You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm one of the Haraka committers and I just stumbled across your plugin.
In your plugin you're setting connection.relaying = true to force the use of Haraka's outbound module to deliver the mail to the aliases destination address. Whilst this might work, it's wrong to do it like this because you can easily create a security hole if your hook_rcpt function return's next() for any reason.
Your plugin is OK because it does a next(DENY) if the alias doesn't match, but if someone customized this, they could easily create this issue.
connection.relaying is a connection level variable, meaning once it is set - it persists across the lifetime of the connection.
The 'correct' way to do this is to remove the connection.relaying = true line and then add yourself a custom queue hook which does this:
var outbound = require('./outbound');
var constants = require('./constants');
exports.hook_queue = function (next, connection) {
var txn = connection.transaction;
outbound.send_email(txn, function(retval, msg) {
switch(retval) {
case constants.ok:
return next(OK, msg);
break;
case constants.deny:
return next(DENY, msg);
break;
default:
return next(DENYSOFT, msg);
}
});
}
That way you can safely fall through hook_rcpt with next() without creating an open relay.
The text was updated successfully, but these errors were encountered:
I'm one of the Haraka committers and I just stumbled across your plugin.
In your plugin you're setting
connection.relaying = trueto force the use of Haraka's outbound module to deliver the mail to the aliases destination address. Whilst this might work, it's wrong to do it like this because you can easily create a security hole if your hook_rcpt function return's next() for any reason.Your plugin is OK because it does a
next(DENY)if the alias doesn't match, but if someone customized this, they could easily create this issue.connection.relayingis a connection level variable, meaning once it is set - it persists across the lifetime of the connection.The 'correct' way to do this is to remove the
connection.relaying = trueline and then add yourself a custom queue hook which does this:That way you can safely fall through hook_rcpt with next() without creating an open relay.
The text was updated successfully, but these errors were encountered: