Merge pull request #541 from msimerson/relay

Relay

Author: baudehlo

TODO

@@ -34,6 +34,9 @@ Remove the following deprecated plugins
  - mail_from.access     (replaced by access.js)
  - rcpt_to.access                 ""
  - connect.rdns_access            ""
+ - relay_acl
+ - relay_all
+ - relay_force_routing
 
 Rename the following plugins
  - toobusy      -> connect.toobusy

docs/plugins/relay.md

@@ -0,0 +1,157 @@
+# relay
+
+[MTAs](http://en.wikipedia.org/wiki/Mail_transfer_agent) generally only accept mail for _local_ domains they can deliver to. In Haraka, the `rcpt_to.*` plugins usually decide which domains and/or email addresses are deliverable. By default, everything else is rejected.
+
+**Relaying** is when a MTA accepts mail that is destined elsewhere. Back in the day (1980s), most MTAs permitted open relaying. Soon spammers abused our open relays (1990s) and left us with soiled mail queues. Now nearly all MTAs have relaying disabled and [MUAs](http://en.wikipedia.org/wiki/Mail_user_agent) are required to use a [MSA](http://en.wikipedia.org/wiki/Message_submission_agent) to relay. Most MTAs (including Haraka) have MSA features and can serve both purposes.
+
+This **relay** plugin provides Haraka with options for managing relay permissions.
+
+## Authentication
+
+One way to enable relaying is [authentication](http://haraka.github.io/manual.html) via the auth plugins. Successful authentication enables relaying during _that_ SMTP connection. To securely offer SMTP AUTH, the [tls](http://haraka.github.io/manual/plugins/tls.html) plugin and at least one auth plugin must be enabled and properly configured. When that requirement is met, the AUTH SMTP extension will be advertised to SMTP clients.
+
+    % nc mail.example.com 587
+    220 mail.example.com ESMTP Haraka 2.4.0 ready
+    ehlo client.example.com
+    250-mail.example.com Hello client.example.com [192.168.0.1], Haraka is at your service.
+    250-PIPELINING
+    250-8BITMIME
+    250-SIZE 10000000
+    250 STARTTLS
+    quit
+    221 mail.example.com closing connection. Have a jolly good day.
+
+Notice that there's no AUTH advertised. We only permit authentication when the
+connection is secured with TLS:
+
+    % openssl s_client -connect mail.example.com:587 -starttls smtp
+    CONNECTED(00000003)
+    <snip long SSL certificate details>
+    ---
+    250 STARTTLS
+    ehlo client.example.com
+    250-mail.example.com Hello client.example.com [192.168.1.1], Haraka is at your service.
+    250-PIPELINING
+    250-8BITMIME
+    250-SIZE 10000000
+    250 AUTH PLAIN LOGIN
+    quit
+    221 mail.example.com closing connection. Have a jolly good day.
+    closed
+
+To avoid port 25 restrictions, in 1998 we developed [SMTP submission](http://tools.ietf.org/html/rfc2476) on port 587. For optimal security and reliability, [MUAs](http://en.wikipedia.org/wiki/Mail_user_agent) should be configured to send mail to port 587 with TLS/SSL and AUTH enabled.
+
+## ACL (Access Control List)
+
+ACL processing is enabled by setting acl=true in the [relay] section of
+relay.ini:
+
+    [relay]
+    acl=true
+
+With the Access Control List feature, relaying can be enabled for IPv4 and
+IPv6 networks. IP ranges listed in the ACL file are allowed to send mails
+without furthur checks.
+
+* `config/relay_acl_allow`
+
+    Allowed IP ranges in CIDR notation, one per line.
+
+Back in the day, ISPs enabled all of their IP space to relay. That proved
+problematic for users who took their laptops and mobile phones elsewhere and
+then couldn't send mail. For end users therefore, use SMTP AUTH described
+above. If you reside somewhere technology evolves more slowly, you can still
