From 7970aeafcce084243f313a4d953ed6d1e8b50662 Mon Sep 17 00:00:00 2001 From: DoobleD Date: Tue, 15 Jun 2021 22:15:33 +0200 Subject: [PATCH 1/6] fix(localhost-loop): avoid localhost outbound loop when target mx is localhost --- outbound/mx_lookup.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/outbound/mx_lookup.js b/outbound/mx_lookup.js index 2e4ca688b..9c45d4111 100644 --- a/outbound/mx_lookup.js +++ b/outbound/mx_lookup.js @@ -33,8 +33,10 @@ exports.lookup_mx = function lookup_mx (domain, cb) { } else if (addresses && addresses.length) { for (let i=0,l=addresses.length; i < l; i++) { - const mx = wrap_mx(addresses[i]); - mxs.push(mx); + if (!net_utils.is_local_ip(addresses[i].exchange)) { + const mx = wrap_mx(addresses[i]); + mxs.push(mx); + } } cb(null, mxs); } From 94f8fe4f4d1cbaf5253dd057574d27da60da3523 Mon Sep 17 00:00:00 2001 From: DoobleD Date: Wed, 16 Jun 2021 12:46:12 +0200 Subject: [PATCH 2/6] fix(localhost-loop): add outbound config local_mx_ok, default to false --- docs/Outbound.md | 6 ++++++ outbound/config.js | 3 +++ outbound/mx_lookup.js | 4 +++- 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/Outbound.md b/docs/Outbound.md index 0983cce53..13aeef355 100644 --- a/docs/Outbound.md +++ b/docs/Outbound.md @@ -95,6 +95,12 @@ Set this to `0` to completely disable the pooling code. This value determines how many concurrent connections can be made to a single IP address (destination) in the pool. Default: 10 connections. +* `local_mx_ok` + +Default: false. By default, outbound to a local IP is disabled, to avoid creating +outbound loops. Set this to true if you want to allow outbound to local IPs. +This is be useful if you want to deliver mail to localhost on another port. + ### outbound.bounce\_message See "Bounce Messages" below for details. diff --git a/outbound/config.js b/outbound/config.js index f8dec7a2e..3d49a9354 100644 --- a/outbound/config.js +++ b/outbound/config.js 
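Review bot: In the `outbound/mx_lookup.js` hunk of PATCH 1/6, `net_utils.is_local_ip(addresses[i].exchange)` is applied to the record's `exchange` field, which is normally a hostname rather than an IP literal if `addresses` comes from an MX lookup, as the surrounding names suggest. In that case the guard likely only catches records that spell out a local address directly, and an MX host whose A/AAAA record resolves to loopback or to one of this server's own addresses would still be pushed into `mxs`. MX data is controlled by whoever owns the recipient domain, so the loop protection should not depend on how the record is written. Consider repeating the check on the resolved address before connecting, or at least marking the limit with a comment such as `// exchange is usually a hostname; resolved addresses are not checked here`. The same expression is carried into the `@@ -35,7 +35,7 @@` hunk of PATCH 2/6, and the enclosing `lookup_mx` callback starts and ends outside both hunks.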
@@ -42,6 +42,9 @@ function load_config () { if (!cfg.received_header) { cfg.received_header = config.get('outbound.received_header') || 'Haraka outbound'; } + if (!cfg.local_mx_ok) { + cfg.local_mx_ok = config.get('outbound.local_mx_ok') || false; + } } load_config(); diff --git a/outbound/mx_lookup.js b/outbound/mx_lookup.js index 9c45d4111..c985191e7 100644 --- a/outbound/mx_lookup.js +++ b/outbound/mx_lookup.js @@ -3,6 +3,8 @@ const dns = require('dns'); const net_utils = require('haraka-net-utils') +const obc = require('./config'); + exports.lookup_mx = function lookup_mx (domain, cb) { const mxs = []; @@ -33,7 +35,7 @@ exports.lookup_mx = function lookup_mx (domain, cb) { } else if (addresses && addresses.length) { for (let i=0,l=addresses.length; i < l; i++) { - if (!net_utils.is_local_ip(addresses[i].exchange)) { + if (obc.cfg.local_mx_ok || !net_utils.is_local_ip(addresses[i].exchange)) { const mx = wrap_mx(addresses[i]); mxs.push(mx); } From 76f50cb186eac03140f48cd4961dc30866338772 Mon Sep 17 00:00:00 2001 From: DoobleD Date: Wed, 16 Jun 2021 12:51:48 +0200 Subject: [PATCH 3/6] fix(localhost-loop): update Changes.md with new outbound config local_mx_ok --- Changes.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changes.md b/Changes.md index 21c2f0008..202a665cf 100644 --- a/Changes.md +++ b/Changes.md @@ -9,11 +9,13 @@ - use address-rfc2821 2.0.0 - http: use CDN for bootstrap/jquery, drop bower #2891 - drop support for node 10 #2890 +- outbound: disable outbound to localhost by default #2952 ### New features - tls: require secure and verified sockets for configured hosts/domains - tls: add `no_starttls_ports` - an array of incoming ports where STARTTLS is not advertised +- outbound: add local_mx_ok config #2952 ### Fixes From 8c94008ff37ce14eafdef1b915fca69f9fc0ce9b Mon Sep 17 00:00:00 2001 
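Review bot: In the `@@ -35,7 +35,7 @@` hunk of `outbound/mx_lookup.js`, a record that fails the `obc.cfg.local_mx_ok || !net_utils.is_local_ip(...)` test is dropped without any trace, and when every record is dropped `mxs` stays empty. The `cb(null, mxs)` call that follows the loop (outside this hunk, visible in PATCH 1/6) would then report success with no hosts, so whether the message bounces, defers or falls back to another lookup depends on caller code not shown here. A log line at the skip naming the domain and the rejected exchange, plus an explicit error or a documented outcome for the all-filtered case, would make the new default diagnosable for operators. A short comment at the condition, for example `// local MX skipped to avoid delivery loops unless local_mx_ok is set`, would also record why the filter exists.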
From: DoobleD Date: Wed, 16 Jun 2021 16:10:08 +0200 Subject: [PATCH 4/6] fix(localhost-loop): config fix --- outbound/config.js | 1 + 1 file changed, 1 insertion(+) diff --git a/outbound/config.js b/outbound/config.js index 3d49a9354..934fd477d 100644 --- a/outbound/config.js +++ b/outbound/config.js @@ -9,6 +9,7 @@ function load_config () { '-always_split', '+enable_tls', '-ipv6_enabled', + '-local_mx_ok', ], }, () => { load_config(); From 29e6b123319aa7f34cd8d91dd880855fd1fbcad6 Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Wed, 16 Jun 2021 17:25:55 -0700 Subject: [PATCH 5/6] Update docs/Outbound.md --- docs/Outbound.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Outbound.md b/docs/Outbound.md index 13aeef355..a575f969c 100644 --- a/docs/Outbound.md +++ b/docs/Outbound.md @@ -99,7 +99,7 @@ IP address (destination) in the pool. Default: 10 connections. Default: false. By default, outbound to a local IP is disabled, to avoid creating outbound loops. Set this to true if you want to allow outbound to local IPs. -This is be useful if you want to deliver mail to localhost on another port. +This could be useful if you want to deliver mail to localhost on another port. ### outbound.bounce\_message From 255eb549cdf1947e94a0fdb9086e391668b8b030 Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Wed, 1 Sep 2021 12:01:34 -0700 Subject: [PATCH 6/6] remove backwards compat shim, not needed --- outbound/config.js | 3 --- 1 file changed, 3 deletions(-) diff --git a/outbound/config.js b/outbound/config.js index 934fd477d..a339066aa 100644 --- a/outbound/config.js +++ b/outbound/config.js @@ -43,9 +43,6 @@ function load_config () { if (!cfg.received_header) { cfg.received_header = config.get('outbound.received_header') || 'Haraka outbound'; } - if (!cfg.local_mx_ok) { - cfg.local_mx_ok = config.get('outbound.local_mx_ok') || false; - } } load_config();