nodemailer 6.6.0 → 6.6.4

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # CHANGELOG
 
+## 6.6.4 2021-09-22
+
+-   Better compatibility with IPv6-only SMTP hosts (oxzi)
+-   Fix ses verify for sdk v3 (hannesvdvreken)
+-   Added SECURITY.txt for contact info
+
+## 6.6.3 2021-07-14
+
+-   Do not show passwords in SMTP transaction logs. All passwords used in logging are replaced by `"/* secret */"`
+
+## 6.6.1 2021-05-23
+
+-   Fixed address formatting issue where newlines in an email address, if provided via address object, were not properly removed. Reported by tmazeika (#1289)
+
 ## 6.6.0 2021-04-28
 
 -   Added new option `newline` for MailComposer

package/README.md

@@ -2,8 +2,6 @@
 
 [![Nodemailer](https://raw.githubusercontent.com/nodemailer/nodemailer/master/assets/nm_logo_200x136.png)](https://nodemailer.com/about/)
 
-> Sponsored by [Forward Email](https://forwardemail.net/?ref=nodemailer) – free email forwarding + custom domains + 100% open-source!
-
 Send e-mails from Node.js – easy as cake! 🍰✉️
 
 [![NPM](https://nodei.co/npm/nodemailer.png?downloads=true&downloadRank=true&stars=true)](https://nodemailer.com/about/)
@@ -30,8 +28,8 @@ Check your firewall settings. Timeout usually occurs when you try to open a conn
 
 #### I get TLS errors
 
-* If you are running the code in your own machine, then check your antivirus settings. Antiviruses often mess around with email ports usage. Node.js might not recognize the MITM cert your antivirus is using.
-* Latest Node versions allow only TLS versions 1.2 and higher, some servers might still use TLS 1.1 or lower. Check Node.js docs how to get correct TLS support for your app.
+-   If you are running the code in your own machine, then check your antivirus settings. Antiviruses often mess around with email ports usage. Node.js might not recognize the MITM cert your antivirus is using.
+-   Latest Node versions allow only TLS versions 1.2 and higher, some servers might still use TLS 1.1 or lower. Check Node.js docs how to get correct TLS support for your app.
 
 #### I have a different problem
 

package/SECURITY.txt

@@ -0,0 +1,22 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+Contact: mailto:andris@reinman.eu
+Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/5D952A46E1D8C931F6364E01DC6C83F4D584D364
+Preferred-Languages: en, et
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCAAdFiEEXZUqRuHYyTH2Nk4B3GyD9NWE02QFAmFDnUgACgkQ3GyD9NWE
+02RqUA/+MM3afmRYq874C7wp+uN6dTMCvUX5g5zqBZ2yKpFr46L+PYvM7o8TMm5h
+hmLT2I1zZmi+xezOL3zHFizaw0tKkZIz9cWl3Jrgs0FLp0zOsSz1xucp9Q2tYM/Q
+vbiP6ys0gbim4tkDGRmZOEiO23s0BuRnmHt7vZg210O+D105Yd8/Ohzbj6PSLBO5
+W1tA7Xw5t0FQ14NNH5+MKyDIKoCX12n0FmrC6qLTXeojf291UgKhCUPda3LIGTmx
+mTXz0y68149Mw+JikRCYP8HfGRY9eA4XZrYXF7Bl2T9OJpKD3JAH+69P3xBw19Gn
+Csaw3twu8P1bxoVGjY4KRrBOp68W8TwZYjWVWbqY6oV8hb/JfrMxa+kaSxRuloFs
+oL6+phrDSPTWdOj2LlEDBJbPOMeDFzIlsBBcJ/JHCEHTvlHl7LoWr3YuWce9PUwl
+4r3JUovvaeuJxLgC0vu3WCB3Jeocsl3SreqNkrVc1IjvkSomn3YGm5nCNAd/2F0V
+exCGRk/8wbkSjAY38GwQ8K/VuFsefWN3L9sVwIMAMu88KFCAN+GzVFiwvyIXehF5
+eogP9mIXzdQ5YReQjUjApOzGz54XnDyv9RJ3sdvMHosLP+IOg+0q5t9agWv6aqSR
+2HzCpiQnH/gmM5NS0AU4Koq/L7IBeLu1B8+61/+BiHgZJJmPdgU=
+=BUZr
+-----END PGP SIGNATURE-----

package/lib/mime-node/index.js

@@ -1147,9 +1147,9 @@ class MimeNode {
                 address.address = this._normalizeAddress(address.address);
 
                 if (!address.name) {
-                    values.push(address.address);
+                    values.push(address.address.indexOf(' ') >= 0 ? `<${address.address}>` : `${address.address}`);
                 } else if (address.name) {
-                    values.push(this._encodeAddressName(address.name) + ' <' + address.address + '>');
+                    values.push(`${this._encodeAddressName(address.name)} <${address.address}>`);
                 }
 
                 if (address.address) {
@@ -1158,9 +1158,8 @@ class MimeNode {
                     }
                 }
             } else if (address.group) {
-                values.push(
-                    this._encodeAddressName(address.name) + ':' + (address.group.length ? this._convertAddresses(address.group, uniqueList) : '').trim() + ';'
-                );
+                let groupListAddresses = (address.group.length ? this._convertAddresses(address.group, uniqueList) : '').trim();
+                values.push(`${this._encodeAddressName(address.name)}:${groupListAddresses};`);
             }
         });
 
