-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.js
333 lines (285 loc) · 12.6 KB
/
index.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
'use strict';
const undici = require('undici');
const addressTools = require('zone-mta/lib/address-tools');
const libmime = require('libmime');
const { randomBytes } = require('node:crypto');
const os = require('os');
function decodeHeaderLineIntoKeyValuePair(headerLine) {
let decodedHeaderStr;
let headerSeparatorPos = headerLine.indexOf(':');
if (headerSeparatorPos < 0) {
return headerLine;
}
let headerKey = headerLine.substring(0, headerSeparatorPos);
let headerValue = headerLine.substring(headerSeparatorPos + 1);
try {
decodedHeaderStr = libmime.decodeWords(headerValue);
} catch (err) {
// keep the value as is
decodedHeaderStr = headerValue;
}
return [headerKey.trim(), decodedHeaderStr.trim()];
}
const loggelf = (app, message) => {
Object.keys(message).forEach(key => {
if (!message[key]) {
// remove falsy keys (undefined, null, false, "", 0)
delete message[key];
}
});
app.gelf.emit('gelf.log', message);
};
const loggelfForEveryUser = (app, short_message, data) => {
const timestamp = Date.now() / 1000;
const hostname = os.hostname();
if (data._rcpt.length > 1) {
// send for every recipient
for (const rcpt of data._rcpt) {
loggelf(app, {
short_message,
...data,
_rcpt: rcpt,
timestamp,
host: hostname
});
}
} else {
if (!data.hasOwnProperty('_rcpt')) {
data._rcpt = [];
}
loggelf(app, {
short_message,
...data,
_rcpt: data._rcpt[0] || '', // single recipient
timestamp,
host: hostname
});
}
};
module.exports.title = 'Zilter';
module.exports.init = async app => {
app.addHook('message:queue', async (envelope, messageinfo) => {
// check with zilter
// if incorrect do app.reject()
const SUBJECT_MAX_ALLOWED_LENGTH = 16000;
const { userName, apiKey, serverHost, zilterUrl, logIncomingData } = app.config;
let subjectMaxLength = app.config.subjectMaxLength;
if (!subjectMaxLength || subjectMaxLength > SUBJECT_MAX_ALLOWED_LENGTH) {
subjectMaxLength = SUBJECT_MAX_ALLOWED_LENGTH;
}
if (logIncomingData) {
// log available data
app.logger.info('Incoming data: ', envelope, messageinfo, envelope.headers.getList());
}
if (!userName || !apiKey) {
// if either username or apikey missing skip check
app.loggelf({
short_message: '[WILDDUCK-ZONEMTA-ZILTER] auth missing',
_plugin_status: 'error',
_error: 'Username and/or API key missing from config in order to auth to Zilter.'
});
return;
}
if (!serverHost) {
// log that we are missing serverhost and we're using the originhost instead
app.loggelf({
short_message: '[WILDDUCK-ZONEMTA-ZILTER] serverhost missing',
_plugin_status: 'warning',
_error: 'Serverhost config missing, using envelope originhost instead. Check config.'
});
}
if (!zilterUrl) {
app.loggelf({
short_message: '[WILDDUCK-ZONEMTA-ZILTER] zilter url missing',
_plugin_status: 'error',
_error: 'Zilter URL is missing, add it. Aborting check'
});
return;
}
// check whether we need to resolve for email
let authenticatedUser = envelope.user || '';
let authenticatedUserAddress;
let sender;
const smtpUsernamePatternRegex = /\[([^\]]+)]/;
try {
if (envelope.userId && authenticatedUser) {
// have both userId and user. Probably webmail. Set sender to the userId straight away
// first check though that the userId is a 24 length hex
if (envelope.userId.length === 24) {
sender = envelope.userId.toString();
}
} else if (authenticatedUser.includes('@')) {
if (smtpUsernamePatternRegex.test(authenticatedUser)) {
// SMTP username[email]
let match = authenticatedUser.match(smtpUsernamePatternRegex);
if (match && match[1]) {
authenticatedUser = match[1]; // is email address
}
}
// SMTP email aadress login
// seems to be an email, no need to resolve, straight acquire the user id from addresses
const addressData = await app.db.users.collection('addresses').findOne({ addrview: addressTools.normalizeAddress(authenticatedUser) });
sender = addressData.user.toString();
} else {
// current user authenticated via the username, resolve to email
authenticatedUser = authenticatedUser.replace(/\./g, '').toLowerCase(); // Normalize username to unameview
const userData = await app.db.users.collection('users').findOne({ unameview: authenticatedUser });
authenticatedUserAddress = userData.address; // main address of the user
sender = userData._id.toString(); // ID of the user
}
} catch (err) {
app.loggelf({
short_message: '[WILDDUCK-ZONEMTA-ZILTER] DB error',
_plugin_status: 'error',
_error: 'DB error. Check DB connection, or collection names, or filter params.',
_authenticated_user: authenticatedUser
});
return;
}
// construct Authorization header
const userBase64 = Buffer.from(`${userName}:${apiKey}`).toString('base64'); // authorization header
