
+    next()
+}
+
+exports.hook_data_post = function (next, connection) {
+    if (!connection?.transaction) return next()
+
+    const sigs = this.config.get('data.signatures', 'list')
+
+    if (check_sigs(sigs, connection.transaction.body)) {
+        return next(DENY, 'Mail matches a known spam signature')
+    }
+    next()
+}
+
+function check_sigs(sigs, body) {
+    for (let i = 0, l = sigs.length; i < l; i++) {
+        if (body.bodytext.includes(sigs[i])) return 1
+    }
+
+    for (let i = 0, l = body.children.length; i < l; i++) {
+        if (check_sigs(sigs, body.children[i])) return 1
+    }
+    return 0
+}

package/plugins/delay_deny.js

@@ -0,0 +1,153 @@
+/*
+ ** delay_deny
+ **
+ ** This plugin delays all pre-DATA 'deny' results until the recipients are sent
+ ** and all post-DATA commands until all hook_data_post plugins have run.
+ ** This allows relays and authenticated users to bypass pre-DATA rejections.
+ */
+
+exports.hook_deny = function (next, connection, params) {
+    /* params
+     ** [0] = plugin return value (DENY or DENYSOFT)
+     ** [1] = plugin return message
+     */
+
+    const pi_name = params[2]
+    const pi_function = params[3]
+    // var pi_params   = params[4];
+    const pi_hook = params[5]
+
+    const { transaction } = connection
+
+    // Don't delay ourselves...
+    if (pi_name == 'delay_deny') return next()
+
+    // Load config
+    const cfg = this.config.get('delay_deny.ini')
+    let skip
+    let included
+    if (cfg.main.included_plugins) {
+        included = cfg.main.included_plugins.split(/[;, ]+/)
+    } else if (cfg.main.excluded_plugins) {
+        skip = cfg.main.excluded_plugins.split(/[;, ]+/)
+    }
+
+    // 'included' mode: only delay deny plugins in the included list
+    if (included?.length) {
+        if (
+            !included.includes(pi_name) &&
+            !included.includes(`${pi_name}:${pi_hook}`) &&
+            !included.includes(`${pi_name}:${pi_hook}:${pi_function}`)
+        ) {
+            return next()
+        }
+    } else if (skip?.length) {
+        // 'excluded' mode: delay deny everything except in skip list
+        // Skip by <plugin name>
+        if (skip.includes(pi_name)) {
+            connection.logdebug(this, `not delaying excluded plugin: ${pi_name}`)
+            return next()
+        }
+        // Skip by <plugin name>:<hook>
+        if (skip.includes(`${pi_name}:${pi_hook}`)) {
+            connection.logdebug(this, `not delaying excluded hook: ${pi_hook} in plugin: ${pi_name}`)
+            return next()
+        }
+        // Skip by <plugin name>:<hook>:<function name>
+        if (skip.includes(`${pi_name}:${pi_hook}:${pi_function}`)) {
+            connection.logdebug(
+                this,
+                `not delaying excluded function: ${pi_function} on hook: ${pi_hook} in plugin: ${pi_name}`,
+            )
+            return next()
+        }
+    }
+
+    switch (pi_hook) {
+        // Pre-DATA connection delays
+        case 'lookup_rdns':
+        case 'connect':
+        case 'ehlo':
+        case 'helo':
+            if (!connection.notes.delay_deny_pre) {
+                connection.notes.delay_deny_pre = []
+            }
+            connection.notes.delay_deny_pre.push(params)
+            if (!connection.notes.delay_deny_pre_fail) {
+                connection.notes.delay_deny_pre_fail = {}
+            }
+            connection.notes.delay_deny_pre_fail[pi_name] = 1
+            return next(OK)
+        // Pre-DATA transaction delays
+        case 'mail':
+        case 'rcpt':
+        case 'rcpt_ok':
+            if (!transaction.notes.delay_deny_pre) {
+                transaction.notes.delay_deny_pre = []
+            }
+            transaction.notes.delay_deny_pre.push(params)
+            if (!transaction.notes.delay_deny_pre_fail) {
+                transaction.notes.delay_deny_pre_fail = {}
+            }
+            transaction.notes.delay_deny_pre_fail[pi_name] = 1
+            return next(OK)
+        // Post-DATA delays
+        case 'data':
+        case 'data_post':
+        // fall through
+        default:
+            // No delays
+            next()
+    }
+}
+
+exports.hook_rcpt_ok = function (next, connection) {
+    const transaction = connection?.transaction
+    if (!transaction) return next()
+
+    // Bypass all pre-DATA deny for AUTH/RELAY
+    if (connection.relaying) {
+        connection.loginfo(this, 'bypassing all pre-DATA deny: AUTH/RELAY')
+        return next()
+    }
+
+    // Apply any delayed rejections
+    // Check connection level pre-DATA rejections first
+    if (connection.notes?.delay_deny_pre) {
+        for (const params of connection.notes.delay_deny_pre) {
+            return next(params[0], params[1])
+        }
+    }
+
+    // Then check transaction level pre-DATA
+    if (transaction.notes?.delay_deny_pre) {
+        for (let i = 0; i < transaction.notes.delay_deny_pre.length; i++) {
+            const params = transaction.notes.delay_deny_pre[i]
+
+            // Remove rejection from the array if it was on the rcpt hooks
+            if (params[5] === 'rcpt' || params[5] === 'rcpt_ok') {
+                transaction.notes.delay_deny_pre.splice(i, 1)
+            }
+
+            return next(params[0], params[1])
+        }
+    }
+    next()
+}
+
+exports.hook_data = (next, connection) => {
+    const transaction = connection?.transaction
+    if (!transaction) return next()
+
+    // Add a header showing all pre-DATA rejections
+    const fails = []
+    if (connection.notes?.delay_deny_pre_fail) {
+        fails.push.apply(Object.keys(connection.notes.delay_deny_pre_fail))
+    }
+    if (transaction.notes?.delay_deny_pre_fail) {
+        fails.push.apply(Object.keys(transaction.notes.delay_deny_pre_fail))
+    }
+    if (fails.length) transaction.add_header('X-Haraka-Fail-Pre', fails.join(' '))
+
+    next()
+}

