haraka 0.0.33 → 3.3.1

package/plugins/queue/smtp_proxy.js

@@ -0,0 +1,142 @@
+'use strict'
+// Proxy to an SMTP server
+// Opens the connection to the ongoing SMTP server at MAIL FROM time
+// and passes back any errors seen on the ongoing server to the
+// originating server.
+
+const smtp_client_mod = require('../../smtp_client')
+const tls_socket = require('../../tls_socket')
+
+exports.register = function () {
+    this.load_smtp_proxy_ini()
+
+    if (this.cfg.main.enable_outbound) {
+        this.register_hook('queue_outbound', 'hook_queue')
+    }
+}
+
+exports.load_smtp_proxy_ini = function () {
+    this.cfg = this.config.get(
+        'smtp_proxy.ini',
+        {
+            booleans: [
+                '-main.enable_tls',
+                '+main.enable_outbound',
+                '+tls.requestCert',
+                '+tls.honorCipherOrder',
+                '-tls.rejectUnauthorized',
+            ],
+        },
+        () => {
+            this.load_smtp_proxy_ini()
+        },
+    )
+
+    // Build backend TLS options from tls.ini [main] + this plugin's [tls] section.
+    // Re-derived on every (re)load so SIGHUP picks up edits.
+    this.tls_options = tls_socket.load_plugin_tls_options(this.cfg.tls || {})
+
+    if (this.cfg.main.enable_outbound) {
+        this.lognotice('outbound enabled, will default to disabled in Haraka v3 (see #1472)')
+    }
+}
+
+exports.hook_mail = function (next, connection) {
+    const c = this.cfg.main
+    connection.loginfo(
+        this,
+        `forwarding to ${c.forwarding_host_pool ? 'configured forwarding_host_pool' : `${c.host}:${c.port}`}`,
+    )
+    smtp_client_mod.get_client_plugin(this, connection, c, (err, smtp_client) => {
+        connection.notes.smtp_client = smtp_client
+        smtp_client.next = next
+
+        smtp_client.on('mail', smtp_client.call_next)
+        smtp_client.on('rcpt', smtp_client.call_next)
+        smtp_client.on('data', smtp_client.call_next)
+
+        smtp_client.on('dot', () => {
+            if (smtp_client.is_dead_sender(this, connection)) {
+                delete connection.notes.smtp_client
+                return
+            }
+
+            smtp_client.call_next(OK, smtp_client.response)
+            smtp_client.release()
+            delete connection.notes.smtp_client
+        })
+
+        smtp_client.on('error', () => {
+            delete connection.notes.smtp_client
+        })
+
+        smtp_client.on('bad_code', (code) => {
+            smtp_client.call_next(code.match(/^4/) ? DENYSOFT : DENY, smtp_client.response.slice())
+
+            if (smtp_client.command !== 'rcpt') {
+                // errors are OK for rcpt, but nothing else
+                // this can also happen if the destination server
+                // times out, but that is okay.
+                connection.loginfo(this, 'message denied, proxying failed')
+                smtp_client.release()
+                delete connection.notes.smtp_client
+            }
+        })
+    })
+}
+
+exports.hook_rcpt_ok = (next, connection, recipient) => {
+    const { smtp_client } = connection.notes
+    if (!smtp_client) return next()
+    if (smtp_client.is_dead_sender(this, connection)) {
+        delete connection.notes.smtp_client
+        return
+    }
+    smtp_client.next = next
+    smtp_client.send_command('RCPT', `TO:${recipient.format(!smtp_client.smtputf8)}`)
+}
+
+exports.hook_data = (next, connection) => {
+    const { smtp_client } = connection.notes
+    if (!smtp_client) return next()
+
+    if (smtp_client.is_dead_sender(this, connection)) {
+        delete connection.notes.smtp_client
+        return
+    }
+    smtp_client.next = next
+    smtp_client.send_command('DATA')
+}
+
+exports.hook_queue = function (next, connection) {
+    if (!connection?.transaction || !connection?.notes) return next()
+
+    const { smtp_client } = connection.notes
+    if (!smtp_client) return next()
+
+    if (smtp_client.is_dead_sender(this, connection)) {
+        delete connection.notes.smtp_client
+        return
+    }
+    smtp_client.next = next
+    smtp_client.start_data(connection.transaction.message_stream)
+}
+
+exports.hook_rset = (next, connection) => {
+    const { smtp_client } = connection.notes
+    if (!smtp_client) return next()
+    smtp_client.release()
+    delete connection.notes.smtp_client
+    next()
+}
+
+exports.hook_quit = exports.hook_rset
+
+exports.hook_disconnect = (next, connection) => {
+    const { smtp_client } = connection.notes
+    if (!smtp_client) return next()
+    smtp_client.release()
+    delete connection.notes.smtp_client
+    smtp_client.call_next()
+    next()
+}