+add IP allocations to `relay_acl_allow` like so:
+
+    echo 'N.N.N.N/24' >> /path/to/haraka/config/relay_acl_allow
+
+A common use case for IP based relaying is to relay messages on behalf of
+another mail server. If your organization has an Exchange server, using Haraka
+to filter inbound messages is a great choice. You might also want to relay
+outbound messages via Haraka as well, so they can be DKIM signed on their way
+to the internet. For such a use case, you would set 'acl=true' (the default)
+in the [relay] section of `access.ini` and then add the external IP address
+of the corporate firewall to `config/relay_acl_allow`:
+
+    echo 'N.N.N.N/32' >> /path/to/haraka/config/relay_acl_allow
+
+
+## Force Route / Dest[ination] Domains
+
+Force routes and Destination Domains are enabled by setting in the [relay]
+section of relay.ini:
+
+    [relay]
+    force_routing=false  (default: false)
+    dest_domains=false   (default: false)
+
+These two features share another common config file:
+
+* `config/relay_dest_domains.ini`
+
+The format is ini and entries are within the [domains] section. The key for each entry is the domain and the value is a JSON string. Within the JSON string, the currently supported keys are:
+
+    * action  (Dest Domains)
+    * nexthop (Force Route)
+
+### Force Route
+
+Think of force route as the equivalent of the transport map in Postfix or the smtproutes file in Qmail. Rather than looking up the MX for a host, the *nexthop* value from the entry in the config file is used.
+
+The value of "nexthop": can be a hostname or an IP, optionally follow by :port.
+
+Example:
+
+    [domains]
+    test.com = { "action": "continue", "nexthop": "127.0.0.1:2525" }
+
+### Destination Domains
+
+Allowed destination/recipient domains. The field within the JSON value used
+by Dest Domains is "action": and the possible values are accept, continue, or
+deny.
+
+    * accept   (accept the mail without further checks)
+
+Example:
+
+    [domains]
+    test.com = { "action": "accept" }
+
+I think of *accept* as the equivalent of qmail's *rcpthosts*, or a misplaced Haraka `rcpt_to.*` plugin. The *accept* mechanism is another way to tell Haraka that a particular domain is one we accept mail for. The difference between this and and the [rcpt_to.in_host_list](http://haraka.github.io/manual/plugins/rcpt_to.in_host_list.html) plugin is that this one also enables relaying.
+
+    * continue (mails are subject to further checks)
+
+Example:
+
+    [domains]
+    test.com = { "action": "continue" }
+
+Because the default behavior of Dest Routes is to deny, the *continue* option provides an escape, permitting another Haraka plugin to validate the recipient. Like the *accept* option, it too enables relaying.
+
+    * deny    (mails are rejected)
+
+This deny option baffles me. The default behavior of Haraka is to reject emails for
+which a recipient validation plugin hasn't vouched. Adding it here prevents
+any subsequent recipient validation plugin from getting a chance. It also
+necessitates the continue option.
+
+
+## all
+
+Relay all is enabled by setting all=true in the [relay] section of
+relay.ini:
+
+    [relay]
+    all=true     (default: false)
+
+Relay all is useful for spamtraps to accept all mail.
+
+Do NOT use this on a real mail server, unless you really know what you are
+doing. If you use the all feature with anything that relays mail (such
+as forwarding to a real mail server, or the `deliver` plugin), your mail
+server is now an open relay.
+
+This is BAD. Hence the big letters. In short: DO NOT USE THIS FEATURE.
+
+It is useful for testing and spamtraps, hence its presence.

