search

haraka / Haraka

A fast, highly extensible, and event driven SMTP server
https://haraka.github.io
MIT License
5.02k stars 662 forks source link

DENY, DENYSOFT, and DISCONNECT are ignored in ehlo_hook #3269

Closed lnedry closed 4 months ago

lnedry commented 8 months ago

DENY, DENYSOFT, and DISCONNECT are ignored in ehlo_hook. DENYDISCONNECT is not ignored.

I expected that inbound email would be rejected and/or the connection dropped when DENY is passed to next().

After DENY, DENYSOFT, or DISCONNECT in the ehlo_hook, Haraka will continue to run hooks and deliver the email.

This is a new install of Debian 11 and Haraka 3.0.2. Only software necessary for Haraka to operate has been installed along with a few tools for testing.

# cat /etc/haraka/config/plugins
syslog
test
rcpt_to.in_host_list
queue/smtp_forward
# cat /etc/haraka/plugins/test.js
exports.hook_ehlo = function (next, connection, ehlo) {
    return next(DENY, 'DENIED');
}
% ./swaks --server 192.168.1.99 --port 2525 --to test@lab.local --from test@lab.local
=== Trying 192.168.1.99:2525...
=== Connected to 192.168.1.99.
<-  220 lab.local ESMTP Haraka/3.0.2 ready
 -> EHLO imac.local
<** 550 DENIED
 -> HELO imac.local
<-  250 lab.local Hello [192.168.1.250]Haraka is at your service.
 -> MAIL FROM:<test@lab.local>
<-  250 sender <test@lab.local> OK
 -> RCPT TO:<test@lab.local>
<-  250 recipient <test@lab.local> OK
 -> DATA
<-  354 go ahead, make my day
 -> Date: Fri, 19 Jan 2024 15:20:48 -0500
 -> To: test@lab.local
 -> From: test@lab.local
 -> Subject: test Fri, 19 Jan 2024 15:20:48 -0500
 -> Message-Id: <20240119152048.082917@imac.local>
 -> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
 -> 
 -> This is a test mailing
 -> 
 -> 
 -> .
<-  250 OK id=1rQvM8-0000c8-Dq (75388EB8-9402-4FB4-8B6C-DFE4796775C5.1)
 -> QUIT
<-  221 lab.local closing connection. Have a jolly good day.
=== Connection closed with remote host.
Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5] [core] connect ip=192.168.1.250 port=49961 local_ip=192.168.1.99 local_port=2525
Jan 19 15:20:48 lab haraka[2263]: [INFO] [75388EB8-9402-4FB4-8B6C-DFE4796775C5] [core]  hook=ehlo plugin=test function=hook_ehlo params=imac.local retval=DENY msg=DENIED
Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] sender <test@lab.local> code=CONT msg=""
Jan 19 15:20:48 lab haraka[2263]: [INFO] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core]  hook=rcpt plugin=rcpt_to.in_host_list function=hook_rcpt params=<test@lab.local> retval=OK msg=""
Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] recipient <test@lab.local> code=OK msg="" sender=test@lab.local
Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] message mid=<20240119152048.082917@imac.local> size=274 rcpts=1/0/0 delay=0 code=CONT msg=""
Jan 19 15:20:48 lab haraka[2263]: [INFO] [-] [core] [smtp_client] uuid=9ABC6307-B5E7-4B74-8CEF-20CB5AF93EE1 host=192.168.1.99 port=25 created
Jan 19 15:20:48 lab haraka[2263]: [INFO] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [queue/smtp_forward] forwarding to 192.168.1.99:25
Jan 19 15:20:48 lab haraka[2263]: [INFO] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core]  hook=queue plugin=queue/smtp_forward function=queue_forward params="" retval=OK msg="OK id=1rQvM8-0000c8-Dq"
Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] queue code=OK msg="OK id=1rQvM8-0000c8-Dq (75388EB8-9402-4FB4-8B6C-DFE4796775C5.1)"
Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] disconnect ip=192.168.1.250 rdns=NXDOMAIN helo=imac.local relay=N early=N esmtp=N tls=N pipe=N errors=0 txns=1 rcpts=1/0/0 msgs=1/0/0 bytes=274 lr="550 DENIED" time=0.065
Haraka Haraka.js — Version: 3.0.2
Node v20.11.0
OS Linux lab.local 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64 GNU/Linux
openssl OpenSSL 1.1.1w 11 Sep 2023
baudehlo commented 8 months ago

IIRC this is due to what it said in the RFC.

On Fri, Jan 19, 2024 at 3:31 PM lnedry @.***> wrote:

DENY, DENYSOFT, and DISCONNECT are ignored in ehlo_hook. DENYDISCONNECT is not ignored.

I expected that inbound email would be rejected and/or the connection dropped when DENY is passed to next().

After DENY, DENYSOFT, or DISCONNECT in the ehlo_hook, Haraka will continue to run hooks and deliver the email.