package/plugins/queue/test.js

@@ -0,0 +1,15 @@
+const fs = require('node:fs')
+const os = require('node:os')
+
+const tempDir = os.tmpdir()
+
+exports.hook_queue = function (next, connection) {
+    const txn = connection?.transaction
+    if (!txn) return next()
+
+    const file_path = `${tempDir}/mail_${txn.uuid}.eml`
+    const ws = fs.createWriteStream(file_path)
+    connection.logdebug(this, `Saving to ${file_path}`)
+    ws.once('close', () => next(OK))
+    connection.transaction.message_stream.pipe(ws)
+}

package/plugins/rcpt_to.host_list_base.js

@@ -0,0 +1,65 @@
+'use strict'
+// Base class for plugins that use config/host_list
+
+exports.load_host_list = function () {
+    const lowered_list = {} // assemble
+    const raw_list = this.config.get('host_list', 'list', () => {
+        this.load_host_list()
+    })
+
+    for (const i in raw_list) {
+        lowered_list[raw_list[i].toLowerCase()] = true
+    }
+
+    this.host_list = lowered_list
+}
+
+exports.load_host_list_regex = function () {
+    this.host_list_regex = this.config.get('host_list_regex', 'list', () => {
+        this.load_host_list_regex()
+    })
+
+    this.hl_re = new RegExp(`^(?:${this.host_list_regex.join('|')})$`, 'i')
+}
+
+exports.hook_mail = function (next, connection, params) {
+    const txn = connection?.transaction
+    if (!txn) return
+
+    const email = params[0].address
+    if (!email) {
+        txn.results.add(this, { skip: 'mail_from.null', emit: true })
+        return next()
+    }
+
+    const domain = params[0].host.toLowerCase()
+
+    const anti_spoof = this.config.get('host_list.anti_spoof') || false
+
+    if (this.in_host_list(domain, connection) || this.in_host_regex(domain, connection)) {
+        if (anti_spoof && !connection.relaying) {
+            txn.results.add(this, { fail: 'mail_from.anti_spoof' })
+            return next(DENY, `Mail from domain '${domain}' is not allowed from your host`)
+        }
+        txn.results.add(this, { pass: 'mail_from' })
+        txn.notes.local_sender = true
+        return next()
+    }
+
+    txn.results.add(this, { msg: 'mail_from!local' })
+    return next()
+}
+
+exports.in_host_list = function (domain, connection) {
+    this.logdebug(connection, `checking ${domain} in config/host_list`)
+    return !!this.host_list[domain]
+}
+
+exports.in_host_regex = function (domain, connection) {
+    if (!this.host_list_regex) return false
+    if (!this.host_list_regex.length) return false
+
+    this.logdebug(connection, `checking ${domain} against config/host_list_regex `)
+
+    return !!this.hl_re.test(domain)
+}

