serve.zone/dcrouter
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Philipp Kunz
2025-05-24 17:00:59 +00:00
parent 4e4c7df558
commit 11a2ae6b27
16 changed files with 8733 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

411
test/suite/smtpclient_security/test.csec-06.certificate-validation.ts Normal file
View File

@ -0,0 +1,411 @@
import { expect, tap } from '@git.zone/tstest/tapbundle';
import * as plugins from './plugins.js';
import { createTestServer } from '../../helpers/server.loader.js';
import { createSmtpClient } from '../../helpers/smtp.client.js';
tap.test('CSEC-06: should validate TLS certificates correctly', async (tools) => {
const testId = 'CSEC-06-certificate-validation';
console.log(`\n${testId}: Testing TLS certificate validation...`);
let scenarioCount = 0;
// Scenario 1: Valid certificate acceptance
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing valid certificate acceptance`);
const testServer = await createTestServer({
secure: true,
onConnection: async (socket) => {
console.log(' [Server] Secure client connected');
socket.write('220 secure.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
console.log(` [Server] Received: ${command}`);
if (command.startsWith('EHLO')) {
socket.write('250-secure.example.com\r\n');
socket.write('250-SIZE 10485760\r\n');
socket.write('250 AUTH PLAIN LOGIN\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK: Secure message accepted\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: true,
tls: {
rejectUnauthorized: false // Accept self-signed for test
}
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Valid certificate test',
text: 'Testing with valid TLS connection'
});
const result = await smtpClient.sendMail(email);
console.log(` Result: ${result.messageId ? 'Success' : 'Failed'}`);
console.log(' Certificate accepted for secure connection');
expect(result).toBeDefined();
expect(result.messageId).toBeDefined();
await testServer.server.close();
})();
// Scenario 2: Self-signed certificate handling
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing self-signed certificate handling`);
const testServer = await createTestServer({
secure: true,
onConnection: async (socket) => {
console.log(' [Server] Client connected with self-signed cert');
socket.write('220 selfsigned.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-selfsigned.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
// Test with strict validation (should fail)
const strictClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: true,
tls: {
rejectUnauthorized: true // Reject self-signed
}
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Self-signed cert test',
text: 'Testing self-signed certificate rejection'
});
try {
await strictClient.sendMail(email);
console.log(' Unexpected: Self-signed cert was accepted');
} catch (error) {
console.log(` Expected error: ${error.message}`);
expect(error.message).toContain('self signed');
}
// Test with relaxed validation (should succeed)
const relaxedClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: true,
tls: {
rejectUnauthorized: false // Accept self-signed
}
});
const result = await relaxedClient.sendMail(email);
console.log(' Self-signed cert accepted with relaxed validation');
expect(result).toBeDefined();
expect(result.messageId).toBeDefined();
await testServer.server.close();
})();
// Scenario 3: Certificate hostname verification
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing certificate hostname verification`);
const testServer = await createTestServer({
secure: true,
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 mail.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-mail.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
// Connect with hostname verification
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: true,
tls: {
rejectUnauthorized: false, // For self-signed
servername: testServer.hostname, // Verify hostname
checkServerIdentity: (hostname, cert) => {
console.log(` Verifying hostname: ${hostname}`);
console.log(` Certificate CN: ${cert.subject?.CN || 'N/A'}`);
// Custom verification logic could go here
return undefined; // No error
}
}
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Hostname verification test',
text: 'Testing certificate hostname matching'
});
const result = await smtpClient.sendMail(email);
console.log(' Hostname verification completed');
expect(result).toBeDefined();
expect(result.messageId).toBeDefined();
await testServer.server.close();
})();
// Scenario 4: Certificate expiration handling
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing certificate expiration handling`);
// Note: In a real test, we would use an expired certificate
// For this test, we simulate the behavior
const testServer = await createTestServer({
secure: true,
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 expired.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-expired.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: true,
tls: {
rejectUnauthorized: false,
// Custom certificate validation
secureContext: {
cert: undefined,
key: undefined,
ca: undefined
}
}
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Certificate expiration test',
text: 'Testing expired certificate handling'
});
console.log(' Testing with potentially expired certificate...');
const result = await smtpClient.sendMail(email);
console.log(' Connection established (test environment)');
expect(result).toBeDefined();
await testServer.server.close();
})();
