feat: if AUTH, assure Env From dom matches AUTH dom

related to haraka/haraka-plugin-limit#28

plugins/auth/auth_base.js

@@ -15,7 +15,7 @@ const LOGIN_STRING2 = 'UGFzc3dvcmQ6'; //Password: base64 coded
 
 exports.hook_capabilities = (next, connection) => {
     // Don't offer AUTH capabilities unless session is encrypted
-    if (!connection.tls.enabled) { return next(); }
+    if (!connection.tls.enabled) return next();
 
     const methods = [ 'PLAIN', 'LOGIN', 'CRAM-MD5' ];
     connection.capabilities.push(`AUTH ${methods.join(' ')}`);
@@ -47,9 +47,8 @@ exports.hook_unrecognized_command = function (next, connection, params) {
 
 exports.check_plain_passwd = function (connection, user, passwd, cb) {
     function callback (plain_pw) {
-        if (plain_pw === null  ) return cb(false);
-        if (plain_pw !== passwd) return cb(false);
-        cb(true);
+        const result = plain_pw === null ? false : plain_pw === passwd
+        cb(result);
     }
     if (this.get_plain_passwd.length == 2) {
         this.get_plain_passwd(user, callback);
@@ -71,7 +70,7 @@ exports.check_cram_md5_passwd = function (connection, user, passwd, cb) {
 
         if (hmac.digest('hex') === passwd) return cb(true);
 
-        return cb(false);
+        cb(false);
     }
     if (this.get_plain_passwd.length == 2) {
         this.get_plain_passwd(user, callback);
@@ -117,7 +116,7 @@ exports.check_user = function (next, connection, credentials, method) {
                 connection.auth_results(`auth=pass (${method.toLowerCase()})`);
                 connection.notes.auth_user = credentials[0];
                 if (!plugin.blankout_password) connection.notes.auth_passwd = credentials[1];
-                return next(OK);
+                next(OK);
             });
             return;
         }

plugins/auth/auth_vpopmaild.js

@@ -2,27 +2,32 @@
 
 const net    = require('net');
 
+const tlds   = require('haraka-tld')
+
 exports.register = function () {
     this.inherits('auth/auth_base');
     this.load_vpop_ini();
+
+    this.register_hook('mail', 'env_from_matches_auth_domain')
 }
 
 exports.load_vpop_ini = function () {
     this.cfg = this.config.get('auth_vpopmaild.ini', () => {
         this.load_vpop_ini();
     });
+    this.blankout_password=true
 }
 
 exports.hook_capabilities = function (next, connection) {
     if (!connection.tls.enabled) { return next(); }
 
     const methods = [ 'PLAIN', 'LOGIN' ];
-    if (this.cfg.main.sysadmin) { methods.push('CRAM-MD5'); }
+    if (this.cfg.main.sysadmin) methods.push('CRAM-MD5');
 
     connection.capabilities.push(`AUTH ${methods.join(' ')}`);
     connection.notes.allowed_auth_methods = methods;
 
-    return next();
+    next();
 }
 
 exports.check_plain_passwd = function (connection, user, passwd, cb) {
@@ -49,11 +54,12 @@ exports.check_plain_passwd = function (connection, user, passwd, cb) {
             }
             socket.end();             // disconnect
         }
-    });
+    })
+
     socket.on('end', () => {
         connection.loginfo(this, `AUTH user="${user}" success=${auth_success}`);
-        return cb(auth_success);
-    });
+        cb(auth_success);
+    })
 }
 
 exports.get_sock_opts = function (user) {
@@ -151,3 +157,20 @@ exports.get_plain_passwd = function (user, connection, cb) {
         cb(plain_pass ? plain_pass.toString() : plain_pass);
     });
 }
+
+exports.env_from_matches_auth_domain = function (next, connection, params) {
+    const au = connection.results.get('auth')?.user
+    if (!au) return next()
+
+    const ad = /@/.test(au) ? au.split('@').pop() : au
+    const ed = params[0].host
+
+    if (!ad || !ed) return next()
+
+    const auth_od = tlds.get_organizational_domain(ad)
+    const envelope_od = tlds.get_organizational_domain(ed)
+
+    if (auth_od === envelope_od) return next()
+
+    next(DENY, `Envelope domain '${envelope_od}' doesn't match AUTH domain '${auth_od}'`)
+}