This is a new install of Debian 11 and Haraka 3.0.2. Only software necessary for Haraka to operate has been installed along with a few tools for testing.

cat /etc/haraka/config/plugins

syslog test rcpt_to.in_host_list queue/smtp_forward

cat /etc/haraka/plugins/test.js

exports.hook_ehlo = function (next, connection, ehlo) { return next(DENY, 'DENIED'); }

% ./swaks --server 192.168.1.99 --port 2525 --to @. --from @. === Trying 192.168.1.99:2525... === Connected to 192.168.1.99. <- 220 lab.local ESMTP Haraka/3.0.2 ready -> EHLO imac.local < 550 DENIED -> HELO imac.local <- 250 lab.local Hello [192.168.1.250]Haraka is at your service. -> MAIL **@.> <- 250 sender @.> OK -> RCPT @.> <- 250 recipient @.> OK -> DATA <- 354 go ahead, make my day -> Date: Fri, 19 Jan 2024 15:20:48 -0500 -> To: @. -> From: @. -> Subject: test Fri, 19 Jan 2024 15:20:48 -0500 -> Message-Id: @.***> -> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/ -> -> This is a test mailing -> -> -> . <- 250 OK id=1rQvM8-0000c8-Dq (75388EB8-9402-4FB4-8B6C-DFE4796775C5.1) -> QUIT <- 221 lab.local closing connection. Have a jolly good day. === Connection closed with remote host.

Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5] [core] connect ip=192.168.1.250 port=49961 local_ip=192.168.1.99 local_port=2525 Jan 19 15:20:48 lab haraka[2263]: [INFO] [75388EB8-9402-4FB4-8B6C-DFE4796775C5] [core] hook=ehlo plugin=test function=hook_ehlo params=imac.local retval=DENY msg=DENIED Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] sender @.> code=CONT msg="" Jan 19 15:20:48 lab haraka[2263]: [INFO] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] hook=rcpt plugin=rcpt_to.in_host_list function=hook_rcpt @.> retval=OK msg="" Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] recipient @.> code=OK msg="" @. Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] message @.***> size=274 rcpts=1/0/0 delay=0 code=CONT msg="" Jan 19 15:20:48 lab haraka[2263]: [INFO] [-] [core] [smtp_client] uuid=9ABC6307-B5E7-4B74-8CEF-20CB5AF93EE1 host=192.168.1.99 port=25 created Jan 19 15:20:48 lab haraka[2263]: [INFO] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [queue/smtp_forward] forwarding to 192.168.1.99:25 Jan 19 15:20:48 lab haraka[2263]: [INFO] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] hook=queue plugin=queue/smtp_forward function=queue_forward params="" retval=OK msg="OK id=1rQvM8-0000c8-Dq" Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] queue code=OK msg="OK id=1rQvM8-0000c8-Dq (75388EB8-9402-4FB4-8B6C-DFE4796775C5.1)" Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] disconnect ip=192.168.1.250 rdns=NXDOMAIN helo=imac.local relay=N early=N esmtp=N tls=N pipe=N errors=0 txns=1 rcpts=1/0/0 msgs=1/0/0 bytes=274 lr="550 DENIED" time=0.065

Haraka Haraka.js — Version: 3.0.2 Node v20.11.0 OS Linux lab.local 5.10.0-27-amd64 #1 https://github.com/haraka/Haraka/pull/1 SMP Debian 5.10.205-2 (2023-12-31) x86_64 GNU/Linux openssl OpenSSL 1.1.1w 11 Sep 2023

— Reply to this email directly, view it on GitHub https://github.com/haraka/Haraka/issues/3269, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAFBWYZCBWBDMKXOUWYAD2DYPLJY3AVCNFSM6AAAAABCCP2WFWVHI2DSMVQWIX3LMV43ASLTON2WKOZSGA4TCMZWGA3TAOI . You are receiving this because you are subscribed to this thread.Message ID: @.***>

lnedry commented 8 months ago

Am I misunderstanding RFC 5321 4.3.2?

Specific sequences are: EHLO or HELO S: 250 E: 504 (a conforming implementation could return this code only in fairly obscure cases), 550, 502 (permitted only with an old- style server that does not support EHLO)

baudehlo commented 8 months ago

The IIRC was just a guess. Though to be fair I was mostly following 2821.

On Fri, Jan 19, 2024 at 4:37 PM lnedry @.***> wrote:

Am I misunderstanding RFC 5321 4.3.2?

Specific sequences are: EHLO or HELO S: 250 E: 504 (a conforming implementation could return this code only in fairly obscure cases), 550, 502 (permitted only with an old- style server that does not support EHLO)

— Reply to this email directly, view it on GitHub https://github.com/haraka/Haraka/issues/3269#issuecomment-1901147917, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAFBWYZHPSTEHQUSW2O3PPLYPLRRNAVCNFSM6AAAAABCCP2WFWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBRGE2DOOJRG4 . You are receiving this because you commented.Message ID: @.***>

msimerson commented 4 months ago

I expected that inbound email would be rejected and/or the connection dropped when DENY is passed to next().

I believe your expectations are incorrect. When configured as you describe above, Haraka does, near as I can tell from reading RFC 5321, The Right Thing:

❯ nc localhost 25
220 home.simerson.net ESMTP Haraka/3.0.3/2e6ff612 ready
ehlo imac27.local
550 DENIED
ehlo matt
550 DENIED
helo matt
250 home.simerson.net Hello mysql [::1]Haraka is at your service.

If you don't ask Haraka to disconnect, then it should not disconnect, right? If you want it to disconnect, you know how to configure that in your plugin.

inbound email would be rejected

Why would you expect this from a HELO/EHLO hook that you didn't disconnect? At this phase in the dialogue, we're not in a transaction, so why would future transactions be affected?