@@ -1174,13 +1173,17 @@ class MimeNode {
      * @return {String} address string
      */
     _normalizeAddress(address) {
-        address = (address || '').toString().trim();
+        address = (address || '')
+            .toString()
+            .replace(/[\x00-\x1F<>]+/g, ' ') // remove unallowed characters
+            .trim();
 
         let lastAt = address.lastIndexOf('@');
         if (lastAt < 0) {
             // Bare username
             return address;
         }
+
         let user = address.substr(0, lastAt);
         let domain = address.substr(lastAt + 1);
 
@@ -1189,7 +1192,24 @@ class MimeNode {
         // 'jõgeva.ee' will be converted to 'xn--jgeva-dua.ee'
         // non-unicode domains are left as is
 
-        return user + '@' + punycode.toASCII(domain.toLowerCase());
+        let encodedDomain;
+
+        try {
+            encodedDomain = punycode.toASCII(domain.toLowerCase());
+        } catch (err) {
+            // keep as is?
+        }
+
+        if (user.indexOf(' ') >= 0) {
+            if (user.charAt(0) !== '"') {
+                user = '"' + user;
+            }
+            if (user.substr(-1) !== '"') {
+                user = user + '"';
+            }
+        }
+
+        return `${user}@${encodedDomain}`;
     }
 
     /**

package/lib/ses-transport/index.js

@@ -321,7 +321,7 @@ class SESTransport extends EventEmitter {
             Destinations: ['invalid@invalid']
         };
         const cb = err => {
-            if (err && err.code !== 'InvalidParameterValue') {
+            if (err && (err.code || err.Code) !== 'InvalidParameterValue') {
                 return callback(err);
             }
             return callback(null, true);
@@ -335,6 +335,7 @@ class SESTransport extends EventEmitter {
 
         if (typeof ses.send === 'function' && aws.SendRawEmailCommand) {
             // v3 API
+            sesMessage.RawMessage.Data = Buffer.from(sesMessage.RawMessage.Data);
             ses.send(new aws.SendRawEmailCommand(sesMessage), cb);
         } else {
             // v2 API

package/lib/shared/index.js

@@ -8,10 +8,21 @@ const fs = require('fs');
 const fetch = require('../fetch');
 const dns = require('dns');
 const net = require('net');
+const os = require('os');
 
 const DNS_TTL = 5 * 60 * 1000;
 
 const resolver = (family, hostname, callback) => {
+    const familySupported = Object.values(os.networkInterfaces()).
+        flat().
+        filter(i => !i.internal).
+        filter(i => i.family === 'IPv' + family).
+        length > 0;
+
+    if (!familySupported) {
+        return callback(null, []);
+    }
+
     dns['resolve' + family](hostname, (err, addresses) => {
         if (err) {
             switch (err.code) {

package/lib/smtp-connection/index.js

@@ -548,6 +548,16 @@ class SMTPConnection extends EventEmitter {
                                 '\u0000' +
                                 this._auth.credentials.pass,
                             'utf-8'
+                        ).toString('base64'),
+                    // log entry without passwords
+                    'AUTH PLAIN ' +
+                        Buffer.from(
+                            //this._auth.user+'\u0000'+
+                            '\u0000' + // skip authorization identity as it causes problems with some servers
+                                this._auth.credentials.user +
+                                '\u0000' +
+                                '/* secret */',
+                            'utf-8'
                         ).toString('base64')
                 );
                 return;
@@ -873,16 +883,21 @@ class SMTPConnection extends EventEmitter {
         });
 
         this.upgrading = true;
-        this._socket = tls.connect(opts, () => {
-            this.secure = true;
-            this.upgrading = false;
-            this._socket.on('data', this._onSocketData);
+        // tls.connect is not an asynchronous function however it may still throw errors and requires to be wrapped with try/catch
+        try {
+            this._socket = tls.connect(opts, () => {
+                this.secure = true;
+                this.upgrading = false;
+                this._socket.on('data', this._onSocketData);
 
-            socketPlain.removeListener('close', this._onSocketClose);
-            socketPlain.removeListener('end', this._onSocketEnd);
+                socketPlain.removeListener('close', this._onSocketClose);
+                socketPlain.removeListener('end', this._onSocketEnd);
 
