npm - mailauth - Versions diffs - 3.0.1 → 4.0.0 - Mend

mailauth 3.0.1 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md CHANGED Viewed

@@ -10,10 +10,10 @@
 -   ARC sealing
     -   Sealing on authentication
     -   Sealing after modifications
--   **BIMI** resolving
+-   **BIMI** resolving and **VMC** validation
 -   **MTA-STS** helpers
-Pure JavaScript implementation, no external applications or compilation needed. It runs on any server/device that has Node 14+ installed.
+Pure JavaScript implementation, no external applications or compilation needed. It runs on any server/device that has Node 16+ installed.
 ## Command line usage
@@ -48,7 +48,8 @@ Where
         -   **selector** (_string_) ARC key selector
         -   **privateKey** (_string_ or _buffer_) Private key for signing. Either an RSA or an Ed25519 key
     -   **resolver** (_async function_) is an optional async function for DNS requests. Defaults to [dns.promises.resolve](https://nodejs.org/api/dns.html#dns_dnspromises_resolve_hostname_rrtype)
-    -   **maxResolveCount** (_number_ defaults to _50_) is the DNS lookup limit for SPF. [RFC7208](https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4) requires this limit to be 10. Mailauth is less strict and defaults to 50.
+    -   **maxResolveCount** (_number_ defaults to _10_) is the DNS lookup limit for SPF. [RFC7208](https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4) requires this limit to be 10.
+    -   **maxVoidCount** (_number_ defaults to _2_) is the DNS lookup limit for SPF that produce an empty result. [RFC7208](https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4) requires this limit to be 2.
 **Example**
@@ -403,7 +404,6 @@ The function returns a boolean. If it is `true`, then MX hostname is allowed to
 [OpenSPF test suite](http://www.openspf.org/Test_Suite) ([archive.org mirror](https://web.archive.org/web/20190130131432/http://www.openspf.org/Test_Suite)) with the following differences:
--   No PTR support in `mailauth`. All PTR related tests are ignored
 -   Less strict whitespace checks (`mailauth` accepts multiple spaces between tags etc.)
 -   Some macro tests are skipped (macro expansion is supported _in most parts_)
 -   Some tests where the invalid component is listed after a matching part (mailauth processes from left to right and returns on the first match found)

package/bin/mailauth.js CHANGED Viewed

@@ -52,7 +52,13 @@ const argv = yargs(hideBin(process.argv))
                     alias: 'x',
                     type: 'number',
                     description: 'Maximum allowed DNS lookups',
-                    default: 50
+                    default: 10
+                })
+                .option('max-void-lookups', {
+                    alias: 'z',
+                    type: 'number',
+                    description: 'Maximum allowed empty DNS lookups',
+                    default: 2
                 });
             yargs.positional('email', {
                 describe: 'Path to the email message file in EML format. If not specified then content is read from stdin'
@@ -275,7 +281,13 @@ const argv = yargs(hideBin(process.argv))
                     alias: 'x',
                     type: 'number',
                     description: 'Maximum allowed DNS lookups',
-                    default: 50
+                    default: 10
+                })
+                .option('max-void-lookups', {
+                    alias: 'z',
+                    type: 'number',
+                    description: 'Maximum allowed empty DNS lookups',
+                    default: 2
                 });
         },
         argv => {

package/cli.md CHANGED Viewed

@@ -26,14 +26,6 @@ Download `mailauth` for your platform:
 -   [Windows](https://github.com/postalsys/mailauth/releases/latest/download/mailauth.exe)
 -   Or install from the NPM registry: `npm install -g mailauth`
-> **NB!** Downloadable files are quite large because these are packaged Node.js applications
-Alternatively you can install `mailauth` from [npm](https://npmjs.com/package/mailauth).
-```
-npm install -g mailauth
-```
 ## Help
 ```
@@ -67,7 +59,8 @@ Where
 -   `--mta hostname` or `-m hostname` is the server hostname doing the validation checks. Defaults to `os.hostname()`
 -   `--dns-cache /path/to/dns.json` or `-n path` is the path to a file with cached DNS query responses. If this file is provided then no actual DNS requests are performed, only cached values from this file are used.
