haraka / Haraka

A fast, highly extensible, and event driven SMTP server
https://haraka.github.io
MIT License

'rcpt to' accepted, I disagree #1424

Closed darkpixel closed 8 years ago

darkpixel commented 8 years ago

Haraka version

2.8.0-alpha.9

Expected behavior

Recipient should be rejected

Observed behavior

[PROTOCOL] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] C: RCPT TO:<doesnotexist1231234@utilizeit.com> state=1
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] running rcpt hooks
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] running rcpt hook in relay plugin
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [relay] dest_domain = utilizeit.com
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [relay] found config for utilizeit.com: continue
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] hook=rcpt plugin=relay function=dest_domains params="<doesnotexist1231234@utilizeit.com>" retval=CONT msg=""

^ I am set up to accept mail for 'utilizeit.com' and relay it off to the box that actually stores the mail.

[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] running rcpt hook in access plugin
[DEBUG] [-] [access] empty file: rcpt_to.access.whitelist_regex
[DEBUG] [-] [access] empty file: rcpt_to.access.blacklist_regex

^ There is no rcpt_to.access.whitelist_regex or rcpt_to.access.whitelist_regex, but I *do* have rcpt_to.access.witelist (containing test@utilizeit.com) and rcpt_to.access.blacklist (containing testblock@utilizeit.com).

[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] hook=rcpt plugin=access function=rcpt_to_access params="<doesnotexist1231234@utilizeit.com>" retval=CONT msg=""

^ If I understand correctly, retval=CONT tells the system to continue processing and NOT make an accept/reject decision.

[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] running rcpt hook in karma plugin
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [karma] applied relaying:6
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] hook=rcpt plugin=karma function=hook_rcpt params="<doesnotexist1231234@utilizeit.com>" retval=CONT msg=""
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] running rcpt_ok hooks
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] running rcpt_ok hook in greylist plugin
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [greylist] skipping GL for relaying host
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] hook=rcpt_ok plugin=greylist function=hook_rcpt_ok params="undefined" retval=CONT msg=""
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] running rcpt_ok hook in greylist plugin
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [greylist] skipping GL for relaying host
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] hook=rcpt_ok plugin=greylist function=hook_rcpt_ok params="undefined" retval=CONT msg=""
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] running rcpt_ok hook in karma plugin
[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] hook=rcpt_ok plugin=karma function=hook_rcpt_ok params="undefined" retval=CONT msg=""

^ All these checks return CONT, so if I understand it correctly, the message should default to being rejected because no RCPT_TO plugin specifically returned ACCEPT, right?

[NOTICE] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] recipient <doesnotexist1231234@utilizeit.com> code=OK msg="" sender="adebruyn@-redacted-"
[PROTOCOL] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] S: 250 recipient <doesnotexist1231234@utilizeit.com> OK

^ The server accepts the message

Steps to reproduce

I have the following rcpt plugins enabled:

Hook: rcpt ---------------------------------------------------------------------
Plugin                              Method                              Prio T/O
--------------------------------------------------------------------------------
relay                               dest_domains                           0  30
access                              rcpt_to_access                         0  30
karma                               hook_rcpt                              0  30

relay.ini

[relay]
acl=true
force_routing=true
dest_domains=true

relay_dest_domains.ini

[domains]
utilizeit.com = { "action": "continue", "nexthop": "internal.ip.addr.ess" }

relay_acl_allow contains

127.0.0.1/32
-CIDR of internal subnet-
-my home IP for testing-

Am I way off base?

baudehlo commented 8 years ago

Yes, off base - your Haraka is set up to authenticate recipients based on domain, not actual users. There are many ways you can do the latter.

On Apr 27, 2016, at 8:18 PM, Aaron C. de Bruyn notifications@github.com wrote:

msimerson commented 8 years ago

Your assumptions are almost correct. If you didn't have relaying set up for that connection, then the rcpt would be rejected. But with relaying enabled, any recipient is valid.

darkpixel commented 8 years ago

Try as I might, I couldn't get it to relay into my Exchange server using a list of accepted senders and a specific transport path while still allowing outbound mail from an ACL list. Maybe I'm missing something, but an easier solution was to simply set up an incoming server using the SMTP Proxy, and a second server for outbound mail using an ACL.

I'm still blown away by the logging. 8 years ago, I would have given my right kidney for Postfix to prefix all syslog entries from one transaction with a single UUID. ;)
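
Added example, not part of the original thread and not Haraka's own code: a small log audit that uses the per-transaction UUID praised above to find recipients that got `code=OK` although every `rcpt` hook returned `CONT`, which is the relaying case msimerson describes. The second transaction, its UUID, its address and the plugin name `example_rcpt_check` are constructed for illustration.

```javascript
// Audit Haraka debug logs: which accepted recipients did no rcpt plugin vouch for?
const SAMPLE_LOG = [
  // Lines taken from the log in this issue:
  '[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] hook=rcpt plugin=relay function=dest_domains params="<doesnotexist1231234@utilizeit.com>" retval=CONT msg=""',
  '[DEBUG] [-] [access] empty file: rcpt_to.access.whitelist_regex',
  '[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] hook=rcpt plugin=access function=rcpt_to_access params="<doesnotexist1231234@utilizeit.com>" retval=CONT msg=""',
  '[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] hook=rcpt plugin=karma function=hook_rcpt params="<doesnotexist1231234@utilizeit.com>" retval=CONT msg=""',
  '[DEBUG] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] hook=rcpt_ok plugin=karma function=hook_rcpt_ok params="undefined" retval=CONT msg=""',
  '[NOTICE] [002810EE-3886-4CC4-BAB1-881E82DDA1DC.1] [core] recipient <doesnotexist1231234@utilizeit.com> code=OK msg="" sender="adebruyn@-redacted-"',
  // Constructed lines (hypothetical plugin that validates the mailbox and returns OK):
  '[DEBUG] [11111111-2222-3333-4444-555555555555.1] [core] hook=rcpt plugin=example_rcpt_check function=hook_rcpt params="<user@example.test>" retval=OK msg=""',
  '[NOTICE] [11111111-2222-3333-4444-555555555555.1] [core] recipient <user@example.test> code=OK msg="" sender="sender@example.test"',
].join('\n');

// [LEVEL] [UUID.txn] [component] message
const LINE_RE = /^\[(\w+)\] \[([0-9A-F-]{36}\.\d+)\] \[(\w+)\] (.*)$/i;
// "hook=rcpt " with a trailing space, so rcpt_ok hook results are ignored.
const HOOK_RE = /^hook=rcpt plugin=(\S+) function=\S+ params="<([^>]*)>" retval=(\w+)/;
const RESULT_RE = /^recipient <([^>]*)> code=(\w+)/;

function auditRcptDecisions(logText) {
  const votes = new Map(); // "transaction|recipient" -> [{ plugin, retval }]
  const findings = [];
  for (const raw of logText.split('\n')) {
    const m = LINE_RE.exec(raw.trim());
    if (!m) continue; // lines without a transaction UUID carry no decision
    const [, , txn, , msg] = m;
    const hook = HOOK_RE.exec(msg);
    if (hook) {
      const key = `${txn}|${hook[2]}`;
      if (!votes.has(key)) votes.set(key, []);
      votes.get(key).push({ plugin: hook[1], retval: hook[3] });
      continue;
    }
    const res = RESULT_RE.exec(msg);
    if (!res) continue;
    const key = `${txn}|${res[1]}`;
    // The first plugin that returned something other than CONT made the decision.
    const decider = (votes.get(key) || []).find(v => v.retval !== 'CONT');
    votes.delete(key);
    findings.push({
      txn, rcpt: res[1], code: res[2],
      decidedBy: decider ? decider.plugin : null,
      unvalidated: res[2] === 'OK' && !decider, // accepted with no plugin saying OK
    });
  }
  return findings;
}

console.log(auditRcptDecisions(SAMPLE_LOG).filter(f => f.unvalidated));
```
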