package/plugins/rcpt_to.in_host_list.js

@@ -0,0 +1,56 @@
+'use strict'
+// Check RCPT TO domain is in config/host_list
+
+// Previous versions of this plugin (Haraka <= 2.4.0) did not account for
+// relaying users. This plugin now permits relaying clients to send if
+// the message is destined to or originating from a local domain.
+//
+// The mail hook always checks the MAIL FROM address and when detected, sets
+// connection.transaction.notes.local_sender=true. During RCPT TO, if relaying
+// is enabled and the sending domain is local, the receipt is OK.
+
+exports.register = function () {
+    this.inherits('rcpt_to.host_list_base')
+
+    this.load_host_list()
+    this.load_host_list_regex()
+}
+
+exports.hook_rcpt = function (next, connection, params) {
+    const txn = connection?.transaction
+    if (!txn) return
+
+    const rcpt = params[0]
+
+    // Check for RCPT TO without an @ first - ignore those here
+    if (!rcpt.host) {
+        txn.results.add(this, { fail: 'rcpt!domain' })
+        return next()
+    }
+
+    connection.logdebug(this, `Checking if ${rcpt} host is in host_list`)
+
+    const domain = rcpt.host.toLowerCase()
+
+    if (this.in_host_list(domain, connection)) {
+        txn.results.add(this, { pass: 'rcpt_to' })
+        return next(OK)
+    }
+
+    if (this.in_host_regex(domain, connection)) {
+        txn.results.add(this, { pass: 'rcpt_to' })
+        return next(OK)
+    }
+
+    // in this case, a client with relaying privileges is sending FROM a local
+    // domain. For them, any RCPT address is accepted.
+    if (connection.relaying && txn.notes.local_sender) {
+        txn.results.add(this, { pass: 'relaying local_sender' })
+        return next(OK)
+    }
+
+    // the MAIL FROM domain is not local and neither is the RCPT TO
+    // Another RCPT plugin may yet vouch for this recipient.
+    txn.results.add(this, { msg: 'rcpt!local' })
+    return next()
+}

package/plugins/record_envelope_addresses.js

@@ -0,0 +1,17 @@
+// record_envelope_addresses
+
+// documentation via: haraka -h plugins/record_envelope_addresses
+
+exports.hook_rcpt = (next, connection, params) => {
+    if (connection?.transaction) {
+        connection.transaction.add_header('X-Envelope-To', params[0].address)
+    }
+    next()
+}
+
+exports.hook_mail = (next, connection, params) => {
+    if (connection?.transaction) {
+        connection.transaction.add_header('X-Envelope-From', params[0].address)
+    }
+    next()
+}

package/plugins/reseed_rng.js

@@ -0,0 +1,7 @@
+const crypto = require('node:crypto')
+
+exports.hook_init_child = function (next) {
+    Math.seedrandom(crypto.randomBytes(256).toString('hex'))
+    this.logdebug('reseeded rng')
+    next()
+}

