dcrouter/test/suite/smtpclient_commands/test.ccmd-10.vrfy-expn.ts

import { tap, expect } from '@git.zone/tstest/tapbundle';
import { startTestServer, stopTestServer, type ITestServer } from '../../helpers/server.loader.js';
import { createSmtpClient } from '../../../ts/mail/delivery/smtpclient/index.js';
import type { SmtpClient } from '../../../ts/mail/delivery/smtpclient/smtp-client.js';
import { Email } from '../../../ts/mail/core/classes.email.js';

let testServer: ITestServer;

tap.test('setup test SMTP server', async () => {
  testServer = await startTestServer({
    port: 2550,
    tlsEnabled: false,
    authRequired: false
  });
  expect(testServer).toBeTruthy();
  expect(testServer.port).toBeGreaterThan(0);
});

tap.test('CCMD-10: VRFY command basic usage', async () => {
  const smtpClient = createSmtpClient({
    host: testServer.hostname,
    port: testServer.port,
    secure: false,
    connectionTimeout: 5000,
    debug: true
  });

  await smtpClient.connect();
  await smtpClient.sendCommand('EHLO testclient.example.com');

  // Test VRFY with various addresses
  const testAddresses = [
    'user@example.com',
    'postmaster',
    'admin@example.com',
    'nonexistent@example.com'
  ];

  for (const address of testAddresses) {
    const response = await smtpClient.sendCommand(`VRFY ${address}`);
    console.log(`VRFY ${address}: ${response.trim()}`);
    
    // Response codes:
    // 250 - Address valid
    // 251 - Address valid but not local
    // 252 - Cannot verify but will accept
    // 550 - Address not found
    // 502 - Command not implemented
    // 252 - Cannot VRFY user
    
    expect(response).toMatch(/^[25]\d\d/);
    
    if (response.startsWith('250') || response.startsWith('251')) {
      console.log(`  -> Address verified: ${address}`);
    } else if (response.startsWith('252')) {
      console.log(`  -> Cannot verify: ${address}`);
    } else if (response.startsWith('550')) {
      console.log(`  -> Address not found: ${address}`);
    } else if (response.startsWith('502')) {
      console.log(`  -> VRFY not implemented`);
    }
  }

  await smtpClient.close();
});

tap.test('CCMD-10: EXPN command basic usage', async () => {
  const smtpClient = createSmtpClient({
    host: testServer.hostname,
    port: testServer.port,
    secure: false,
    connectionTimeout: 5000,
    debug: true
  });

  await smtpClient.connect();
  await smtpClient.sendCommand('EHLO testclient.example.com');

  // Test EXPN with mailing lists
  const testLists = [
    'all',
    'staff',
    'users@example.com',
    'mailinglist'
  ];

  for (const list of testLists) {
    const response = await smtpClient.sendCommand(`EXPN ${list}`);
    console.log(`EXPN ${list}: ${response.trim()}`);
    
    // Response codes:
    // 250 - Expansion successful (may be multi-line)
    // 252 - Cannot expand
    // 550 - List not found
    // 502 - Command not implemented
    
    expect(response).toMatch(/^[25]\d\d/);
    
    if (response.startsWith('250')) {
      // Multi-line response possible
      const lines = response.split('\r\n');
      console.log(`  -> List expanded to ${lines.length - 1} entries`);
    } else if (response.startsWith('252')) {
      console.log(`  -> Cannot expand list: ${list}`);
    } else if (response.startsWith('550')) {
      console.log(`  -> List not found: ${list}`);
    } else if (response.startsWith('502')) {
      console.log(`  -> EXPN not implemented`);
    }
  }

  await smtpClient.close();
});

tap.test('CCMD-10: VRFY with full names', async () => {
  const smtpClient = createSmtpClient({
    host: testServer.hostname,
    port: testServer.port,
    secure: false,
    connectionTimeout: 5000,
    debug: true
  });

  await smtpClient.connect();
  await smtpClient.sendCommand('EHLO testclient.example.com');