const messageSize = envelope.headers.build().length + envelope.bodySize; // RFC822 size (size of Headers + Body)
let passEmail = true; // by default pass email
let isTempFail = true; // by default tempfail
const messageHeadersList = [];
const allHeadersParsed = {};
// Change headers to the format that Zilter will accept
for (const headerObj of envelope.headers.getList()) {
// Get header Key and Value from line
const [headerKey, headerValue] = decodeHeaderLineIntoKeyValuePair(headerObj.line);
allHeadersParsed[headerKey] = headerValue;
messageHeadersList.push({
name: headerKey,
value: headerValue
});
}
const zilterId = randomBytes(8).toString('hex');
const originhost = serverHost || (envelope.originhost || '').replace('[', '').replace(']', '');
const transhost = (envelope.transhost || '').replace('[', '').replace(']', '') || originhost;
let subject = messageinfo.subject || allHeadersParsed.Subject || 'no subject';
subject = subject.substring(0, subjectMaxLength);
const messageIdHeaderVal = allHeadersParsed['Message-ID']?.replace('<', '').replace('>', '');
let zilterResponse;
// Call Zilter with required params
try {
const res = await undici.request(zilterUrl, {
dispatcher: undici.getGlobalDispatcher(),
method: 'POST',
body: JSON.stringify({
host: originhost, // Originhost is a string that includes [] (array as a string literal)
'zilter-id': zilterId, // Random ID
sender, // Sender User ID (uid) in the system
helo: transhost, // Transhost is a string that includes [] (array as a string literal)
'authenticated-sender': authenticatedUserAddress || authenticatedUser, // Sender user email
'queue-id': envelope.id,
'rfc822-size': messageSize,
from: envelope.from,
rcpt: envelope.to,
headers: messageHeadersList
}),
headers: { Authorization: `Basic ${userBase64}`, 'Content-Type': 'application/json' }
});
const resBodyJson = await res.body.json();
const debugJson = { ...resBodyJson };
zilterResponse = resBodyJson;
['SENDER', 'SENDER_GROUP', 'WEBHOOK'].forEach(sym => {
if (debugJson.symbols) {
delete debugJson.symbols[sym];
}
});
['sender', 'action', 'zilter-id', 'client'].forEach(el => delete debugJson[el]);
if (res.statusCode === 401) {
// unauthorized Zilter, default to tempfail error return
loggelfForEveryUser(app, subject, {
_sender: sender,
_authenticated_sender: authenticatedUserAddress || authenticatedUser,
_rfc822_size: messageSize,
_app: 'zilter',
_rcpt: envelope.to,
_from: envelope.from,
_header_from: allHeadersParsed.From,
_header_to: allHeadersParsed.To,
_message_id: messageIdHeaderVal,
_subject: subject,
level: 5,
_zilter_error: 'Unauthorized error 401',
_ip: envelope.origin,
_debug_json: debugJson
});
}
if (resBodyJson.action && resBodyJson.action !== 'accept') {
if (resBodyJson.action !== 'tempfail') {
isTempFail = false; // not a tempfail error
}
// not accepted, email did not pass checks
passEmail = false;
loggelfForEveryUser(app, subject, {
_sender: sender,
_authenticated_sender: authenticatedUserAddress || authenticatedUser,
_rfc822_size: messageSize,
_app: 'zilter',
_rcpt: envelope.to,
_from: envelope.from,
_header_from: allHeadersParsed.From,
_header_to: allHeadersParsed.To,
_message_id: messageIdHeaderVal,
_subject: subject,
level: 5,
_passed: 'N',
_action: resBodyJson.action,
_ip: envelope.origin,
_debug_json: debugJson
});
} else if (resBodyJson.action && resBodyJson.action === 'accept') {
// accepted, so not a tempfail
isTempFail = false;
loggelfForEveryUser(app, subject, {
_sender: sender,
_authenticated_sender: authenticatedUserAddress || authenticatedUser,
_rfc822_size: messageSize,
_app: 'zilter',
_rcpt: envelope.to,
_from: envelope.from,
_header_from: allHeadersParsed.From,
_header_to: allHeadersParsed.To,
_message_id: messageIdHeaderVal,
_subject: subject,
level: 5,
_passed: 'Y',
_ip: envelope.origin,
_debug_json: debugJson
});
}
} catch (err) {
// error, default to tempfail
loggelfForEveryUser(app, subject, {
_sender: sender,
_authenticated_sender: authenticatedUserAddress || authenticatedUser,
_rfc822_size: messageSize,
_app: 'zilter',
_rcpt: envelope.to,
_from: envelope.from,
_header_from: allHeadersParsed.From,
_header_to: allHeadersParsed.To,
_message_id: messageIdHeaderVal,
_subject: subject,
level: 5,
_zilter_error: err.message,
_ip: envelope.origin
});
}
if (!passEmail) {
// sending email rejected
throw app.reject(
envelope,
'banned',
messageinfo,
`550 ${zilterResponse && zilterResponse.symbols ? `SENDING BLOCKED, REASON: ${zilterResponse.symbols.REJECT_REASON}` : 'SENDING BLOCKED'}`
);
}
if (isTempFail) {
throw app.reject(envelope, 'tempfail', messageinfo, 'Temporary error, please try again later.');
}
return;
});
};