haraka / haraka-plugin-redis

redis support for Haraka plugins
https://www.npmjs.com/package/haraka-plugin-redis
MIT License

Allow specifying redis password for pubsub connections #6

Closed andris9 closed 7 years ago

andris9 commented 7 years ago

Currently it is not possible to use a password-authenticated Redis with Haraka and some redis-aware plugin (like karma) that tries to use pubsub. If the Redis server requires authentication then you end up with the following error:

Jul 31 09:37:11 c20-76 haraka[4023]: [CRIT] [-] [core] ReplyError: NOAUTH Authentication required.
Jul 31 09:37:11 c20-76 haraka[4023]: [CRIT] [-] [core]     at parseError (/opt/mx/node_modules/redis-parser/lib/parser.js:193:12)
Jul 31 09:37:11 c20-76 haraka[4023]: [CRIT] [-] [core]     at parseType (/opt/mx/node_modules/redis-parser/lib/parser.js:303:14)
Jul 31 09:37:11 c20-76 haraka[4023]: [NOTICE] [-] [core] Shutting down

It is possible to provide the password option for normal Redis connections through the opts configuration option, but these extra options are not used for the subscription config.

This pull request makes it possible to also provide the password value to the pubsub settings. The change is a quick fix; you might want to consider something more elegant, like providing the opts values to the pubsub settings as well.

The following config works with this patch:

[opts]
password = verysecret

[server]
host   = 127.0.0.1
port   = 6379
db     = 7

[pubsub]
host   = 127.0.0.1
port   = 6379
password = verysecret

msimerson commented 7 years ago

Hi @andris9 , thanks for the PR.

I've created an alternative in #7 that goes a step further and permits this config to work:

[opts]
password = verysecret

[server]
host   = 127.0.0.1
port   = 6379
db     = 7

[pubsub]
host   = 127.0.0.1
port   = 6379

Also, should another opt be desired in the future, it may just work automagically.

Thoughts?
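To make the difference between the two approaches concrete, here is an added example (not haraka-plugin-redis's own code) of the merge described in #7: the [opts] section is folded into both the [server] and [pubsub] connection settings, so a password set once under [opts] also reaches the pubsub client instead of triggering NOAUTH. The function names parseIni and mergeRedisConfig are hypothetical, and the INI parser only handles the flat "[section] / key = value" layout shown in this thread.

```javascript
// Added example, not haraka-plugin-redis's own code. parseIni and
// mergeRedisConfig are hypothetical names chosen for this illustration.

// Minimal INI parser for the "[section]\nkey = value" layout used above.
function parseIni(text) {
  const cfg = {};
  let section = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const sec = line.match(/^\[(.+)\]$/);
    if (sec) { section = sec[1]; cfg[section] = cfg[section] || {}; continue; }
    const eq = line.indexOf('=');
    if (eq === -1 || section === null) continue;
    cfg[section][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Build client options for the main ([server]) and pubsub connections.
// Keys in a connection section override [opts]; anything present only in
// [opts] (password, tls, ...) is inherited by both connections, which is
// what lets a future option "just work" without plugin changes.
function mergeRedisConfig(cfg) {
  const opts = cfg.opts || {};
  const build = (section) => {
    const out = Object.assign({}, opts, section || {});
    for (const k of ['port', 'db']) if (k in out) out[k] = Number(out[k]);
    return out;
  };
  return { server: build(cfg.server), pubsub: build(cfg.pubsub) };
}

// Constructed sample: the config from #7, password under [opts] only.
const sampleIni = `
[opts]
password = verysecret

[server]
host   = 127.0.0.1
port   = 6379
db     = 7

[pubsub]
host   = 127.0.0.1
port   = 6379
`;

const merged = mergeRedisConfig(parseIni(sampleIni));
// Without the merge the pubsub client has no password and Redis answers
// "NOAUTH Authentication required."; with it both clients authenticate.
console.log(merged.pubsub.password === merged.server.password); // true
```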

andris9 commented 7 years ago

Seems great, thanks!

msimerson commented 7 years ago

If you don't mind, give it a whirl and make sure it works for you. Then I'll merge and kick out a new release.

andris9 commented 7 years ago

@msimerson seems to be working great, no errors anymore. You can test it out yourself by creating a new account at wildduck.email and sending mail to the created address.

msimerson commented 7 years ago

I did create a test account, but my Haraka won't send to your Haraka. So I tried it with openssl just for fun:

# openssl s_client -connect 217.146.76.20:25 -starttls smtp
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mbox.zone
verify return:1
---
Certificate chain
 0 s:/CN=mbox.zone
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/CN=mbox.zone
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3526 bytes and written 464 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2C871D3285E4DCC0D394056400D6FBFFA98A71EC4F08100550A40BEDC36CE32E
    Session-ID-ctx: 
    Master-Key: 2C86DF9D0017C9C1CCB0A5D67C9FB2EDBE9549BE29ADE1239030716692F32D8FE3D7B8B18F5CFAF4ED4358186EF77DEC
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 4e 8a e6 cb 15 41 83 31-16 9a 11 6d df ac 57 2d   N....A.1...m..W-
    0010 - 9f 17 65 64 e1 71 8f 7a-7d ed d3 18 40 37 01 fb   ..ed.q.z}...@7..
    0020 - 92 4e 95 4e 79 3b d2 7a-0c e0 47 9f 32 c4 54 0d   .N.Ny;.z..G.2.T.
    0030 - ec 47 7d 32 bb 86 b1 bf-be 55 d3 37 91 ca a5 85   .G}2.....U.7....
    0040 - 0e fc c0 ca e2 47 5d 39-bd 50 64 12 fd 4f 2c 44   .....G]9.Pd..O,D
    0050 - b7 b8 f4 f8 e3 ac 12 ff-74 3f 41 99 bc bc a2 0f   ........t?A.....
    0060 - 63 f6 a2 05 de ce 5f 76-a8 1b 46 1c 38 34 ff 87   c....._v..F.84..
    0070 - 13 18 4a dc 38 dd d8 1e-98 db 6e d8 05 76 00 70   ..J.8.....n..v.p
    0080 - b0 f4 f7 71 3b 23 70 06-fe f6 42 0a d5 fc ea 9b   ...q;#p...B.....
    0090 - 40 b0 94 5d 2b 81 f9 64-26 f9 58 3b 0d 3d 77 e1   @..]+..d&.X;.=w.

    Start Time: 1501514829
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 STARTTLS
EHLO mail.theartfarm.com
250-mail.wildduck.email Hello mail.theartfarm.com [66.128.51.165], Haraka is at your service.
250-PIPELINING
250-8BITMIME
250-SMTPUTF8
250 SIZE 2048576
MAIL FROM: <matt@tnpi.net>
250 sender <matt@tnpi.net> OK
RCPT TO: <matt@wildduck.email>
RENEGOTIATING
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mbox.zone
verify return:1

500 Unrecognized command
RCPT TO: <matt@wildduck.email>
RENEGOTIATING
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mbox.zone
verify return:1
quit
221 mail.wildduck.email closing connection. Have a jolly good day.
closed

smfreegard commented 7 years ago

You need to add -quiet to your s_client arguments to stop it from interpreting 'R' as a command to renegotiate and 'Q' as a command to exit.

msimerson commented 7 years ago

You need to add -quiet to your s_client

oooohhhhhhh. After all these years, that's the furthest I've manually gotten into an SMTP session over a TLS connection. That does solve the renegotiation problem. Thanks Steve!

andris9 commented 7 years ago

This is what I see in my Haraka logs:

Jul 31 18:26:34 c20-76 haraka[4570]: [NOTICE] [BB57E490-BA62-4D50-B607-9FBEF517FE39] [core] connect ip=66.128.51.165 port=50337 local_ip=:: local_port=25
Jul 31 18:27:04 c20-76 haraka[4570]: [CRIT] [BB57E490-BA62-4D50-B607-9FBEF517FE39] [core] Plugin karma timed out on hook connect_init - make sure it calls the callback
Jul 31 18:27:04 c20-76 haraka[4570]: [INFO] [BB57E490-BA62-4D50-B607-9FBEF517FE39] [core] hook=connect_init plugin=karma function=ip_history_from_redis params="" retval=DENYSOFT msg="plugin timeout"
Jul 31 18:27:08 c20-76 haraka[4570]: [INFO] [BB57E490-BA62-4D50-B607-9FBEF517FE39] [spf] identity=helo ip=66.128.51.165 domain="openssl.client.net" mfrom=<postmaster@openssl.client.net> result=Fail
Jul 31 18:27:08 c20-76 haraka[4570]: [INFO] [BB57E490-BA62-4D50-B607-9FBEF517FE39] [spf] scope: helo, result: Fail, domain: openssl.client.net
Jul 31 18:27:09 c20-76 haraka[4570]: [INFO] [BB57E490-BA62-4D50-B607-9FBEF517FE39] [tls] secured: cipher=ECDHE-RSA-AES256-GCM-SHA384 version=TLSv1/SSLv3 verified=false
Jul 31 18:27:09 c20-76 haraka[4570]: [INFO] [BB57E490-BA62-4D50-B607-9FBEF517FE39] [core] hook=unrecognized_command plugin=tls function=upgrade_connection params="STARTTLS" retval=OK msg=""
Jul 31 18:27:33 c20-76 haraka[4570]: [INFO] [BB57E490-BA62-4D50-B607-9FBEF517FE39] [spf] identity=helo ip=66.128.51.165 domain="mail.theartfarm.com" mfrom=<postmaster@mail.theartfarm.com> result=Pass
Jul 31 18:27:33 c20-76 haraka[4570]: [INFO] [BB57E490-BA62-4D50-B607-9FBEF517FE39] [spf] scope: helo, result: Pass, domain: mail.theartfarm.com
Jul 31 18:28:17 c20-76 haraka[4570]: [INFO] [BB57E490-BA62-4D50-B607-9FBEF517FE39.1] [spf] identity=mfrom ip=66.128.51.165 domain="tnpi.net" mfrom=<matt@tnpi.net> result=Pass
Jul 31 18:28:17 c20-76 haraka[4570]: [INFO] [BB57E490-BA62-4D50-B607-9FBEF517FE39.1] [spf] scope: mfrom, result: Pass, domain: tnpi.net
Jul 31 18:28:17 c20-76 haraka[4570]: [INFO] [BB57E490-BA62-4D50-B607-9FBEF517FE39.1] [karma] RFC ignorant env addr format: MAIL FROM: <matt@tnpi.net>
Jul 31 18:28:19 c20-76 haraka[4570]: [NOTICE] [BB57E490-BA62-4D50-B607-9FBEF517FE39.1] [core] sender <matt@tnpi.net> code=CONT msg=""
Jul 31 18:29:30 c20-76 haraka[4570]: [INFO] [BB57E490-BA62-4D50-B607-9FBEF517FE39.1] [max_unrecognized_commands] max: 10, count: 0, fail:Unrecognized command: ,
Jul 31 18:29:43 c20-76 haraka[4570]: [INFO] [BB57E490-BA62-4D50-B607-9FBEF517FE39.1] [karma] score: -6, awards: 150,012, fail:rfc5321.MailFrom, cmd:(,)
Jul 31 18:29:43 c20-76 haraka[4570]: [INFO] [BB57E490-BA62-4D50-B607-9FBEF517FE39.1] [karma] score: -6, awards: 150,012, fail:rfc5321.MailFrom, cmd:(,)
Jul 31 18:29:43 c20-76 haraka[4570]: [NOTICE] [BB57E490-BA62-4D50-B607-9FBEF517FE39.1] [core] disconnect ip=66.128.51.165 rdns="mail.theartfarm.com" helo="mail.theartfarm.com" relay=N early=N esmtp=Y tls=Y pipe=N errors=1 txns=1 rcpts=0/0/0 msgs=0/0/0 bytes=0 lr="500 Unrecognized command" time=188.933

msimerson commented 7 years ago

Yeah, that's me with openssl. Haraka is failing from outbound:

Jul 31 08:19:27 haraka haraka: [INFO] [B95A4F66-38D1-4E3C-A172-EBEA3941D199.1.1] [outbound] Looking up A records for: mail.wildduck.email
Jul 31 08:19:27 haraka haraka: [INFO] [B95A4F66-38D1-4E3C-A172-EBEA3941D199.1.1] [outbound] Attempting to deliver to: 217.146.76.20:25 (0) (0)
Jul 31 08:19:57 haraka haraka: [INFO] [B95A4F66-38D1-4E3C-A172-EBEA3941D199.1.1] [outbound] Temp failing 1501514367374_1501514367374_0_38561_0DAOwf_1_haraka for 64 seconds: Tried all MXs
Jul 31 08:19:57 haraka haraka: [ERROR] [B95A4F66-38D1-4E3C-A172-EBEA3941D199.1.1] [outbound] Remote end 217.146.76.20:25 closed connection while we were processing mail. Trying next MX.

But don't put any meaning behind that. I'm running a monkey-patched version right now with a bunch of TLS changes related to adding SNI support. It may be related...