  // Test VRFY with full names
  const fullNameTests = [
    'John Doe',
    '"Smith, John" <john.smith@example.com>',
    'Mary Johnson <mary@example.com>',
    'Robert "Bob" Williams'
  ];

  for (const name of fullNameTests) {
    const response = await smtpClient.sendCommand(`VRFY ${name}`);
    console.log(`VRFY "${name}": ${response.trim()}`);
    
    // Check if response includes email address
    const emailMatch = response.match(/<([^>]+)>/);
    if (emailMatch) {
      console.log(`  -> Resolved to: ${emailMatch[1]}`);
    }
  }

  await smtpClient.close();
});

tap.test('CCMD-10: VRFY/EXPN security considerations', async () => {
  const smtpClient = createSmtpClient({
    host: testServer.hostname,
    port: testServer.port,
    secure: false,
    connectionTimeout: 5000,
    debug: true
  });

  await smtpClient.connect();
  await smtpClient.sendCommand('EHLO testclient.example.com');

  // Many servers disable VRFY/EXPN for security
  console.log('\nTesting security responses:');

  // Check if commands are disabled
  const vrfyResponse = await smtpClient.sendCommand('VRFY postmaster');
  const expnResponse = await smtpClient.sendCommand('EXPN all');

  if (vrfyResponse.startsWith('502') || vrfyResponse.startsWith('252')) {
    console.log('VRFY is disabled or restricted (security best practice)');
  }

  if (expnResponse.startsWith('502') || expnResponse.startsWith('252')) {
    console.log('EXPN is disabled or restricted (security best practice)');
  }

  // Test potential information disclosure
  const probeAddresses = [
    'root',
    'admin',
    'administrator',
    'webmaster',
    'hostmaster',
    'abuse'
  ];

  let disclosureCount = 0;
  for (const addr of probeAddresses) {
    const response = await smtpClient.sendCommand(`VRFY ${addr}`);
    if (response.startsWith('250') || response.startsWith('251')) {
      disclosureCount++;
      console.log(`Information disclosed for: ${addr}`);
    }
  }

  console.log(`Total addresses disclosed: ${disclosureCount}/${probeAddresses.length}`);

  await smtpClient.close();
});

tap.test('CCMD-10: VRFY/EXPN during transaction', async () => {
  const smtpClient = createSmtpClient({
    host: testServer.hostname,
    port: testServer.port,
    secure: false,
    connectionTimeout: 5000,
    debug: true
  });

  await smtpClient.connect();
  await smtpClient.sendCommand('EHLO testclient.example.com');

  // Start a mail transaction
  await smtpClient.sendCommand('MAIL FROM:<sender@example.com>');
  await smtpClient.sendCommand('RCPT TO:<recipient@example.com>');

  // VRFY/EXPN during transaction should not affect it
  const vrfyResponse = await smtpClient.sendCommand('VRFY user@example.com');
  console.log(`VRFY during transaction: ${vrfyResponse.trim()}`);

  const expnResponse = await smtpClient.sendCommand('EXPN mailinglist');
  console.log(`EXPN during transaction: ${expnResponse.trim()}`);

  // Continue transaction
  const dataResponse = await smtpClient.sendCommand('DATA');
  expect(dataResponse).toInclude('354');

  await smtpClient.sendCommand('Subject: Test\r\n\r\nTest message\r\n.');
  
  console.log('Transaction completed successfully after VRFY/EXPN');

  await smtpClient.close();
});

tap.test('CCMD-10: VRFY with special characters', async () => {
  const smtpClient = createSmtpClient({
    host: testServer.hostname,
    port: testServer.port,
    secure: false,
    connectionTimeout: 5000,
    debug: true
  });

  await smtpClient.connect();
  await smtpClient.sendCommand('EHLO testclient.example.com');