 -   `--verbose` or `-v` if this flag is set then mailauth writes some debugging info to standard error
--   `--max-lookups nr` or `-x nr` defines the allowed DNS lookup limit for SPF checks. Defaults to 50.
+-   `--max-lookups nr` or `-x nr` defines the allowed DNS lookup limit for SPF checks. Defaults to 10.
+-   `--max-void-lookups nr` or `-z nr` defines the allowed DNS lookup limit for SPF checks. Defaults to 2.
 **Example**
@@ -195,14 +188,15 @@ Where
 -   `--dns-cache /path/to/dns.json` or `-n path` is the path to a file with cached DNS query responses. If this file is provided then no actual DNS requests are performed, only cached values from this file are used.
 -   `--verbose` or `-v` if this flag is set then mailauth writes some debugging info to standard error
 -   `--headers-only` or `-o` If set return SPF authentication header only. Default is to return a JSON structure.
--   `--max-lookups nr` or `-x nr` defines the allowed DNS lookup limit for SPF checks. Defaults to 50.
+-   `--max-lookups nr` or `-x nr` defines the allowed DNS lookup limit for SPF checks. Defaults to 10.
+-   `--max-void-lookups nr` or `-z nr` defines the allowed DNS lookup limit for SPF checks. Defaults to 2.
 **Example**
 ```
 $ mailauth spf --verbose -f andris@wildduck.email -i 217.146.76.20
 Checking SPF for andris@wildduck.email
-Maximum DNS lookups: 50
+Maximum DNS lookups: 10
 --------
 DNS query for TXT wildduck.email: [["v=spf1 mx a -all"]]
 DNS query for MX wildduck.email: [{"exchange":"mail.wildduck.email","priority":1}]
@@ -246,9 +240,6 @@ $ mailauth vmc -a https://amplify.valimail.com/bimi/time-warner/yV3KRIg4nJW-cnn.
     "logoFile": "<2300B base64 encoded file>",
     "validHash": true,
     "certificate": {
-      "subjectAltName": [
-        "cnn.com"
-      ],
       "subject": {
         "businessCategory": "Private Organization",
         "jurisdictionCountryName": "US",
@@ -263,8 +254,13 @@ $ mailauth vmc -a https://amplify.valimail.com/bimi/time-warner/yV3KRIg4nJW-cnn.
         "trademarkCountryOrRegionName": "US",
         "trademarkRegistration": "5817930"
       },
+      "subjectAltName": [
+        "cnn.com"
+      ],
       "fingerprint": "17:B3:94:97:E6:6B:C8:6B:33:B8:0A:D2:F0:79:6B:08:A2:A6:84:BD",
       "serialNumber": "0821B8FE0A9CBC3BAC10DA08C088EEF4",
+      "validFrom": "2021-08-12T00:00:00.000Z",
+      "validTo": "2022-08-12T23:59:59.000Z",
       "issuer": {
         "countryName": "US",
         "organizationName": "DigiCert, Inc.",
@@ -275,7 +271,7 @@ $ mailauth vmc -a https://amplify.valimail.com/bimi/time-warner/yV3KRIg4nJW-cnn.
 }
 ```
-If the certificate verification fails, then the contents are not returned.
+If the certificate verification fails, then the logo contents are not returned.
 ```
 $ mailauth vmc -p /path/to/random/cert-bundle.pem
@@ -284,17 +280,46 @@ $ mailauth vmc -p /path/to/random/cert-bundle.pem
   "error": {
     "message": "Self signed certificate in certificate chain",
     "details": {
-      "subject": "CN=postal.vmc.local\nO=Postal Systems OU.\nC=EE",
-      "fingerprint": "CC:49:83:ED:3F:6B:77:45:5B:A5:3B:9E:EC:99:0E:A1:EF:D7:FF:97",
-      "fingerprint235": "D4:36:6F:B4:EF:2B:4F:9E:84:23:3D:F2:3A:F7:13:21:C6:C3:CF:CB:03:5F:BB:54:5B:69:A4:AC:6A:43:61:7D",
-      "validFrom": "Jul  9 06:13:33 2022 GMT",
-      "validTo": "Jul  9 06:13:33 2023 GMT"
+      "certificate": {
+        "subject": {
+          "commonName": "postal.vmc.local",
+          "organizationName": "Postal Systems OU.",
+          "countryName": "EE"
+        },
+        "subjectAltName": [],
+        "fingerprint": "CC:49:83:ED:3F:6B:77:45:5B:A5:3B:9E:EC:99:0E:A1:EF:D7:FF:97",
+        "serialNumber": "B61FBFBA917B15D9",
+        "validFrom": "2022-07-09T06:13:33.000Z",
+        "validTo": "2023-07-09T06:13:33.000Z",
+        "issuer": {
+          "commonName": "postal.vmc.local",
+          "organizationName": "Postal Systems OU.",
+          "countryName": "EE"
+        }
+      }
     },
     "code": "SELF_SIGNED_CERT_IN_CHAIN"
   }
 }
 ```
+The embedded SVG file is also validated.