package/plugins/status.js

@@ -0,0 +1,274 @@
+'use strict'
+/* global server */
+
+const fs = require('node:fs')
+const path = require('node:path')
+
+exports.register = function () {
+    this.outbound = require('../outbound')
+    this.queue_dir = require('../outbound/queue').queue_dir
+}
+
+exports.hook_capabilities = (next, connection) => {
+    if (connection.remote.is_local) {
+        connection.capabilities.push('STATUS')
+    }
+
+    next()
+}
+
+exports.hook_unrecognized_command = function (next, connection, params) {
+    if (params[0] !== 'STATUS') return next()
+    if (!connection.remote.is_local) return next(DENY, 'STATUS not allowed remotely')
+
+    this.run(params[1], (err, result) => {
+        if (err) return next(DENY, err.message)
+
+        connection.respond(211, result ? JSON.stringify(result) : 'null', () => next(OK))
+    })
+}
+
+exports.run = function (cmd, cb) {
+    if (server.cluster && !/^QUEUE LIST/.test(cmd)) {
+        this.call_master(cmd, cb)
+    } else {
+        this.command_action(cmd, cb)
+    }
+}
+
+exports.command_action = function (cmd, cb) {
+    const params = cmd.split(' ')
+
+    switch (params.shift()) {
+        case 'POOL':
+            return this.pool_action(params, cb)
+        case 'QUEUE':
+            return this.queue_action(params, cb)
+        default:
+            cb('unknown STATUS command')
+    }
+}
+
+exports.pool_action = function (params, cb) {
+    switch (params.shift()) {
+        case 'LIST':
+            return this.pool_list(cb)
+        default:
+            cb('unknown POOL command')
+    }
+}
+
+exports.queue_action = function (params, cb) {
+    switch (params.shift()) {
+        case 'LIST':
+            return this.queue_list(cb)
+        case 'STATS':
+            return this.queue_stats(cb)
+        case 'INSPECT':
+            return this.queue_inspect(cb)
+        case 'DISCARD':
+            return this.queue_discard(params.shift(), cb)
+        case 'PUSH':
+            return this.queue_push(params.shift(), cb)
+        default:
+            cb('unknown QUEUE command')
+    }
+}
+
+exports.pool_list = (cb) => {
+    const result = {}
+
+    if (server.notes.pool) {
+        for (const name of Object.keys(server.notes.pool)) {
+            const instance = server.notes.pool[name]
+
+            result[name] = {
+                inUse: instance.inUseObjectsCount(),
+                size: instance.getPoolSize(),
+            }
+        }
+    }
+
+    cb(null, result)
+}
+
+exports.queue_list = async function (cb) {
+    try {
+        const qlist = await this.outbound.list_queue()
+        const result = []
+
+        for (const todo of qlist) {
+            result.push({
+                file: todo.file,
+                uuid: todo.uuid,
+                queue_time: todo.queue_time,
+                domain: todo.domain,
+                from: todo.mail_from.toString(),
+                to: todo.rcpt_to.map((r) => r.toString()),
+            })
+        }
+
+        cb(null, result)
+    } catch (err) {
+        cb(err)
+    }
+}
+
+exports.queue_stats = function (cb) {
+    cb(null, this.outbound.get_stats())
+}
+
+exports.queue_inspect = function (cb) {
+    const delivery_queue_items = this.outbound.delivery_queue.tasks
+    const fail_queue_items = this.outbound.temp_fail_queue.queue
+
+    cb(null, {
+        delivery_queue: delivery_queue_items.map((hmail) => ({
+            id: hmail.file,
+        })),
+        temp_fail_queue: fail_queue_items.map((tqtimer) => ({
+            id: tqtimer.id,
+            fire_time: tqtimer.fire_time,
+        })),
+    })
+}
+
+exports.queue_discard = function (file, cb) {
+    try {
+        this.outbound.temp_fail_queue.discard(file)
+    } catch {
+        // ignore not found error
+    }
+
+    fs.unlink(path.join(this.queue_dir || '', file), () => {
+        cb(null, 'OK')
+    })
+}
+
+exports.queue_push = function (file, cb) {
+    const { queue } = this.outbound.temp_fail_queue
+
+    for (let i = 0; i < queue.length; i++) {
+        if (queue[i].id !== file) continue
+
+        const item = queue.splice(i, 1)[0]
+        item.cb()
+
+        break
+    }
+
+    cb(null, 'OK')
+}
+
+// cluster IPC
+
+exports.hook_init_master = function (next) {
+    const plugin = this
+
+    if (!server.cluster) return next()
+