  // Test addresses with special characters
  const specialAddresses = [
    'user+tag@example.com',
    'first.last@example.com',
    'user%remote@example.com',
    '"quoted string"@example.com',
    'user@[192.168.1.1]',
    'user@sub.domain.example.com'
  ];

  for (const addr of specialAddresses) {
    const response = await smtpClient.sendCommand(`VRFY ${addr}`);
    console.log(`VRFY special address "${addr}": ${response.trim()}`);
  }

  await smtpClient.close();
});

tap.test('CCMD-10: EXPN multi-line response', async () => {
  const smtpClient = createSmtpClient({
    host: testServer.hostname,
    port: testServer.port,
    secure: false,
    connectionTimeout: 5000,
    debug: true
  });

  await smtpClient.connect();
  await smtpClient.sendCommand('EHLO testclient.example.com');

  // EXPN might return multiple addresses
  const response = await smtpClient.sendCommand('EXPN all-users');
  
  if (response.startsWith('250')) {
    const lines = response.split('\r\n').filter(line => line.length > 0);
    
    console.log('EXPN multi-line response:');
    lines.forEach((line, index) => {
      if (line.includes('250-')) {
        // Continuation line
        const address = line.substring(4);
        console.log(`  Member ${index + 1}: ${address}`);
      } else if (line.includes('250 ')) {
        // Final line
        const address = line.substring(4);
        console.log(`  Member ${index + 1}: ${address} (last)`);
      }
    });
  }

  await smtpClient.close();
});

tap.test('CCMD-10: VRFY/EXPN rate limiting', async () => {
  const smtpClient = createSmtpClient({
    host: testServer.hostname,
    port: testServer.port,
    secure: false,
    connectionTimeout: 5000,
    debug: false // Quiet for rate test
  });

  await smtpClient.connect();
  await smtpClient.sendCommand('EHLO testclient.example.com');

  // Send many VRFY commands rapidly
  const requestCount = 20;
  const startTime = Date.now();
  let successCount = 0;
  let rateLimitHit = false;

  console.log(`Sending ${requestCount} VRFY commands rapidly...`);

  for (let i = 0; i < requestCount; i++) {
    const response = await smtpClient.sendCommand(`VRFY user${i}@example.com`);
    
    if (response.startsWith('421') || response.startsWith('450')) {
      rateLimitHit = true;
      console.log(`Rate limit hit at request ${i + 1}`);
      break;
    } else if (response.match(/^[25]\d\d/)) {
      successCount++;
    }
  }

  const elapsed = Date.now() - startTime;
  const rate = (successCount / elapsed) * 1000;

  console.log(`Completed ${successCount} requests in ${elapsed}ms`);
  console.log(`Rate: ${rate.toFixed(2)} requests/second`);
  
  if (rateLimitHit) {
    console.log('Server implements rate limiting (good security practice)');
  }

  await smtpClient.close();
});

tap.test('CCMD-10: VRFY/EXPN error handling', async () => {
  const smtpClient = createSmtpClient({
    host: testServer.hostname,
    port: testServer.port,
    secure: false,
    connectionTimeout: 5000,
    debug: true
  });

  await smtpClient.connect();
  await smtpClient.sendCommand('EHLO testclient.example.com');

  // Test error cases
  const errorTests = [
    { command: 'VRFY', description: 'VRFY without parameter' },
    { command: 'EXPN', description: 'EXPN without parameter' },
    { command: 'VRFY @', description: 'VRFY with invalid address' },
    { command: 'EXPN ""', description: 'EXPN with empty string' },
    { command: 'VRFY ' + 'x'.repeat(500), description: 'VRFY with very long parameter' }
  ];

  for (const test of errorTests) {
    try {
      const response = await smtpClient.sendCommand(test.command);
      console.log(`${test.description}: ${response.trim()}`);
      
      // Should get error response
      expect(response).toMatch(/^[45]\d\d/);
    } catch (error) {
      console.log(`${test.description}: Caught error - ${error.message}`);
    }
  }

  await smtpClient.close();
});

tap.test('cleanup test SMTP server', async () => {
  if (testServer) {
    await testServer.stop();
  }
});

export default tap.start();