plugins/relay.js

@@ -0,0 +1,202 @@
+// relay
+//
+// documentation via: haraka -h relay
+
+var ipaddr = require('ipaddr.js'),
+    net    = require('net');
+
+exports.register = function() {
+    var plugin = this;
+    plugin.refresh_config();
+    if (plugin.cfg.relay.acl          ) { plugin.register_hook('connect',  'acl'   ); }
+    if (plugin.cfg.relay.dest_domains ) { plugin.register_hook('rcpt',     'dest_domains'); }
+    if (plugin.cfg.relay.all          ) { plugin.register_hook('rcpt',     'all'   ); }
+    if (plugin.cfg.relay.force_routing) { plugin.register_hook('get_mx',   'force_routing'); }
+};
+
+exports.refresh_config = function() {
+    var plugin = this;
+
+    var load_relay_ini = function () {
+        plugin.cfg = plugin.config.get('relay.ini', {
+            booleans: [
+                '+relay.acl',
+                '+relay.force_routing',
+                '-relay.all',
+                '-relay.dest_domains',
+            ],
+        }, function () {
+            load_relay_ini();
+        });
+    };
+
+    var load_dest_domains = function () {
+        plugin.loginfo(plugin, "loading relay_dest_domain.ini");
+        plugin.dest = plugin.config.get('relay_dest_domains.ini', 'ini', function() {
+            load_dest_domains();
+        });
+    };
+
+    var load_acls = function () {
+        var file_name = 'relay_acl_allow';
+        plugin.loginfo(plugin, "loading " + file_name);
+
+        // load with a self-referential callback
+        plugin.acl_allow = plugin.config.get(file_name, 'list', function () {
+            load_acls();
+        });
+
+        for (var i=0; i<plugin.acl_allow.length; i++) {
+            var cidr = plugin.acl_allow[i].split('/');
+            if (!net.isIP(cidr[0])) {
+                plugin.logerror(plugin, "invalid entry in " + file_name + ": " + cidr[0]);
+            }
+            if (!cidr[1]) {
+                plugin.logerror(plugin, "appending missing CIDR suffix in: " + file_name);
+                plugin.acl_allow[i] = cidr[0] + '/32';
+            }
+        }
+    };
+
+    load_relay_ini();             // plugin.cfg = { }
+
+    if (plugin.cfg.relay.acl) {
+         load_acls();             // plugin.acl_allow = [..]
+    }
+
+    if (plugin.cfg.relay.force_routing || plugin.cfg.relay.dest_domains) {
+        load_dest_domains();      // plugin.dest.domains = { }
+    }
+};
+
+exports.acl = function (next, connection) {
+    var plugin = this;
+    if (!plugin.cfg.relay.acl) { return next(); }
+
+    connection.logdebug(this, 'checking ' + connection.remote_ip + ' in relay_acl_allow');
+
+    if (!plugin.is_acl_allowed(connection)) {
+        connection.results.add(plugin, {skip: 'acl(unlisted)'});
+        return next();
+    }
+
+    connection.results.add(plugin, {pass: 'acl'});
+    connection.relaying = true;
+    return next(OK);
+};
+
+exports.is_acl_allowed = function (connection) {
+    var plugin = this;
+    if (!plugin.acl_allow) { return false; }
+    if (!plugin.acl_allow.length) { return false; }
+
+    var ip = connection.remote_ip;
+
+    for (var i=0; i < plugin.acl_allow.length; i++) {
+        var item = plugin.acl_allow[i];
+        connection.logdebug(plugin, 'checking if ' + ip + ' is in ' + item);
+        var cidr = plugin.acl_allow[i].split('/');
+        var c_net  = cidr[0];
+        var c_mask = cidr[1] || 32;
+
+        if (!net.isIP(c_net)) continue;  // bad config entry
+        if (net.isIPv4(ip) && net.isIPv6(c_net)) continue;
+        if (net.isIPv6(ip) && net.isIPv4(c_net)) continue;
+
+        if (ipaddr.parse(ip).match(ipaddr.parse(c_net), c_mask)) {
+            connection.logdebug(plugin, 'checking if ' + ip + ' is in ' + item + ": yes");
+            return true;
+        }
+    }
+    return false;
+};
+
