
Make Haraka more configurable and secure

Open AprilGrimoire opened this issue 1 month ago • 9 comments

Changes proposed in this pull request:

  • Add config option in smtp.ini for ports to enable STARTTLS
  • Make authentication required on ports with a whitelist for authentication-exemption; add config option for this exemption

Checklist:

  • [y] docs updated
  • [n] tests updated (Needs help)
  • [y] Changes updated

AprilGrimoire avatar Nov 12 '25 11:11 AprilGrimoire

It breaks server/nodemailer/accepts SMTP message, but that is by design. Should I add more testing code with a new server instance for this?

AprilGrimoire avatar Nov 12 '25 12:11 AprilGrimoire

(btw why are there many certificate errors? Are those related to me?)

AprilGrimoire avatar Nov 12 '25 12:11 AprilGrimoire

It breaks server/nodemailer/accepts SMTP message, but that is by design.

Presumably because you believe that makes it more secure? How, exactly? Please explain why you believe this.

Should I add more testing code with a new server instance for this?

Why? The existing testing code is doing its job of preventing well intentioned PRs from breaking existing and useful functionality.

(btw why are there many certificate errors? Are those related to me?)

These errors are spat out because there are broken (in unique ways) TLS certificates in the test configs. Broken TLS certs can make it into production and we prefer to handle the inability to load a TLS certificate gracefully.

msimerson avatar Nov 12 '25 23:11 msimerson

It's on a remote VPS, so traffic goes through many untrusted parties. Since I use AUTH method PLAIN, having STARTTLS NO-GO allowed might result in user credentials transferred without encryption.

It will not. If you read the code in the provided auth plugins, you'll find that we don't present the SMTP AUTH option unless the connection is encrypted (whether via TLS or STARTTLS).

msimerson avatar Nov 13 '25 02:11 msimerson

It will not. If you read the code in the provided auth plugins, you'll find that we don't present the SMTP AUTH option unless the connection is encrypted (whether via TLS or STARTTLS).

Oh! Sorry for bothering, but then what's the purpose of the line about 587?

AprilGrimoire avatar Nov 13 '25 02:11 AprilGrimoire

It prevents email delivery on those ports unless the connection is authenticated. It was added long ago when we observed spam software attempting to evade filters on port 25 by connecting to those ports instead.

msimerson avatar Nov 13 '25 02:11 msimerson

It prevents email delivery on those ports unless the connection is authenticated. It was added long ago when we observed spam software attempting to evade filters on port 25 by connecting to those ports instead.

Is it still helpful now? I think you had the same thing in mind: Here you used the name 2874-constrain-nogo-to-port-25.

AprilGrimoire avatar Nov 13 '25 03:11 AprilGrimoire

Is it still helpful now?

I'd have to go log spelunking to answer that for certain but I'd wager yes. Spammers are always and forever looking for ways to bypass filters.

Perhaps the way to make it configurable is to add a config setting such as no_tls_ports[]=25 ? Then it's configurable for where it applies, instead of excluding ports 465 and 587.

msimerson avatar Nov 13 '25 05:11 msimerson
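The two behaviours discussed above (AUTH only advertised on an encrypted connection, and delivery on the submission ports refused unless authenticated) together with the proposed `no_tls_ports[]=25` setting can be modelled as a small per-port policy. The following is an added example, not Haraka's own code or a proposed patch: the ini parser, the `auth_required_ports[]` key, the `mailPolicy` / `advertiseAuth` functions and the shape of the `conn` object are all assumptions made for illustration. The sample ini text is constructed.

```javascript
// Added example (not Haraka's code): a minimal model of the per-port
// TLS / AUTH policy discussed in the thread. Key names and the connection
// object shape are assumptions, not Haraka's real config or API.

// Parse ini-style text. Keys ending in "[]" accumulate into arrays
// (the no_tls_ports[]=25 style); everything else is a plain string.
function parseIni(text) {
  const cfg = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    // skip blanks, comments and [section] headers
    if (!line || line[0] === ';' || line[0] === '#' || line[0] === '[') continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const val = line.slice(eq + 1).trim();
    if (key.endsWith('[]')) {
      const k = key.slice(0, -2);
      (cfg[k] = cfg[k] || []).push(val);
    } else {
      cfg[key] = val;
    }
  }
  return cfg;
}

// Constructed sample config; not a real smtp.ini.
const SAMPLE_INI = `
; constructed sample
listen=[::0]:25,[::0]:465,[::0]:587
no_tls_ports[]=25
auth_required_ports[]=465
auth_required_ports[]=587
`;

// Turn the parsed config into sets of port numbers.
function loadPolicy(text) {
  const cfg = parseIni(text);
  return {
    noTlsPorts: new Set((cfg.no_tls_ports || []).map(Number)),
    authRequiredPorts: new Set((cfg.auth_required_ports || []).map(Number)),
  };
}

// Whether AUTH should appear in the EHLO response at all: never on a
// cleartext connection, so PLAIN credentials cannot cross the wire unencrypted.
function advertiseAuth(conn) {
  return conn.encrypted === true;
}

// Decide what to do with MAIL FROM on this connection.
// conn = { localPort, encrypted, authenticated }
function mailPolicy(policy, conn) {
  // Cleartext is tolerated only on ports listed in no_tls_ports.
  if (!conn.encrypted && !policy.noTlsPorts.has(conn.localPort)) {
    return { ok: false, code: 530, msg: 'Must issue a STARTTLS command first' };
  }
  // Submission ports refuse delivery from unauthenticated clients.
  if (policy.authRequiredPorts.has(conn.localPort) && !conn.authenticated) {
    return { ok: false, code: 530, msg: 'Authentication required' };
  }
  return { ok: true, code: 250, msg: 'OK' };
}

// Stand-alone demo: a cleartext client on 587 is told to STARTTLS first.
const demoPolicy = loadPolicy(SAMPLE_INI);
console.log(mailPolicy(demoPolicy, { localPort: 587, encrypted: false, authenticated: false }));
```

The point of keeping the cleartext exemption as a configured list rather than a hard-coded exclusion of 465 and 587 is that an operator can shrink it (or empty it) without touching code, while the AUTH-only-when-encrypted rule stays unconditional.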

Weird. I tried to modify test/config/smtp.ini, however I couldn't get the tests to work. I found when Connection.cmd_call is called during tests, this.server.cfg is undefined. This week I won't have much time to figure it out myself. Maybe later I'll have more time.

AprilGrimoire avatar Nov 13 '25 17:11 AprilGrimoire