package/plugins/prevent_credential_leaks.js

@@ -0,0 +1,61 @@
+// Prevent a user from sending their AUTH credentials
+// This is a simple, primitive form of anti-phishing.
+
+function escapeRegExp(str) {
+    return str.replace(/[-[\]/{}()*+?.\\^$|]/g, '\\$&')
+}
+
+exports.hook_data = (next, connection) => {
+    const { notes, transaction } = connection ?? {}
+
+    if (transaction && notes?.auth_user && notes.auth_passwd) {
+        transaction.parse_body = true
+    }
+    next()
+}
+
+exports.hook_data_post = (next, connection) => {
+    if (!(connection.notes.auth_user && connection.notes.auth_passwd)) {
+        return next()
+    }
+
+    let user = connection.notes.auth_user
+    let domain
+    const idx = user.indexOf('@')
+    if (idx > 0) {
+        // If the username is qualified (e.g. user@domain.com)
+        // then we make the @domain.com part optional in the regexp.
+        // (idx === -1 is "no @"; idx === 0 is a leading @ — neither is
+        // a qualified user@domain, so don't split.)
+        domain = user.substring(idx)
+        user = user.substring(0, idx)
+    }
+    const passwd = connection.notes.auth_passwd
+    const bound_regexp = '(?:\\b|\\B)'
+    const passwd_regexp = new RegExp(bound_regexp + escapeRegExp(passwd) + bound_regexp, 'm')
+    const user_regexp = new RegExp(
+        bound_regexp + escapeRegExp(user) + (domain ? `(?:${escapeRegExp(domain)})?` : '') + bound_regexp,
+        'im',
+    )
+
+    if (look_for_credentials(user_regexp, passwd_regexp, connection?.transaction?.body)) {
+        return next(DENY, 'Credential leak detected: never give out your username/password to anyone!')
+    }
+
+    next()
+}
+
+function look_for_credentials(user_regexp, passwd_regexp, body) {
+    if (user_regexp.test(body.bodytext) && passwd_regexp.test(body.bodytext)) {
+        return true
+    }
+
+    // Check all child parts
+    for (let i = 0, l = body.children.length; i < l; i++) {
+        if (look_for_credentials(user_regexp, passwd_regexp, body.children[i])) {
+            return true
+        }
+    }
+
+    return false
+}

package/plugins/process_title.js

@@ -0,0 +1,197 @@
+// process_title
+
+const outbound = require('../outbound')
+
+function setupInterval(title, server) {
+    // Set up a timer to update title
+    return setInterval(() => {
+        // Connections per second
+        const av_cps = Math.round((server.notes.pt_connections / process.uptime()) * 100) / 100
+        const cps = server.notes.pt_connections - server.notes.pt_cps_diff
+        if (cps > server.notes.pt_cps_max) server.notes.pt_cps_max = cps
+        server.notes.pt_cps_diff = server.notes.pt_connections
+        // Recipients per second
+        const av_rps = Math.round((server.notes.pt_recipients / process.uptime()) * 100) / 100
+        const rps = server.notes.pt_recipients - server.notes.pt_rps_diff
+        if (rps > server.notes.pt_rps_max) server.notes.pt_rps_max = rps
+        server.notes.pt_rps_diff = server.notes.pt_recipients
+        // Recipients per message
+        const rpm = Math.round((server.notes.pt_recipients / server.notes.pt_messages) * 100) / 100 || 0
+        // Messages per second
+        const av_mps = Math.round((server.notes.pt_messages / process.uptime()) * 100) / 100
+        const mps = server.notes.pt_messages - server.notes.pt_mps_diff
+        if (mps > server.notes.pt_mps_max) server.notes.pt_mps_max = mps
+        server.notes.pt_mps_diff = server.notes.pt_messages
+        // Messages per connection
+        const mpc = Math.round((server.notes.pt_messages / server.notes.pt_connections) * 100) / 100 || 0
+
+        const out = server.notes.pt_out_stats || outbound.get_stats()
+        if (/\(worker\)/.test(title)) {
+            process.send({ event: 'process_title.outbound_stats', data: out })
+        }
+        // Update title
+        let new_title = `${title} cn=${server.notes.pt_connections} cc=${server.notes.pt_concurrent} cps=${cps}/${av_cps}/${server.notes.pt_cps_max} rcpts=${server.notes.pt_recipients}/${rpm} rps=${rps}/${av_rps}/${server.notes.pt_rps_max} msgs=${server.notes.pt_messages}/${mpc} mps=${mps}/${av_mps}/${server.notes.pt_mps_max} out=${out} `
+        if (/\(master\)/.test(title)) {
+            new_title += `respawn=${server.notes.pt_child_exits} `
+        }
+        process.title = new_title
+    }, 1000)
+}
+
+exports.hook_init_master = function (next, server) {
+    server.notes.pt_connections = 0
+    server.notes.pt_concurrent = 0
+    server.notes.pt_cps_diff = 0
+    server.notes.pt_cps_max = 0
+    server.notes.pt_recipients = 0
+    server.notes.pt_rps_diff = 0
+    server.notes.pt_rps_max = 0
+    server.notes.pt_messages = 0
+    server.notes.pt_mps_diff = 0
+    server.notes.pt_mps_max = 0
+    server.notes.pt_child_exits = 0
+    let title = 'Haraka'
+    if (server.cluster) {
+        title = 'Haraka (master)'
+        process.title = title
+        server.notes.pt_concurrent_cluster = {}
+        server.notes.pt_new_out_stats = [0, 0, 0, 0]
+        const { cluster } = server
+        const recvMsg = (msg) => {
+            let count
+            switch (msg.event) {
+                case 'process_title.connect':
+                    server.notes.pt_connections++
+                    server.notes.pt_concurrent_cluster[msg.wid]++
+                    count = 0
+                    for (const id of Object.keys(server.notes.pt_concurrent_cluster)) {
+                        count += server.notes.pt_concurrent_cluster[id]
+                    }
+                    server.notes.pt_concurrent = count
+                    break
+                case 'process_title.disconnect':
+                    server.notes.pt_concurrent_cluster[msg.wid]--
+                    count = 0
+                    for (const id of Object.keys(server.notes.pt_concurrent_cluster)) {
+                        count += server.notes.pt_concurrent_cluster[id]
+                    }
+                    server.notes.pt_concurrent = count
+                    break
+                case 'process_title.recipient':
+                    server.notes.pt_recipients++
+                    break
+                case 'process_title.message':
+                    server.notes.pt_messages++
+                    break
+                case 'process_title.outbound_stats': {
+                    const out_stats = msg.data.split('/')
+                    for (let i = 0; i < out_stats.length; i++) {
+                        server.notes.pt_new_out_stats[i] += parseInt(out_stats[i], 10)
+                    }
+                    server.notes.pt_new_out_stats[3]++
+                    // Check if we got all results back yet
+                    if (server.notes.pt_new_out_stats[3] === Object.keys(cluster.workers).length) {
+                        server.notes.pt_out_stats = server.notes.pt_new_out_stats.slice(0, 3).join('/')
+                        server.notes.pt_new_out_stats = [0, 0, 0, 0]
+                    }
+                }
+                // fall through
+                default:
+                // Unknown message
+            }
+        }
+        // Register any new workers
+        cluster.on('fork', (worker) => {
+            server.notes.pt_concurrent_cluster[worker.id] = 0
+            cluster.workers[worker.id].on('message', recvMsg)
+        })
+        cluster.on('exit', (worker) => {
+            delete server.notes.pt_concurrent_cluster[worker.id]
+            // Update concurrency
+            let count = 0
+            for (const id of Object.keys(server.notes.pt_concurrent_cluster)) {
+                count += server.notes.pt_concurrent_cluster[id]
+            }
+            server.notes.pt_concurrent = count
+            server.notes.pt_child_exits++
+        })
+    }
+    this._interval = setupInterval(title, server)
+    next()
+}
+
+exports.hook_init_child = function (next, server) {
+    server.notes.pt_connections = 0
+    server.notes.pt_concurrent = 0
+    server.notes.pt_cps_diff = 0
+    server.notes.pt_cps_max = 0
+    server.notes.pt_recipients = 0
+    server.notes.pt_rps_diff = 0
+    server.notes.pt_rps_max = 0
+    server.notes.pt_messages = 0
+    server.notes.pt_mps_diff = 0
+    server.notes.pt_mps_max = 0
+    process.title = 'Haraka (worker)'
+    this._interval = setupInterval(process.title, server)
+    next()
+}
+
+exports.shutdown = function () {
+    this.logdebug(`Shutting down interval: ${this._interval}`)
+    clearInterval(this._interval)
+}
+
+exports.hook_connect_init = (next, connection) => {
+    const { server } = connection
+    connection.notes.pt_connect_run = true
+    if (server.cluster) {
+        const { worker } = server.cluster
+        worker.send({ event: 'process_title.connect', wid: worker.id })
+    }
+    server.notes.pt_connections++
+    server.notes.pt_concurrent++
+    next()
+}
+
+exports.hook_disconnect = (next, connection) => {
+    const { server } = connection
+    // Check that the hook above ran
+    // It might not if the disconnection is immediate
+    // echo "QUIT" | nc localhost 25
+    // will exhibit this behaviour.
+    let worker
+    if (!connection.notes.pt_connect_run) {
+        if (server.cluster) {
+            worker = server.cluster.worker
+            worker.send({ event: 'process_title.connect', wid: worker.id })
+        }
+        server.notes.pt_connections++
+        server.notes.pt_concurrent++
+    }
+    if (server.cluster) {
+        worker = server.cluster.worker
+        worker.send({ event: 'process_title.disconnect', wid: worker.id })
+    }
+    server.notes.pt_concurrent--
+    next()
+}
+
+exports.hook_rcpt = (next, connection) => {
+    const { server } = connection
+    if (server.cluster) {
+        const { worker } = server.cluster
+        worker.send({ event: 'process_title.recipient' })
+    }
+    server.notes.pt_recipients++
+    next()
+}
+
+exports.hook_data = (next, connection) => {
+    const { server } = connection
+    if (server.cluster) {
+        const { worker } = server.cluster
+        worker.send({ event: 'process_title.message' })
+    }
+    server.notes.pt_messages++
+    next()
+}

