Merge branch 'master' of https://github.com/haraka/Haraka

Author: smfreegard

connection.js

@@ -1344,7 +1344,7 @@ Connection.prototype.received_line = function() {
             ' cipher=' + this.notes.tls.cipher.name +
             ' verify=' + ((this.notes.tls.authorized) ? 'OK' :
             ((this.notes.tls.authorizationError &&
-              this.notes.tls.authorizationError.message === 'UNABLE_TO_GET_ISSUER_CERT') ? 'NO' : 'FAIL')) + ')';
+              this.notes.tls.authorizationError.code === 'UNABLE_TO_GET_ISSUER_CERT') ? 'NO' : 'FAIL')) + ')';
     }
     return [
         'from ',

docs/plugins/bounce.md

@@ -38,6 +38,11 @@ for mail servers at domains with frequent spoofing and few or no human users.
 Valid bounces have a single recipient. Assure that the message really is a
 bounce by enforcing bounces to be addressed to a single recipient.
 
+This check is skipped for relays or hosts with a private IP, this is because
+Microsoft Exchange distribution lists will send messages to list members with
+a null return-path when the 'Do not send delivery reports' option is enabled
+(yes, really...).
+
 ### empty\_return\_path
 
 Valid bounces should have an empty return path. Test for the presence of the

mailheader.js

@@ -231,6 +231,11 @@ Header.prototype._add_header_decode = function (key, value, method) {
 Header.prototype.add = function (key, value) {
     if (!key) key = 'X-Haraka-Blank';
     value = value.replace(/(\r?\n)*$/, '');
+    if (/[^\x00-\x7f]/.test(value)) {
+        // Need to QP encode this header value and assume UTF-8
+        value = '=?UTF-8?q?' + utils.encode_qp(value) + '?=';
+        value = value.replace(/\n/g, '\n '); // turn wraps into continuations
+    }
     this._add_header(key.toLowerCase(), value, "unshift");
     this._add_header_decode(key.toLowerCase(), value, "unshift");
     this.header_list.unshift(key + ': ' + value + '\n');
@@ -239,6 +244,11 @@ Header.prototype.add = function (key, value) {
 Header.prototype.add_end = function (key, value) {
     if (!key) key = 'X-Haraka-Blank';
     value = value.replace(/(\r?\n)*$/, '');
+    if (/[^\x00-\x7f]/.test(value)) {
+        // Need to QP encode this header value and assume UTF-8
+        value = '=?UTF-8?q?' + utils.encode_qp(value) + '?=';
+        value = value.replace(/\n/g, ' \n'); // turn wraps into continuations
+    }
     this._add_header(key.toLowerCase(), value, "push");
     this._add_header_decode(key.toLowerCase(), value, "push");
     this.header_list.push(key + ': ' + value + '\n');