+```
+$ mailauth vmc -p /path/to/vmc-with-invalid-svg.pem
+{
+  "success": false,
+  "error": {
+    "message": "VMC logo SVG validation failed",
+    "details": {
+      "message": "Not a Tiny PS profile",
+      "code": "INVALID_BASE_PROFILE"
+    },
+    "code": "SVG_VALIDATION_FAILED"
+  }
+}
+```
 ### license
 Display licenses for `mailauth` and included modules.

package/lib/bimi/index.js CHANGED Viewed

@@ -12,6 +12,7 @@ const httpsSchema = Joi.string().uri({
 const https = require('https');
 const http = require('http');
 const { vmc } = require('@postalsys/vmc');
+const { validateSvg } = require('./validate-svg');
 const lookup = async data => {
     let { dmarc, headers, resolver } = data;
@@ -303,6 +304,12 @@ const validateVMC = async bimiData => {
             try {
                 let vmcData = await vmc(authorityValue);
+                if (!vmcData.logoFile) {
+                    let error = new Error('VMC does not contain a log file');
+                    error.code = 'MISSING_VMC_LOGO';
+                    throw error;
+                }
                 if (vmcData?.mediaType?.toLowerCase() !== 'image/svg+xml') {
                     let error = new Error('Invalid media type for the logo file');
                     error.details = {
@@ -312,6 +319,33 @@ const validateVMC = async bimiData => {
                     throw error;
                 }
+                if (!vmcData.validHash) {
+                    let error = new Error('VMC hash does not match logo file');
+                    error.details = {
+                        hashAlgo: vmcData.hashAlgo,
+                        hashValue: vmcData.hashValue,
+                        logoFile: vmcData.logoFile
+                    };
+                    error.code = 'INVALID_LOGO_HASH';
+                    throw error;
+                }
+                // throws on invalid logo file
+                try {
+                    validateSvg(Buffer.from(vmcData.logoFile, 'base64'));
+                } catch (err) {
+                    let error = new Error('VMC logo SVG validation failed');
+                    error.details = Object.assign(
+                        {
+                            message: err.message
+                        },
+                        error.details || {},
+                        err.code ? { code: err.code } : {}
+                    );
+                    error.code = 'SVG_VALIDATION_FAILED';
+                    throw error;
+                }
                 if (d) {
                     // validate domain
                     let selectorSet = [];

package/lib/bimi/validate-svg.js ADDED Viewed

@@ -0,0 +1,96 @@
+'use strict';
+const { XMLParser } = require('fast-xml-parser');
+function validateSvg(logo) {
+    const parser = new XMLParser({
+        ignoreAttributes: false,
+        attributeNamePrefix: '@_'
+    });
+    let logoObj;
+    try {
+        logoObj = parser.parse(logo);
+        if (!logoObj) {
+            throw new Error('Emtpy file');
+        }
+    } catch (err) {
+        let error = new Error('Invalid SVG file');
+        error._err = err;
+        error.code = 'INVALID_XML_FILE';
+        throw error;
+    }
+    if (!logoObj.svg) {
+        let error = new Error('Invalid SVG file');
+        error.code = 'INVALID_SVG_FILE';
+        throw error;
+    }
+    if (logoObj.svg['@_baseProfile'] !== 'tiny-ps') {
+        let error = new Error('Not a Tiny PS profile');
+        error.code = 'INVALID_BASE_PROFILE';
+        throw error;
+    }
+    if (!logoObj.svg.title) {
+        let error = new Error('Logo file is missing title');
+        error.code = 'LOGO_MISSING_TITLE';
+        throw error;
+    }
+    if ('@_x' in logoObj.svg || '@_y' in logoObj.svg) {
+        let error = new Error('Logo root includes x/y attributes');
+        error.code = 'LOGO_INVALID_ROOT_ATTRS';
+        throw error;
+    }
+    let walkElm = (node, name, path) => {
+        if (!node) {
+            return;
+        }
+        if (Array.isArray(node)) {
+            for (let entry of node) {
+                walkElm(entry, name, path + '.' + name + '[]');
+            }
+        } else if (typeof node === 'object') {