package/plugins/profile.js

@@ -0,0 +1,11 @@
+const prof = require('v8-profiler')
+
+exports.hook_connect_init = (next, conn) => {
+    prof.startProfiling(`Connection from: ${conn.remote.ip}`)
+    next()
+}
+
+exports.hook_disconnect = (next, conn) => {
+    prof.stopProfiling(`Connection from: ${conn.remote.ip}`)
+    next()
+}

package/plugins/queue/deliver.js

@@ -0,0 +1,12 @@
+// This plugin is entirely redundant. The core will queue outbound mails
+// automatically just like this. It is kept here for backwards compatibility
+// purposes only.
+
+const outbound = require('./outbound')
+
+exports.hook_queue_outbound = (next, connection) => {
+    // if not relaying, don't deliver outbound
+    if (!connection?.relaying) return next()
+
+    outbound.send_trans_email(connection?.transaction, next)
+}

package/plugins/queue/discard.js

@@ -0,0 +1,27 @@
+// discard
+
+exports.register = function () {
+    this.register_hook('queue', 'discard')
+    this.register_hook('queue_outbound', 'discard')
+}
+
+exports.discard = (next, connection) => {
+    const txn = connection.transaction
+
+    const q_wants = txn.notes.get('queue.wants')
+    if (q_wants && q_wants !== 'discard') return next()
+
+    function discard() {
+        connection.loginfo('discarding message')
+        // Pretend we delivered the message
+        return next(OK)
+    }
+
+    if (connection.notes.discard) return discard()
+    if (txn.notes.discard) return discard()
+    if (q_wants === 'discard') return discard()
+    if (process.env.YES_REALLY_DO_DISCARD) return discard()
+
+    // Allow other queue plugins to deliver
+    next()
+}

package/plugins/queue/lmtp.js

@@ -0,0 +1,45 @@
+//queue/lmtp
+
+'use strict'
+
+let outbound
+
+exports.register = function () {
+    this.load_lmtp_ini()
+    outbound = this.haraka_require('outbound')
+}
+
+exports.load_lmtp_ini = function () {
+    this.cfg = this.config.get('lmtp.ini', () => {
+        this.load_lmtp_ini()
+    })
+}
+
+exports.hook_get_mx = function (next, hmail, domain) {
+    if (!hmail.todo.notes.using_lmtp) return next()
+
+    const section = this.cfg[domain] || this.cfg.main
+
+    const mx = {
+        using_lmtp: true,
+        priority: 0,
+        exchange: section.host ?? '127.0.0.1',
+        port: section.port ?? 24,
+    }
+
+    if (section.path) mx.path = section.path
+
+    next(OK, mx)
+}
+
+exports.hook_queue = (next, connection) => {
+    const txn = connection?.transaction
+    if (!txn) return next()
+
+    const q_wants = txn.notes.get('queue.wants')
+
+    if (q_wants && q_wants !== 'lmtp') return next()
+
+    txn.notes.using_lmtp = true
+    outbound.send_trans_email(txn, next)
+}