+    function message_handler(sender, msg) {
+        if (msg.event !== 'status.request') return
+
+        plugin.call_workers(msg, (response) => {
+            const valid = response.filter((el) => el != null)
+            msg.result = plugin.merge_worker_responses(msg.params, valid)
+            msg.event = 'status.result'
+            sender.send(msg)
+        })
+    }
+
+    server.cluster.on('message', message_handler)
+    next()
+}
+
+exports.hook_init_child = function (next) {
+    const self = this
+
+    function message_handler(msg) {
+        if (msg.event !== 'status.request') return
+
+        self.command_action(msg.params, (err, result) => {
+            msg.event = 'status.response'
+            msg.result = result
+            process.send(msg)
+        })
+    }
+
+    process.on('message', message_handler)
+    next()
+}
+
+exports.call_master = (cmd, cb) => {
+    function message_handler(msg) {
+        if (msg.event !== 'status.result') return
+
+        process.removeListener('message', message_handler)
+        cb(null, msg.result)
+    }
+
+    process.on('message', message_handler)
+    process.send({ event: 'status.request', params: cmd })
+}
+
+exports.call_workers = function (cmd, cb) {
+    Promise.allSettled(Object.values(server.cluster.workers).map((w) => this.call_worker(w, cmd))).then((r) => {
+        cb(r.filter((s) => s.status === 'fulfilled').map((s) => s.value))
+    })
+}
+
+// Merge per-worker responses into a single result matching non-cluster output shape.
+exports.merge_worker_responses = (params, results) => {
+    const cmd = params.trim().split(/\s+/).slice(0, 2).join(' ').toUpperCase()
+
+    switch (cmd) {
+        case 'POOL LIST': {
+            return Object.assign({}, ...results)
+        }
+        case 'QUEUE INSPECT': {
+            const merged = { delivery_queue: [], temp_fail_queue: [] }
+            for (const r of results) {
+                if (!r) continue
+                if (Array.isArray(r.delivery_queue)) merged.delivery_queue.push(...r.delivery_queue)
+                if (Array.isArray(r.temp_fail_queue)) merged.temp_fail_queue.push(...r.temp_fail_queue)
+            }
+            return merged
+        }
+        case 'QUEUE STATS': {
+            const totals = [0, 0, 0]
+            for (const r of results) {
+                if (!r) continue
+                const parts = String(r).split('/')
+                for (let i = 0; i < 3; i++) totals[i] += parseInt(parts[i] ?? 0, 10)
+            }
+            return totals.join('/')
+        }
+        default:
+            return results
+    }
+}
+
+// sends command to worker and then wait for response or timeout
+exports.call_worker = (worker, cmd) => {
+    return new Promise((resolve) => {
+        let timeout
+
+        function message_handler(sender, msg) {
+            if (sender.id !== worker.id) return
+            if (msg.event !== 'status.response') return
+
+            clearTimeout(timeout)
+            server.cluster.removeListener('message', message_handler)
+
+            resolve(msg.result)
+        }
+
+        timeout = setTimeout(() => {
+            server.cluster.removeListener('message', message_handler)
+            resolve()
+        }, 1000)
+
+        server.cluster.on('message', message_handler)
+        worker.send(cmd)
+    })
+}

package/plugins/tarpit.js

@@ -0,0 +1,45 @@
+// tarpit
+
+let hooks_to_delay = [
+    'connect',
+    'helo',
+    'ehlo',
+    'mail',
+    'rcpt',
+    'rcpt_ok',
+    'data',
+    'data_post',
+    'queue',
+    'unrecognized_command',
+    'vrfy',
+    'noop',
+    'rset',
+    'quit',
+]
+
+exports.register = function () {
+    // Register tarpit function last
+
+    const cfg = this.config.get('tarpit.ini')
+    if (cfg?.main.hooks_to_delay) {
+        hooks_to_delay = cfg.main.hooks_to_delay.split(/[\s,;]+/)
+    }
+
+    for (const hook of hooks_to_delay) {
+        this.register_hook(hook, 'tarpit')
+    }
+}
+
+exports.tarpit = function (next, connection) {
+    const { transaction } = connection
+    if (!transaction) return next()
+
+    let delay = connection.notes.tarpit
+
+    if (!delay) delay = transaction.notes.tarpit
+
+    if (!delay) return next()
+
+    connection.loginfo(this, `tarpitting response for ${delay}s`)
+    setTimeout(() => next(), delay * 1000)
+}