+            if (node['@_xlink:href'] && !/^#/.test(node['@_xlink:href'])) {
+                let error = new Error('External reference found from file');
+                error.details = {
+                    element: name,
+                    link: node['@_xlink:href'],
+                    path
+                };
+                error.code = 'LOGO_INCLUDES_REFERENCE';
+                throw error;
+            }
+            for (let key of Object.keys(node)) {
+                if (['script', 'animate', 'animatemotion', 'animatetransform', 'discard', 'set'].includes(key.toLowerCase())) {
+                    let error = new Error('Unallowed element found from file');
+                    error.details = {
+                        element: key,
+                        path: path + '.' + key
+                    };
+                    error.code = 'LOGO_INVALID_ELEMENT';
+                    throw error;
+                }
+                if (Array.isArray(node[key])) {
+                    for (let entry of node[key]) {
+                        walkElm(entry, key, path + '.' + key + '[]');
+                    }
+                } else if (node[key] && typeof node[key] === 'object') {
+                    walkElm(node[key], key, path + '.' + key);
+                }
+            }
+        }
+    };
+    walkElm(logoObj, 'root', '');
+    // all validations passed
+    return true;
+}
+module.exports = { validateSvg };

package/lib/commands/report.js CHANGED Viewed

@@ -35,6 +35,10 @@ const cmd = async argv => {
         opts.maxResolveCount = argv.maxLookups;
     }
+    if (argv.maxVoidLookups) {
+        opts.maxVoidCount = argv.maxVoidLookups;
+    }
     for (let key of ['mta', 'helo', 'sender']) {
         if (argv[key]) {
             opts[key] = argv[key];

package/lib/commands/spf.js CHANGED Viewed

@@ -28,6 +28,10 @@ const cmd = async argv => {
         opts.maxResolveCount = argv.maxLookups;
     }
+    if (argv.maxVoidLookups) {
+        opts.maxVoidCount = argv.maxVoidLookups;
+    }
     for (let key of ['sender', 'helo', 'mta']) {
         if (argv[key]) {
             opts[key] = argv[key];

package/lib/dkim/body/relaxed.js CHANGED Viewed

@@ -266,27 +266,3 @@ class RelaxedHash {
 }
 module.exports = { RelaxedHash };
-/*
-let fs = require('fs');
-const getBody = message => {
-    message = message.toString('binary');
-    let match = message.match(/\r?\n\r?\n/);
-    if (match) {
-        message = message.substr(match.index + match[0].length);
-    }
-    return Buffer.from(message, 'binary');
-};
-let s = fs.readFileSync(process.argv[2]);
-let k = new RelaxedHash('rsa-sha256', -1);
-for (let byte of getBody(s)) {
-    k.update(Buffer.from([byte]));
-}
-console.error(k.digest('base64'));
-console.error(k.byteLength, k.bodyHashedBytes);
-*/

package/lib/mailauth.js CHANGED Viewed

@@ -5,6 +5,7 @@ const { spf } = require('./spf');
 const { dmarc } = require('./dmarc');
 const { arc, createSeal } = require('./arc');
 const { bimi, validateVMC: validateBimiVmc } = require('./bimi');
+const { validateSvg: validateBimiSvg } = require('./bimi/validate-svg');
 const { parseReceived } = require('./parse-received');
 const { sealMessage } = require('./arc');
 const libmime = require('libmime');
@@ -180,4 +181,9 @@ const authenticate = async (input, opts) => {
     };
 };
-module.exports = { authenticate, sealMessage, validateBimiVmc };
+module.exports = {
+    authenticate,
+    sealMessage,
+    validateBimiVmc,
+    validateBimiSvg
+};

package/lib/spf/index.js CHANGED Viewed

@@ -8,7 +8,8 @@ const Joi = require('joi');
 const domainSchema = Joi.string().domain({ allowUnicode: false, tlds: false });
 const { formatAuthHeaderRow, escapeCommentValue } = require('../tools');
-const MAX_RESOLVE_COUNT = 50;
+const MAX_RESOLVE_COUNT = 10;
+const MAX_VOID_COUNT = 2;
 const formatHeaders = result => {
     let header = `Received-SPF: ${result.status.result}${result.status.comment ? ` (${escapeCommentValue(result.status.comment)})` : ''} client-ip=${
@@ -19,23 +20,24 @@ const formatHeaders = result => {
 };
 // DNS resolver method
-let limitedResolver = (resolver, maxResolveCount) => {
+let limitedResolver = (resolver, maxResolveCount, maxVoidCount, ignoreFirst) => {
