haraka / Haraka

A fast, highly extensible, and event driven SMTP server

Home Page: https://haraka.github.io

DENY, DENYSOFT, and DISCONNECT are ignored in ehlo_hook

lnedry opened this issue

DENY, DENYSOFT, and DISCONNECT are ignored in ehlo_hook. DENYDISCONNECT is not ignored.

I expected that inbound email would be rejected and/or the connection dropped when DENY is passed to next().

After DENY, DENYSOFT, or DISCONNECT in the ehlo_hook, Haraka will continue to run hooks and deliver the email.

This is a new install of Debian 11 and Haraka 3.0.2. Only software necessary for Haraka to operate has been installed along with a few tools for testing.

# cat /etc/haraka/config/plugins
syslog
test
rcpt_to.in_host_list
queue/smtp_forward

# cat /etc/haraka/plugins/test.js
exports.hook_ehlo = function (next, connection, ehlo) {
    return next(DENY, 'DENIED');
}

% ./swaks --server 192.168.1.99 --port 2525 --to test@lab.local --from test@lab.local
=== Trying 192.168.1.99:2525...
=== Connected to 192.168.1.99.
<-  220 lab.local ESMTP Haraka/3.0.2 ready
 -> EHLO imac.local
<** 550 DENIED
 -> HELO imac.local
<-  250 lab.local Hello [192.168.1.250]Haraka is at your service.
 -> MAIL FROM:<test@lab.local>
<-  250 sender <test@lab.local> OK
 -> RCPT TO:<test@lab.local>
<-  250 recipient <test@lab.local> OK
 -> DATA
<-  354 go ahead, make my day
 -> Date: Fri, 19 Jan 2024 15:20:48 -0500
 -> To: test@lab.local
 -> From: test@lab.local
 -> Subject: test Fri, 19 Jan 2024 15:20:48 -0500
 -> Message-Id: <20240119152048.082917@imac.local>
 -> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
 -> 
 -> This is a test mailing
 -> 
 -> 
 -> .
<-  250 OK id=1rQvM8-0000c8-Dq (75388EB8-9402-4FB4-8B6C-DFE4796775C5.1)
 -> QUIT
<-  221 lab.local closing connection. Have a jolly good day.
=== Connection closed with remote host.

Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5] [core] connect ip=192.168.1.250 port=49961 local_ip=192.168.1.99 local_port=2525
Jan 19 15:20:48 lab haraka[2263]: [INFO] [75388EB8-9402-4FB4-8B6C-DFE4796775C5] [core]  hook=ehlo plugin=test function=hook_ehlo params=imac.local retval=DENY msg=DENIED
Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] sender <test@lab.local> code=CONT msg=""
Jan 19 15:20:48 lab haraka[2263]: [INFO] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core]  hook=rcpt plugin=rcpt_to.in_host_list function=hook_rcpt params=<test@lab.local> retval=OK msg=""
Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] recipient <test@lab.local> code=OK msg="" sender=test@lab.local
Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] message mid=<20240119152048.082917@imac.local> size=274 rcpts=1/0/0 delay=0 code=CONT msg=""
Jan 19 15:20:48 lab haraka[2263]: [INFO] [-] [core] [smtp_client] uuid=9ABC6307-B5E7-4B74-8CEF-20CB5AF93EE1 host=192.168.1.99 port=25 created
Jan 19 15:20:48 lab haraka[2263]: [INFO] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [queue/smtp_forward] forwarding to 192.168.1.99:25
Jan 19 15:20:48 lab haraka[2263]: [INFO] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core]  hook=queue plugin=queue/smtp_forward function=queue_forward params="" retval=OK msg="OK id=1rQvM8-0000c8-Dq"
Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] queue code=OK msg="OK id=1rQvM8-0000c8-Dq (75388EB8-9402-4FB4-8B6C-DFE4796775C5.1)"
Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] disconnect ip=192.168.1.250 rdns=NXDOMAIN helo=imac.local relay=N early=N esmtp=N tls=N pipe=N errors=0 txns=1 rcpts=1/0/0 msgs=1/0/0 bytes=274 lr="550 DENIED" time=0.065

Haraka Haraka.js — Version: 3.0.2
Node v20.11.0
OS Linux lab.local 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64 GNU/Linux
openssl OpenSSL 1.1.1w 11 Sep 2023

Am I misunderstanding RFC 5321 4.3.2?

Specific sequences are:
EHLO or HELO
S: 250
E: 504 (a conforming implementation could return this code only in fairly obscure cases), 550, 502 (permitted only with an old-style server that does not support EHLO)
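
A log check for the behaviour reported above, as an added example that is not part of the original issue or of Haraka: it pairs a rejection returned by a connection-phase hook with a later `queue code=OK` on the same connection UUID. The function name, the set of hooks watched, and the sample lines after the first two are assumptions made for illustration.

```javascript
// Added example (not Haraka code): flag connections where a connection-phase
// hook returned a rejection but a message was still queued afterwards.
const REJECTS = new Set(['DENY', 'DENYSOFT', 'DISCONNECT', 'DENYDISCONNECT']);
const EARLY_HOOKS = new Set(['connect', 'helo', 'ehlo']); // assumption: hooks to watch

// The first two lines are shortened from the issue's log; the last two are constructed.
const SAMPLE_LOG = [
  'Jan 19 15:20:48 lab haraka[2263]: [INFO] [75388EB8-9402-4FB4-8B6C-DFE4796775C5] [core]  hook=ehlo plugin=test function=hook_ehlo params=imac.local retval=DENY msg=DENIED',
  'Jan 19 15:20:48 lab haraka[2263]: [NOTICE] [75388EB8-9402-4FB4-8B6C-DFE4796775C5.1] [core] queue code=OK msg="OK id=1rQvM8-0000c8-Dq"',
  'Jan 19 15:21:02 lab haraka[2263]: [INFO] [11111111-2222-3333-4444-555555555555] [core]  hook=ehlo plugin=test function=hook_ehlo params=a.example retval=DENYDISCONNECT msg=DENIED',
  'Jan 19 15:21:09 lab haraka[2263]: [NOTICE] [AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE.1] [core] queue code=OK msg="OK id=constructed"',
];

// Captures the connection UUID (transaction suffix ".N" dropped) and the message body.
const LINE_RE = /haraka\[\d+\]: \[\w+\] \[([0-9A-Fa-f-]{36})(?:\.\d+)?\] \[core\]\s+(.*)$/;
const HOOK_RE = /^hook=(\S+) plugin=(\S+) .*\bretval=(\w+)/;

function findAcceptedAfterReject(lines) {
  const seen = new Map(); // connection uuid -> first connection-phase rejection
  const findings = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, uuid, rest] = m;
    const hook = HOOK_RE.exec(rest);
    if (hook && EARLY_HOOKS.has(hook[1]) && REJECTS.has(hook[3])) {
      if (!seen.has(uuid)) {
        seen.set(uuid, { hook: hook[1], plugin: hook[2], retval: hook[3] });
      }
    } else if (rest.startsWith('queue code=OK') && seen.has(uuid)) {
      // A message was queued on a connection that a plugin had already rejected.
      findings.push({ uuid, ...seen.get(uuid) });
    }
  }
  return findings;
}

for (const f of findAcceptedAfterReject(SAMPLE_LOG)) {
  console.log(`${f.uuid}: ${f.retval} from ${f.plugin} at hook_${f.hook}, message still queued`);
}
```
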