+exports.dest_domains = function (next, connection, params) {
+    var plugin = this;
+    if (!plugin.cfg.relay.dest_domains) { return next(); }
+    var transaction = connection.transaction;
+
+    // Skip this if the host is already allowed to relay
+    if (connection.relaying) {
+        transaction.results.add(plugin, {skip: 'relay_dest_domain(relay)'});
+        return next();
+    }
+ 
+    if (!plugin.dest) {
+        transaction.results.add(plugin, {err: 'relay_dest_domain(no config!)'});
+        return next();
+    }
+
+    if (!plugin.dest.domains) {
+        transaction.results.add(plugin, {skip: 'relay_dest_domain(config)'});
+        return next();
+    }
+
+    var dest_domain = params[0].host;
+    connection.logdebug(plugin, 'dest_domain = ' + dest_domain);
+
+    var dst_cfg = plugin.dest.domains[dest_domain];
+    if (!dst_cfg) {
+        transaction.results.add(plugin, {fail: 'relay_dest_domain'});
+        return next(DENY, "You are not allowed to relay");
+    }
+
+    var action = JSON.parse(dst_cfg).action;
+    connection.logdebug(plugin, 'found config for ' + dest_domain + ': ' + action);
+
+    switch(action) {
+        case "accept":
+            // why enable relaying here? Returning next(OK) will allow the
+            // address to be considered 'local'. What advantage does relaying
+            // bring?
+            connection.relaying = true;
+            transaction.results.add(plugin, {pass: 'relay_dest_domain'});
+            return next(OK);
+        case "continue":
+            // why oh why? Only reason I can think of is to enable outbound.
+            connection.relaying = true;
+            transaction.results.add(plugin, {pass: 'relay_dest_domain'});
+            return next(CONT);  // same as next()
+        case "deny":
+            transaction.results.add(plugin, {fail: 'relay_dest_domain'});
+            return next(DENY, "You are not allowed to relay");
+    }
+
+    transaction.results.add(plugin, {fail: 'relay_dest_domain'});
+    return next(DENY, "Mail for that recipient is not accepted here.");
+};
+
+exports.force_routing = function (next, hmail, domain) {
+    var plugin = this;
+    if (!plugin.cfg.relay.force_routing) { return next(); }
+    if (!plugin.dest) { return next(); }
+    if (!plugin.dest.domains) { return next(); }
+    var route = plugin.dest.domains[domain];
+
+    if (!route) {
+        plugin.logdebug(plugin, 'using normal MX lookup for: ' + domain);
+        return next();
+    }
+
+    var c = JSON.parse(route);
+    var nexthop = JSON.parse(route).nexthop;
+    if (!nexthop) {
+        plugin.logdebug(plugin, 'using normal MX lookup for: ' + domain);
+        return next();
+    }
+
+    plugin.logdebug(plugin, 'using ' + nexthop + ' for: ' + domain);
+    return next(OK, nexthop);
+};
+
+exports.all = function(next, connection, params) {
+// relay everything - could be useful for a spamtrap
+    var plugin = this;
+    if (!plugin.cfg.relay.all) { return next(); }
+// TODO: This looks like a bug (shortening the recipient array)
+    var recipient = params.shift();
+    connection.loginfo(plugin, "confirming recipient " + recipient);
+    connection.relaying = true;
+    next(OK);
+};
+

plugins/relay_acl.js

@@ -6,6 +6,7 @@ var ipaddr = require('ipaddr.js'),
     net    = require('net');
 
 exports.register = function() {
+    this.logerror(this, "deprecated. see 'haraka -h relay'");
     this.register_hook('lookup_rdns', 'refresh_config');
     this.register_hook('connect',     'relay_acl');
     this.register_hook('rcpt',        'relay_dest_domains');

plugins/relay_all.js

@@ -1,6 +1,7 @@
 // Just relay everything - could be useful for a spamtrap
 
 exports.register = function() {
+    this.logerror(this, "deprecated. see 'haraka -h relay'");
     this.register_hook('rcpt', 'confirm_all');
 };