     let resolveCount = 0;
-    maxResolveCount = maxResolveCount || MAX_RESOLVE_COUNT;
+    let voidCount = 0;
-    return async (domain, type) => {
-        if (!domain && type === 'resolveCount') {
-            // special condition to get the counter
-            return resolveCount;
-        }
+    let subResolveCounts = {};
+    let firstCounted = !ignoreFirst;
-        if (!domain && type === 'resolveLimit') {
-            // special condition to get the limit
-            return maxResolveCount;
-        }
+    maxResolveCount = maxResolveCount || MAX_RESOLVE_COUNT;
+    maxVoidCount = maxVoidCount || MAX_VOID_COUNT;
+    let resolverFunc = async (domain, type) => {
         // do not allow to make more that MAX_RESOLVE_COUNT DNS requests per SPF check
-        resolveCount++;
+        if (firstCounted) {
+            resolveCount++;
+        } else {
+            firstCounted = true;
+        }
         if (resolveCount > maxResolveCount) {
             let error = new Error('Too many DNS requests');
@@ -65,8 +67,17 @@ let limitedResolver = (resolver, maxResolveCount) => {
         } catch (err) {
             switch (err.code) {
                 case 'ENOTFOUND':
-                case 'ENODATA':
+                case 'ENODATA': {
+                    voidCount++;
+                    if (voidCount > maxVoidCount) {
+                        err.spfResult = {
+                            error: 'permerror',
+                            text: 'Too many void DNS results'
+                        };
+                        throw err;
+                    }
                     return [];
+                }
                 case 'ETIMEOUT':
                     err.spfResult = {
@@ -80,6 +91,21 @@ let limitedResolver = (resolver, maxResolveCount) => {
             }
         }
     };
+    resolverFunc.updateSubQueries = (type, count) => {
+        if (!subResolveCounts[type]) {
+            subResolveCounts[type] = count;
+        } else {
+            subResolveCounts[type] += count;
+        }
+    };
+    resolverFunc.getResolveCount = () => resolveCount;
+    resolverFunc.getResolveLimit = () => maxResolveCount;
+    resolverFunc.getSubResolveCounts = () => subResolveCounts;
+    resolverFunc.getVoidCount = () => voidCount;
+    return resolverFunc;
 };
 /**
@@ -89,10 +115,11 @@ let limitedResolver = (resolver, maxResolveCount) => {
  * @param {String} opts.ip Client IP address
  * @param {String} opts.helo Client EHLO/HELO hostname
  * @param {String} [opts.mta] Hostname of the MTA or MX server that processes the message
- * @param {String} [opts.maxResolveCount=50] Maximum DNS lookups allowed
+ * @param {String} [opts.maxResolveCount=10] Maximum DNS lookups allowed
+ * @param {String} [opts.maxVoidCount=2] Maximum empty DNS lookups allowed
  */
 const verify = async opts => {
-    let { sender, ip, helo, mta, maxResolveCount, resolver } = opts || {};
+    let { sender, ip, helo, mta, maxResolveCount, maxVoidCount, resolver } = opts || {};
     mta = mta || os.hostname();
@@ -125,7 +152,7 @@ const verify = async opts => {
         }
     };
-    let verifyResolver = limitedResolver(resolver, maxResolveCount);
+    let verifyResolver = limitedResolver(resolver, maxResolveCount, maxVoidCount, true);
     let result;
     try {
@@ -146,7 +173,10 @@ const verify = async opts => {
             helo,
             // generate DNS handler
-            resolver: verifyResolver
+            resolver: verifyResolver,
+            // allow to create sub resolvers
+            createSubResolver: () => limitedResolver(resolver, maxResolveCount, maxVoidCount)
         });
     } catch (err) {
         if (err.spfResult) {
@@ -161,8 +191,10 @@ const verify = async opts => {
     if (result && typeof result === 'object') {
         result.lookups = {
-            limit: await verifyResolver(false, 'resolveLimit'),
-            count: await verifyResolver(false, 'resolveCount')
+            limit: verifyResolver.getResolveLimit(),
+            count: verifyResolver.getResolveCount(),
+            void: verifyResolver.getVoidCount(),
+            subqueries: verifyResolver.getSubResolveCounts()
         };
     }

package/lib/spf/spf-verify.js CHANGED Viewed

@@ -5,6 +5,9 @@ const net = require('net');
 const macro = require('./macro');
 const dns = require('dns').promises;
 const ipaddr = require('ipaddr.js');
+const { getPtrHostname, formatDomain } = require('../tools');
+const LIMIT_PTR_RESOLVE_RECORDS = 10;
 const matchIp = (addr, range) => {
     if (/\/\d+$/.test(range)) {
@@ -357,18 +360,27 @@ const spfVerify = async (domain, opts) => {
                         let mxList = await resolver(mxDomain, 'MX');
                         if (mxList) {
-                            mxList = mxList.sort((a, b) => a.priority - b.priority);
-                            for (let mx of mxList) {
-                                if (mx.exchange) {
-                                    let responses = await resolver(mx.exchange, net.isIPv6(opts.ip) ? 'AAAA' : 'A');
-                                    if (responses) {
-                                        for (let a of responses) {
-                                            if (matchIp(addr, a + cidr)) {
-                                                return { type, val: mx.exchange, qualifier };
+                            // MX resolver has separate counter
+                            let subResolver = typeof opts.createSubResolver === 'function' ? opts.createSubResolver() : resolver;
+                            try {
+                                mxList = mxList.sort((a, b) => a.priority - b.priority);
+                                for (let mx of mxList) {
+                                    if (mx.exchange) {
+                                        let responses = await subResolver(mx.exchange, net.isIPv6(opts.ip) ? 'AAAA' : 'A');
+                                        if (responses) {
+                                            for (let a of responses) {
+                                                if (matchIp(addr, a + cidr)) {
+                                                    return { type, val: mx.exchange, qualifier };
+                                                }
                                             }
                                         }
                                     }
                                 }
+                            } finally {
+                                if (typeof resolver.updateSubQueries === 'function') {
+                                    resolver.updateSubQueries('mx', subResolver.getResolveCount());
+                                    resolver.updateSubQueries('mx:void', subResolver.getVoidCount());
+                                }
                             }
                         }
                     }
@@ -391,7 +403,73 @@ const spfVerify = async (domain, opts) => {
                     break;
                 case 'ptr':
-                    // ignore, not supported
+                    {
+                        let { cidr4, cidr6 } = parseCidrValue(val, false, type);
+                        if (cidr4 || cidr6) {
+                            let err = new Error('SPF failure');
+                            err.spfResult = { error: 'permerror', text: `invalid domain-spec definition: ${val}` };
+                            throw err;
+                        }
+                        let ptrDomain;
+                        if (val) {
+                            ptrDomain = macro(val, opts);
+                        } else {
+                            ptrDomain = macro('%{d}', opts);
+                        }
+                        ptrDomain = formatDomain(ptrDomain);
+                        // Step 1. Resolve PTR hostnames
+                        let ptrValues;
+                        if (opts._resolvedPtr) {
+                            ptrValues = opts._resolvedPtr;
+                        } else {
+                            let responses = await resolver(getPtrHostname(addr), 'PTR');
+                            opts._resolvedPtr = ptrValues = responses && responses.length ? responses : [];
+                        }
+                        // PTR resolver has separate counter
+                        let subResolver = typeof opts.createSubResolver === 'function' ? opts.createSubResolver() : resolver;