plugins/auth/auth_proxy.js

@@ -88,127 +88,128 @@ exports.try_auth_proxy = function (connection, hosts, user, passwd, cb) {
         response = [];
     };
     socket.on('line', function (line) {
-        var matches;
         connection.logprotocol(self, "S: " + line);
-        if (matches = smtp_regexp.exec(line)) {
-            var code = matches[1];
-            var cont = matches[2];
-            var rest = matches[3];
-            response.push(rest);
-            if (cont === ' ') {
-                connection.logdebug(self, 'command state: ' + command);
-                if (command === 'ehlo') {
-                    if (code.match(/^5/)) {
-                        // EHLO command rejected; we have to abort
-                        socket.send_command('QUIT');
+        var matches = smtp_regexp.exec(line);
+        if (!matches) return;
+
+        var code = matches[1];
+        var cont = matches[2];
+        var rest = matches[3];
+        response.push(rest);
+
+        if (cont !== ' ') {
+            // Unrecognised response.
+            connection.logerror(self, "unrecognised response: " + line);
+            socket.end();
+            return;
+        }
+
+        connection.logdebug(self, 'command state: ' + command);
+        if (command === 'ehlo') {
+            if (code[0] === '5') {
+                // EHLO command rejected; abort
+                socket.send_command('QUIT');
+                return;
+            }
+            // Parse CAPABILITIES
+            var i;
+            for (i in response) {
+                if (/^STARTTLS/.test(response[i])) {
+                    if (secure) continue;    // silly remote, we've already upgraded
+                    var key = self.config.get('tls_key.pem', 'binary');
+                    var cert = self.config.get('tls_cert.pem', 'binary');
+                    // Use TLS opportunistically if we found the key and certificate
+                    if (key && cert) {
+                        this.on('secure', function () {
+                            secure = true;
+                            socket.send_command('EHLO', self.config.get('me'));
+                        });
+                        socket.send_command('STARTTLS');
                         return;
                     }
-                    // Parse CAPABILITIES
-                    var i;
-                    for (i in response) {
-                        if (!secure && response[i].match(/^STARTTLS/)) {
-                            var key = self.config.get('tls_key.pem', 'binary');
-                            var cert = self.config.get('tls_cert.pem', 'binary');
-                            // Use TLS opportunistically if we found the key and certificate
-                            if (key && cert) {
-                                this.on('secure', function () {
-                                    secure = true;
-                                    socket.send_command('EHLO', self.config.get('me'));
-                                });
-                                socket.send_command('STARTTLS');
-                                return;
-                            }
-                        }
-                        else if (response[i].match(/^AUTH /)) {
-                            // Parse supported AUTH methods
-                            var parse = /^AUTH (.+)$/.exec(response[i]);
-                            methods = parse[1].split(/\s+/);
-                            connection.logdebug(self, 'found supported AUTH methods: ' + methods);
-                            // Prefer PLAIN as it's easiest
-                            if (methods.indexOf('PLAIN') !== -1) {
-                                socket.send_command('AUTH','PLAIN ' + utils.base64("\0" + user + "\0" + passwd));
-                                return;
-                            }
-                            else if (methods.indexOf('LOGIN') !== -1) {
-                                socket.send_command('AUTH','LOGIN');
-                                return;
-                            }
-                            else {
-                                // No compatible methods; abort...
-                                connection.logdebug(self, 'no compatible AUTH methods');
-                                socket.send_command('QUIT');
-                                return;
-                            }
-                        }
-                    }
                 }
-                if (command === 'auth') {
-                    // Handle LOGIN
-                    if (code[0] === '3' && response[0] === 'VXNlcm5hbWU6') {
-                        // Write to the socket directly to keep the state at 'auth'
-                        this.write(utils.base64(user) + "\r\n");
-                        response = [];
+                else if (/^AUTH /.test(response[i])) {
+                    // Parse supported AUTH methods
+                    var parse = /^AUTH (.+)$/.exec(response[i]);
+                    methods = parse[1].split(/\s+/);
+                    connection.logdebug(self, 'found supported AUTH methods: ' + methods);
+                    // Prefer PLAIN as it's easiest
+                    if (methods.indexOf('PLAIN') !== -1) {
+                        socket.send_command('AUTH','PLAIN ' + utils.base64("\0" + user + "\0" + passwd));
                         return;
                     }
-                    else if (code[0] === '3' && response[0] === 'UGFzc3dvcmQ6') {
-                        this.write(utils.base64(passwd) + "\r\n");
-                        response = [];
+                    else if (methods.indexOf('LOGIN') !== -1) {
+                        socket.send_command('AUTH','LOGIN');
                         return;
                     }
-                    if (code[0] === '5') {
-                        // Initial attempt failed; strip domain and retry.
-                        var u;
-                        if ((u = /^([^@]+)@.+$/.exec(user))) {
-                            user = u[1];
-                            if (methods.indexOf('PLAIN') !== -1) {
-                                socket.send_command('AUTH', 'PLAIN ' + utils.base64("\0" + user + "\0" + passwd));
-                            }
-                            else if (methods.indexOf('LOGIN') !== -1) {
-                                socket.send_command('AUTH', 'LOGIN');
-                            }
-                            return;
-                        }
-                        else {
-                            // Don't attempt any other hosts
-                            auth_complete = true;
-                        }
+                    else {
+                        // No compatible methods; abort...
+                        connection.logdebug(self, 'no compatible AUTH methods');
+                        socket.send_command('QUIT');
+                        return;
                     }
                 }
-                if (/^[345]/.test(code)) {
-                    // Got an unhandled error
-                    connection.logdebug(self, 'error: ' + line);
-                    socket.send_command('QUIT');
+            }
+        }
+        if (command === 'auth') {
+            // Handle LOGIN
+            if (code[0] === '3' && response[0] === 'VXNlcm5hbWU6') {
+                // Write to the socket directly to keep the state at 'auth'
+                this.write(utils.base64(user) + "\r\n");
+                response = [];
+                return;
+            }
+            else if (code[0] === '3' && response[0] === 'UGFzc3dvcmQ6') {
+                this.write(utils.base64(passwd) + "\r\n");
+                response = [];
+                return;
+            }
+            if (code[0] === '5') {
+                // Initial attempt failed; strip domain and retry.
+                var u;
+                if ((u = /^([^@]+)@.+$/.exec(user))) {
+                    user = u[1];
+                    if (methods.indexOf('PLAIN') !== -1) {
+                        socket.send_command('AUTH', 'PLAIN ' + utils.base64("\0" + user + "\0" + passwd));
+                    }
+                    else if (methods.indexOf('LOGIN') !== -1) {
+                        socket.send_command('AUTH', 'LOGIN');
+                    }
                     return;
                 }
-                switch (command) {
-                    case 'starttls':
-                        var tls_options = { key: key, cert: cert };
-                        this.upgrade(tls_options);
-                        break;
-                    case 'connect':
-                        socket.send_command('EHLO', self.config.get('me'));
-                        break;
-                    case 'auth':
-                        // AUTH was successful
-                        auth_complete = true;
-                        auth_success = true;
-                        socket.send_command('QUIT');
-                        break;
-                    case 'ehlo':
-                    case 'helo':
-                    case 'quit':
-                        socket.end();
-                        break;
-                    default:
-                        throw new Error("[auth/auth_proxy] unknown command: " + command);
+                else {
+                    // Don't attempt any other hosts
+                    auth_complete = true;
                 }
             }
         }
-        else {
-            // Unrecognised response.
-            connection.logerror(self, "unrecognised response: " + line);
-            socket.end();
+        if (/^[345]/.test(code)) {
+            // Got an unhandled error
+            connection.logdebug(self, 'error: ' + line);
+            socket.send_command('QUIT');
             return;
         }
+        switch (command) {
+            case 'starttls':
+                var tls_options = { key: key, cert: cert };
+                this.upgrade(tls_options);
+                break;
+            case 'connect':
+                socket.send_command('EHLO', self.config.get('me'));
+                break;
+            case 'auth':
+                // AUTH was successful
+                auth_complete = true;
+                auth_success = true;
+                socket.send_command('QUIT');
+                break;
+            case 'ehlo':
+            case 'helo':
+            case 'quit':
+                socket.end();
+                break;
+            default:
+                throw new Error("[auth/auth_proxy] unknown command: " + command);
+        }
     });
 };

