_smf_: would you recommend it over SA in production at this point?
_smf_
No - I'm not using it in production yet myself.
But then for your likely volumes - I don't recommend SA either.
baudehlo
wtf is going on on the haraka mailing list. lol.
_smf_
baudehlo: LMAO - looks like the blind leading the blind.
EyePulp
_smf_: heh - if not SA and not rspamd... Are there other options? MessageSniffer?
_smf_
MessageSniffer is what I would go with.
EyePulp
hmmm....
unrelated - I run across the commits for not cuddling else statements, and I'm like okay, weird, but purely an opinion. But then I see a bunch of If (foo) do_whatever() single line if statements, and think "that's messed up"
embrace the brace.
=)
girishr joined the channel
DragonPunch has quit
darkpixel1 joined the channel
girishr
hi guys
been digging through the haraka code yesterday, i had some basic questions
did i understand correctly that 'relaying' means whether to relay or not (and not that relaying is in progress)
from what i can tell, relaying is set via the relay plugins or auth. these plugins give haraka the permission to relay the mail
is that a good way to think about the flag ?
_smf_
girishr: yes
When connection.relaying = true; the connection is allowed to relay.
girishr
_smf_: is there also a notion of inbound mail vs outbound mail somehow ?
specifically for plugins, let's say i have a dkim checker plugin
how does it know if this mail is coming in via port 25 (say) or it came via the mail submission port ?
i cannot find the logic in dkim_verifier.js which makes me think that maybe plugins are not aware of this
as in, one should not add dkim_verifier if haraka is meant for outbound mail
is that correct :-) ?
_smf_
No
dkim_verifier is for verifying incoming signatures - if a message is being sent out, then there's no harm in verifying a signature (if it exists).
And dkim_sign only runs on hook_queue_outbound which is only run if connection.relaying = true.
hook_queue is run for when connection.relaying = false (e.g. the message is inbound).
godsflaw joined the channel
girishr
ok thanks, got that part
but dkim was a bad example
what i am trying to do is to make sure that the user has authenticated before relaying
how does a plugin stop the connection if relaying is false and not authenticated
girishr: if you're not relaying (i.e. outbound) then it's assumed to be inbound mail, and something has to approve the recipients - some kind of rcpt hook. A lot of people use rcpt_to.in_host_list for that.
chazomaticus
baudehlo, did you see my questions about the TLS plugin ... 18 hours ago?
i think i understand now. so in my plugin, if i wanted to check if the client has auth'ed, i would simply look into connection.results.get('auth')
baudehlo
If you know you're only using AUTH to set connection.relaying, then you can just use that.
chazomaticus
baudehlo, that's a fine workaround, I'm just wondering if we could obviate the need for a workaround here
baudehlo
chazomaticus: we could, but is it necessary?
chazomaticus
¯\_(ツ)_/¯
it would put haraka in line with many other pieces of software that do TLS, in that most servers I've ever configured let you specify where the certs live
right now it seems to strike our systems people as an oversight on haraka's part
baudehlo
have your systems people never used symlinks? ;-)
EyePulp
zing!
chazomaticus
man, I don't want to talk about it ;)
baudehlo
Anyway it's fine to do a PR for it - but it won't go into 2.8
bear in mind tls.ini is used in more than just plugins/tls
chazomaticus
cool, cool
baudehlo
(outbound and smtp_client too)
girishr
baudehlo: sorry, still not getting one part. if haraka listens on port 25 and port 587. my plugin has rcpt_to hook. if relaying is false, this could mean the mail is a) incoming or b) auth was never done in 587. how do i distinguish ?
chazomaticus
thx baudehlo
baudehlo
girishr: you wouldn't. Why would you care?
if relaying is false on 587 it'll tell you to FOAD anyway.
girishr
baudehlo: so i want to enforce auth is done before relaying. the current auth plugins don't enforce it
baudehlo
"auth is done before relaying" - that phrase makes no sense.
EyePulp
baudehlo: is there a method for enforcing mandatory TLS from certain hosts already built in, or is that something I'd need to check via a plugin/whitelist I build.
girishr
right, so the other tangential issue is i don't run on port 587 and there is this hardcoded check in connection.js
EyePulp: you have to write that yourself - I did that for emailitin
girishr: so why is that check an issue?
It's just there to enforce the RFCs.
EyePulp
baudehlo: roger that. What hook do you check at if I can ask?
baudehlo
rcpt.
EyePulp
danke
baudehlo
It's literally this:
if (user.require_tls && !connection.using_tls) {
    return next(DENY, "This email address requires that email is sent over a secure connection");
}
girishr
baudehlo: so let me explain it like this. let's say i have haraka on port 25 (incoming) and port 2500 (relay). for the relay port i have an auth plugin setup
EyePulp
heh
I'll need weeks to study and digest that.
baudehlo
I know right.
I'm giving away my private secret sauce. Emailitin is going to go out of business.
girishr
baudehlo: it also turned out (maybe bad config from my side) that i allowed relaying via relay_acl from 172.x.x.x. this relay plugin ended up setting the relaying flag based on the IP
the end result was that: clients from 172.x.x.x were able to relay without auth despite auth_ldap
baudehlo
girishr: why not just run two Harakas?
girishr
of course, that is what the config says and haraka is doing what i told it :-)
baudehlo
so don't use relay_acl. Lol.
girishr
yes, i removed acl and now it works
but i am just trying to understand here what the design of haraka is :-)
i think the confusion for me was that haraka allows email to be sent if even _one_ of the plugins allowed it