+                        let resolvers = [];
+                        for (let ptrValue of ptrValues) {
+                            if (resolvers.length < LIMIT_PTR_RESOLVE_RECORDS) {
+                                // resolve up to 10 PTR A/AAAA records
+                                // https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4
+                                resolvers.push(subResolver(ptrValue, net.isIPv6(opts.ip) ? 'AAAA' : 'A'));
+                            }
+                        }
+                        // Step 2. Validate PTR hostnames by reverse resolving these
+                        let validatedPtrRecords = [];
+                        let results = await Promise.allSettled(resolvers);
+                        if (typeof resolver.updateSubQueries === 'function') {
+                            resolver.updateSubQueries('ptr', subResolver.getResolveCount());
+                            resolver.updateSubQueries('ptr:void', subResolver.getVoidCount());
+                        }
+                        for (let i = 0; i < results.length; i++) {
+                            let result = results[i];
+                            let ptrHostname = ptrValues[i];
+                            if (
+                                result.status === 'fulfilled' &&
+                                Array.isArray(result.value) &&
+                                result.value.map(val => ipaddr.parse(val).toNormalizedString()).includes(addr.toNormalizedString())
+                            ) {
+                                validatedPtrRecords.push(ptrHostname);
+                            }
+                        }
+                        // Step 3. Check subdomain alignment
+                        for (let ptrRecord of validatedPtrRecords) {
+                            let formattedPtrRecord = formatDomain(ptrRecord);
+                            if (formattedPtrRecord === ptrDomain || formattedPtrRecord.substr(-(ptrDomain.length + 1)) === `.${ptrDomain}`) {
+                                return { type, val: ptrRecord, qualifier };
+                            }
+                        }
+                    }
                     break;
             }
         }

package/lib/tools.js CHANGED Viewed

@@ -470,6 +470,21 @@ const validateAlgorithm = (algorithm, strict) => {
     }
 };
+const getPtrHostname = parsedAddr => {
+    let bytes = parsedAddr.toByteArray();
+    if (bytes.length === 4) {
+        return `${bytes
+            .map(a => a.toString(10))
+            .reverse()
+            .join('.')}.in-addr.arpa`;
+    } else {
+        return `${bytes
+            .flatMap(a => a.toString(16).padStart(2, '0').split(''))
+            .reverse()
+            .join('.')}.ip6.arpa`;
+    }
+};
 module.exports = {
     writeToStream,
     parseHeaders,
@@ -491,5 +506,7 @@ module.exports = {
     getAlignment,
     formatRelaxedLine,
-    formatDomain
+    formatDomain,
+    getPtrHostname
 };

package/licenses.txt CHANGED Viewed

@@ -1,12 +1,12 @@
-name            license type               link                                                       installed version  author
-----            ------------               ----                                                       -----------------  ------
-@fidm/x509      MIT                        git+ssh://git@github.com/fidm/x509.git                     1.2.1
-@postalsys/vmc  MIT                        https://registry.npmjs.org/@postalsys/vmc/-/vmc-1.0.1.tgz  1.0.1              Postal Systems OÜ
-ipaddr.js       MIT                        git://github.com/whitequark/ipaddr.js.git                  2.0.1              whitequark whitequark@whitequark.org
-joi             BSD-3-Clause               git://github.com/sideway/joi.git                           17.6.0
-libmime         MIT                        git://github.com/andris9/libmime.git                       5.1.0              Andris Reinman andris@kreata.ee
-node-forge      (BSD-3-Clause OR GPL-2.0)  git+https://github.com/digitalbazaar/forge.git             1.3.1              Digital Bazaar, Inc. support@digitalbazaar.com http://digitalbazaar.com/