plugins/bounce.js

@@ -100,6 +100,22 @@ exports.single_recipient = function(next, connection) {
         return next();
     }
 
+    // Skip this check for relays or private_ips
+    // This is because Microsoft Exchange will send mail
+    // to distribution groups using the null-sender if
+    // the option 'Do not send delivery reports' is
+    // checked (not sure if this is default or not)
+    if (connection.relaying) {
+        transaction.results.add(plugin,
+                {skip: 'single_recipient(relay)', emit: true });
+        return next();
+    }
+    if (net_utils.is_private_ip(connection.remote_ip)) {
+        transaction.results.add(plugin,
+                {skip: 'single_recipient(private_ip)', emit: true });
+        return next();
+    }
+
     connection.loginfo(plugin, "bounce with too many recipients to: " +
         connection.transaction.rcpt_to.join(','));
 

tests/mailheader.js

@@ -0,0 +1,55 @@
+var Header   = require('../mailheader').Header;
+
+var lines = [
+    'Return-Path: <helpme@gmail.com>',
+    'Received: from [1.1.1.1] ([2.2.2.2])\
+            by smtp.gmail.com with ESMTPSA id abcdef.28.2016.03.31.12.51.37\
+            for <foo@bar.com>\
+            (version=TLSv1/SSLv3 cipher=OTHER);\
+            Thu, 31 Mar 2016 12:51:37 -0700 (PDT)',
+    'From: Matt Sergeant <helpme@gmail.com>',
+    'Content-Type: multipart/alternative;\
+        boundary=Apple-Mail-F2C5DAD3-7EB3-409D-9FE0-135C9FD43B69',
+    'Content-Transfer-Encoding: 7bit',
+    'Mime-Version: 1.0 (1.0)',
+    'Subject: Re: Haraka Rocks!',
+    'Message-Id: <616DF75E-D799-4F3C-9901-1642B494C45D@gmail.com>',
+    'Date: Thu, 31 Mar 2016 15:51:36 -0400',
+    'To: The World <world@example.com>',
+    'X-Mailer: iPhone Mail (13E233)',
+];
+
+exports.basic = {
+    parse_basic: function (test) {
+        test.expect(2);
+        var h = new Header();
+        h.parse(lines);
+        test.equal(h.lines().length, 11);
+        test.ok(/multipart\/alternative;\s+boundary=Apple-Mail-F2C5DAD3-7EB3-409D-9FE0-135C9FD43B69/.test(h.get_decoded('content-type')));
+        test.done();
+    }
+}
+
+exports.add_headers = {
+    add_basic: function (test) {
+        test.expect(2);
+        var h = new Header();
+        h.parse(lines);
+        h.add('Foo', 'bar');
+        test.equal(h.lines()[0], 'Foo: bar\n');
+        h.add_end('Fizz', 'buzz');
+        test.equal(h.lines()[12], 'Fizz: buzz\n');
+        test.done();
+    },
+    add_utf8: function (test) {
+        test.expect(2);
+        var h = new Header();
+        h.parse(lines);
+        h.add('Foo', 'bøø');
+        test.equal(h.lines()[0], 'Foo: =?UTF-8?q?b=F8=F8?=\n');
+        // test wrapping
+        h.add('Bar', 'bøø 1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890');
+        test.equal(h.lines()[0], 'Bar: =?UTF-8?q?b=F8=F8 1234567890123456789012345678901234567890123456789012345678901234567=\n 890123456789012345678901234567890?=\n');
+        test.done();
+    }
+}