// Scenario 5: Certificate chain validation
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing certificate chain validation`);
const testServer = await createTestServer({
secure: true,
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 chain.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-chain.example.com\r\n');
socket.write('250-STARTTLS\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: true,
tls: {
rejectUnauthorized: false,
// In production, would specify CA certificates
ca: undefined,
requestCert: true,
// Log certificate details
secureContext: undefined
}
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Certificate chain test',
text: 'Testing certificate chain validation'
});
const result = await smtpClient.sendMail(email);
console.log(' Certificate chain validation completed');
expect(result).toBeDefined();
expect(result.messageId).toBeDefined();
await testServer.server.close();
})();
// Scenario 6: Certificate pinning
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing certificate pinning`);
const testServer = await createTestServer({
secure: true,
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 pinned.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-pinned.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
// In production, would pin specific certificate fingerprint
const expectedFingerprint = 'SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: true,
tls: {
rejectUnauthorized: false,
checkServerIdentity: (hostname, cert) => {
// In production, would verify fingerprint
console.log(` Certificate fingerprint: ${cert.fingerprint256 || 'N/A'}`);
console.log(` Expected fingerprint: ${expectedFingerprint}`);
// For test, accept any certificate
return undefined;
}
}
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Certificate pinning test',
text: 'Testing certificate fingerprint verification'
});
const result = await smtpClient.sendMail(email);
console.log(' Certificate pinning check completed');
expect(result).toBeDefined();
expect(result.messageId).toBeDefined();
await testServer.server.close();
})();
console.log(`\n${testId}: All ${scenarioCount} certificate validation scenarios tested ✓`);
});

507
test/suite/smtpclient_security/test.csec-07.cipher-suites.ts Normal file
View File

@ -0,0 +1,507 @@
import { expect, tap } from '@git.zone/tstest/tapbundle';
import * as plugins from './plugins.js';
import { createTestServer } from '../../helpers/server.loader.js';
import { createSmtpClient } from '../../helpers/smtp.client.js';
tap.test('CSEC-07: should handle cipher suites correctly', async (tools) => {
const testId = 'CSEC-07-cipher-suites';
console.log(`\n${testId}: Testing cipher suite handling...`);
let scenarioCount = 0;
// Scenario 1: Strong cipher suite negotiation
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing strong cipher suite negotiation`);
const testServer = await createTestServer({
secure: true,
tlsOptions: {
// Configure strong ciphers only
ciphers: 'TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384',
honorCipherOrder: true,
minVersion: 'TLSv1.2'
},
onConnection: async (socket) => {
console.log(' [Server] Client connected with strong ciphers');
// Log cipher info if available
const tlsSocket = socket as any;
if (tlsSocket.getCipher) {
const cipher = tlsSocket.getCipher();
console.log(` [Server] Negotiated cipher: ${cipher.name} (${cipher.version})`);
}
socket.write('220 secure.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
console.log(` [Server] Received: ${command}`);
if (command.startsWith('EHLO')) {
socket.write('250-secure.example.com\r\n');
socket.write('250-SIZE 10485760\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK: Message accepted with strong encryption\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: true,
tls: {
rejectUnauthorized: false,
// Prefer strong ciphers
ciphers: 'HIGH:!aNULL:!MD5:!3DES',
minVersion: 'TLSv1.2'
}
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Strong cipher test',
text: 'Testing with strong cipher suites'
});
const result = await smtpClient.sendMail(email);
console.log(' Successfully negotiated strong cipher');
expect(result).toBeDefined();
expect(result.messageId).toBeDefined();
await testServer.server.close();
})();
// Scenario 2: Weak cipher rejection
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing weak cipher rejection`);
const testServer = await createTestServer({
secure: true,
tlsOptions: {
// Only allow strong ciphers
ciphers: 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256',
honorCipherOrder: true,
minVersion: 'TLSv1.2'
},
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 secure.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-secure.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
// Try to connect with weak ciphers only (should fail)
const weakClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: true,
tls: {
rejectUnauthorized: false,
// Try to use weak ciphers
ciphers: 'DES-CBC3-SHA:RC4-SHA',
maxVersion: 'TLSv1.0'
}
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Weak cipher test',
text: 'Testing weak cipher rejection'
});
try {
await weakClient.sendMail(email);
console.log(' Unexpected: Weak cipher was accepted');
} catch (error) {
console.log(` Expected error: ${error.message}`);
expect(error.message).toMatch(/handshake|cipher|ssl/i);
}
// Connect with acceptable ciphers
const strongClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: true,
tls: {
rejectUnauthorized: false,
ciphers: 'HIGH:!aNULL',
minVersion: 'TLSv1.2'