-nodemailer      MIT                        git+https://github.com/nodemailer/nodemailer.git           6.7.7              Andris Reinman
-psl             MIT                        git+ssh://git@github.com/lupomontero/psl.git               1.9.0              Lupo Montero lupomontero@gmail.com https://lupomontero.com/
-punycode        MIT                        git+https://github.com/bestiejs/punycode.js.git            2.1.1              Mathias Bynens https://mathiasbynens.be/
-yargs           MIT                        git+https://github.com/yargs/yargs.git                     17.5.1
+name             license type               link                                                            installed version  author
+----             ------------               ----                                                            -----------------  ------
+@postalsys/vmc   MIT                        https://registry.npmjs.org/@postalsys/vmc/-/vmc-1.0.5.tgz       1.0.5              Postal Systems OÜ
+fast-xml-parser  MIT                        git+https://github.com/NaturalIntelligence/fast-xml-parser.git  4.0.9              Amit Gupta (https://amitkumargupta.work/)
+ipaddr.js        MIT                        git://github.com/whitequark/ipaddr.js.git                       2.0.1              whitequark <whitequark@whitequark.org>
+joi              BSD-3-Clause               git://github.com/sideway/joi.git                                17.6.0             n/a
+libmime          MIT                        git://github.com/andris9/libmime.git                            5.1.0              Andris Reinman <andris@kreata.ee>
+node-forge       (BSD-3-Clause OR GPL-2.0)  git+https://github.com/digitalbazaar/forge.git                  1.3.1              Digital Bazaar, Inc. support@digitalbazaar.com http://digitalbazaar.com/
+nodemailer       MIT                        git+https://github.com/nodemailer/nodemailer.git                6.7.7              Andris Reinman
+psl              MIT                        git+ssh://git@github.com/lupomontero/psl.git                    1.9.0              Lupo Montero <lupomontero@gmail.com> (https://lupomontero.com/)
+punycode         MIT                        git+https://github.com/bestiejs/punycode.js.git                 2.1.1              Mathias Bynens https://mathiasbynens.be/
+yargs            MIT                        git+https://github.com/yargs/yargs.git                          17.5.1             n/a

package/man/mailauth.1 CHANGED Viewed

@@ -1,4 +1,4 @@
-.TH "MAILAUTH" "1" "July 2022" "v3.0.0" "Mailauth Help"
+.TH "MAILAUTH" "1" "July 2022" "v3.0.3" "Mailauth Help"
 .SH "NAME"
 \fBmailauth\fR
 .QP

package/man/man.md CHANGED Viewed

@@ -103,7 +103,10 @@ content is read from standard input.
     Return signing headers only. By default, the entire message is printed to the console. (`sign`, `seal`, `spf`)
 -   `--max-lookups`, `-x`
-    How many DNS lookups allowed for SPF validation. Defaults to 50. (`report`, `spf`)
+    How many DNS lookups allowed for SPF validation. Defaults to 10. (`report`, `spf`)
+-   `--max-void-lookups`, `-z`
+    How many empty DNS lookups allowed for SPF validation. Defaults to 2. (`report`, `spf`)
 ## DNS CACHE

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "mailauth",
-    "version": "3.0.1",
+    "version": "4.0.0",
     "description": "Email authentication library for Node.js",
     "main": "lib/mailauth.js",
     "scripts": {
@@ -33,19 +33,20 @@
     "homepage": "https://github.com/postalsys/mailauth",
     "devDependencies": {
         "chai": "4.3.6",
-        "eslint": "8.19.0",
+        "eslint": "8.20.0",
         "eslint-config-nodemailer": "1.2.0",
         "eslint-config-prettier": "8.5.0",
         "js-yaml": "4.1.0",
-        "license-report": "5.0.2",
+        "license-report": "6.0.0",
         "marked": "0.7.0",
         "marked-man": "0.7.0",
         "mbox-reader": "1.1.5",
         "mocha": "10.0.0",
-        "pkg": "5.7.0"
+        "pkg": "5.8.0"
     },
     "dependencies": {
-        "@postalsys/vmc": "1.0.3",
+        "@postalsys/vmc": "1.0.5",
+        "fast-xml-parser": "4.0.9",
         "ipaddr.js": "2.0.1",
         "joi": "17.6.0",
         "libmime": "5.1.0",