-            return callback(null, true);
-        });
+                return callback(null, true);
+            });
+        } catch (err) {
+            return callback(err);
+        }
 
         this._socket.on('error', this._onSocketError);
         this._socket.once('close', this._onSocketClose);
@@ -940,8 +955,9 @@ class SMTPConnection extends EventEmitter {
      * Send a command to the server, append \r\n
      *
      * @param {String} str String to be sent to the server
+     * @param {String} logStr Optional string to be used for logging instead of the actual string
      */
-    _sendCommand(str) {
+    _sendCommand(str, logStr) {
         if (this._destroyed) {
             // Connection already closed, can't send any more data
             return;
@@ -956,7 +972,7 @@ class SMTPConnection extends EventEmitter {
                 {
                     tnx: 'client'
                 },
-                (str || '').toString().replace(/\r?\n$/, '')
+                (logStr || str || '').toString().replace(/\r?\n$/, '')
             );
         }
 
@@ -1415,18 +1431,21 @@ class SMTPConnection extends EventEmitter {
 
         // Decode from base64
         let base64decoded = Buffer.from(challengeString, 'base64').toString('ascii'),
-            hmac_md5 = crypto.createHmac('md5', this._auth.credentials.pass);
+            hmacMD5 = crypto.createHmac('md5', this._auth.credentials.pass);
 
-        hmac_md5.update(base64decoded);
+        hmacMD5.update(base64decoded);
 
-        let hex_hmac = hmac_md5.digest('hex');
-        let prepended = this._auth.credentials.user + ' ' + hex_hmac;
+        let prepended = this._auth.credentials.user + ' ' + hmacMD5.digest('hex');
 
         this._responseActions.push(str => {
             this._actionAUTH_CRAM_MD5_PASS(str, callback);
         });
 
-        this._sendCommand(Buffer.from(prepended).toString('base64'));
+        this._sendCommand(
+            Buffer.from(prepended).toString('base64'),
+            // hidden hash for logs
+            Buffer.from(this._auth.credentials.user + ' /* secret */').toString('base64')
+        );
     }
 
     /**
@@ -1471,7 +1490,11 @@ class SMTPConnection extends EventEmitter {
             this._actionAUTHComplete(str, callback);
         });
 
-        this._sendCommand(Buffer.from(this._auth.credentials.pass + '', 'utf-8').toString('base64'));
+        this._sendCommand(
+            Buffer.from((this._auth.credentials.pass || '').toString(), 'utf-8').toString('base64'),
+            // Hidden pass for logs
+            Buffer.from('/* secret */', 'utf-8').toString('base64')
+        );
     }
 
     /**
@@ -1701,7 +1724,11 @@ class SMTPConnection extends EventEmitter {
             this._responseActions.push(str => {
                 this._actionAUTHComplete(str, isRetry, callback);
             });
-            this._sendCommand('AUTH XOAUTH2 ' + this._auth.oauth2.buildXOAuth2Token(accessToken));
+            this._sendCommand(
+                'AUTH XOAUTH2 ' + this._auth.oauth2.buildXOAuth2Token(accessToken),
+                //  Hidden for logs
+                'AUTH XOAUTH2 ' + this._auth.oauth2.buildXOAuth2Token('/* secret */')
+            );
         });
     }
 

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "nodemailer",
-    "version": "6.6.0",
+    "version": "6.6.4",
     "description": "Easy as cake e-mail sending from your Node.js applications",
     "main": "lib/nodemailer.js",
     "scripts": {
@@ -20,23 +20,25 @@
     },
     "homepage": "https://nodemailer.com/",
     "devDependencies": {
+        "@aws-sdk/client-ses": "3.33.0",
+        "aws-sdk": "2.993.0",
         "bunyan": "1.8.15",
         "chai": "4.3.4",
         "eslint-config-nodemailer": "1.2.0",
         "eslint-config-prettier": "8.3.0",
-        "grunt": "1.4.0",
-        "grunt-cli": "1.4.2",
+        "grunt": "1.4.1",
+        "grunt-cli": "1.4.3",
         "grunt-eslint": "23.0.0",
         "grunt-mocha-test": "0.13.3",
         "libbase64": "1.2.1",
         "libmime": "5.0.0",
         "libqp": "1.1.0",
-        "mocha": "8.3.2",
+        "mocha": "9.1.1",
         "nodemailer-ntlm-auth": "1.0.1",
         "proxy": "1.0.2",
         "proxy-test-server": "1.0.0",
-        "sinon": "10.0.0",
-        "smtp-server": "3.8.0"
+        "sinon": "11.1.2",
+        "smtp-server": "3.9.0"
     },
     "engines": {
         "node": ">=6.0.0"