}
});
const result = await strongClient.sendMail(email);
console.log(' Successfully connected with strong ciphers');
expect(result).toBeDefined();
await testServer.server.close();
})();
// Scenario 3: Cipher suite priority testing
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing cipher suite priority`);
const preferredCiphers = [
'TLS_AES_256_GCM_SHA384',
'TLS_AES_128_GCM_SHA256',
'ECDHE-RSA-AES256-GCM-SHA384',
'ECDHE-RSA-AES128-GCM-SHA256'
];
const testServer = await createTestServer({
secure: true,
tlsOptions: {
ciphers: preferredCiphers.join(':'),
honorCipherOrder: true, // Server chooses cipher
minVersion: 'TLSv1.2'
},
onConnection: async (socket) => {
console.log(' [Server] Client connected');
const tlsSocket = socket as any;
if (tlsSocket.getCipher) {
const cipher = tlsSocket.getCipher();
console.log(` [Server] Selected cipher: ${cipher.name}`);
// Check if preferred cipher was selected
const cipherIndex = preferredCiphers.findIndex(c =>
cipher.name.includes(c) || c.includes(cipher.name)
);
console.log(` [Server] Cipher priority: ${cipherIndex + 1}/${preferredCiphers.length}`);
}
socket.write('220 priority.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-priority.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: true,
tls: {
rejectUnauthorized: false,
// Client offers ciphers in different order
ciphers: preferredCiphers.slice().reverse().join(':'),
honorCipherOrder: false // Let server choose
}
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Cipher priority test',
text: 'Testing cipher suite selection priority'
});
const result = await smtpClient.sendMail(email);
console.log(' Cipher negotiation completed');
expect(result).toBeDefined();
expect(result.messageId).toBeDefined();
await testServer.server.close();
})();
// Scenario 4: Perfect Forward Secrecy (PFS) ciphers
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing Perfect Forward Secrecy ciphers`);
const testServer = await createTestServer({
secure: true,
tlsOptions: {
// Only PFS ciphers (ECDHE/DHE)
ciphers: 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384',
honorCipherOrder: true,
ecdhCurve: 'auto'
},
onConnection: async (socket) => {
console.log(' [Server] Client connected with PFS');
const tlsSocket = socket as any;
if (tlsSocket.getCipher) {
const cipher = tlsSocket.getCipher();
const hasPFS = cipher.name.includes('ECDHE') || cipher.name.includes('DHE');
console.log(` [Server] Cipher: ${cipher.name} (PFS: ${hasPFS ? 'Yes' : 'No'})`);
}
socket.write('220 pfs.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-pfs.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK: Message sent with PFS\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: true,
tls: {
rejectUnauthorized: false,
// Prefer PFS ciphers
ciphers: 'ECDHE:DHE:!aNULL:!MD5',
ecdhCurve: 'auto'
}
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'PFS cipher test',
text: 'Testing Perfect Forward Secrecy'
});
const result = await smtpClient.sendMail(email);
console.log(' Successfully used PFS cipher');
expect(result).toBeDefined();
expect(result.messageId).toBeDefined();
await testServer.server.close();
})();
// Scenario 5: Cipher renegotiation
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing cipher renegotiation handling`);
const testServer = await createTestServer({
secure: true,
tlsOptions: {
ciphers: 'HIGH:MEDIUM:!aNULL:!MD5',
// Disable renegotiation for security
secureOptions: plugins.crypto.constants.SSL_OP_NO_RENEGOTIATION
},
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 norenegotiation.example.com ESMTP\r\n');
let messageCount = 0;
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-norenegotiation.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
messageCount++;
console.log(` [Server] Processing message ${messageCount}`);
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'RSET') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: true,
tls: {
rejectUnauthorized: false,
// Also disable renegotiation on client
secureOptions: plugins.crypto.constants.SSL_OP_NO_RENEGOTIATION
}
});
// Send multiple emails on same connection
for (let i = 0; i < 3; i++) {
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: `Renegotiation test ${i + 1}`,
text: `Testing without cipher renegotiation - email ${i + 1}`
});
const result = await smtpClient.sendMail(email);
console.log(` Email ${i + 1} sent without renegotiation`);
expect(result).toBeDefined();
expect(result.messageId).toBeDefined();
}
await testServer.server.close();
})();
// Scenario 6: Cipher compatibility testing
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing cipher compatibility`);
const cipherSets = [
{
name: 'TLS 1.3 only',
ciphers: 'TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256',
minVersion: 'TLSv1.3',
maxVersion: 'TLSv1.3'
},
{
name: 'TLS 1.2 compatible',
ciphers: 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256',
minVersion: 'TLSv1.2',
maxVersion: 'TLSv1.2'
},
{
name: 'Broad compatibility',
ciphers: 'HIGH:MEDIUM:!aNULL:!MD5:!3DES',
minVersion: 'TLSv1.2',
maxVersion: undefined
}
];
for (const cipherSet of cipherSets) {
console.log(`\n Testing ${cipherSet.name}...`);
const testServer = await createTestServer({
secure: true,
tlsOptions: {
ciphers: cipherSet.ciphers,
minVersion: cipherSet.minVersion as any,
maxVersion: cipherSet.maxVersion as any
},
onConnection: async (socket) => {
const tlsSocket = socket as any;
if (tlsSocket.getCipher && tlsSocket.getProtocol) {
const cipher = tlsSocket.getCipher();
const protocol = tlsSocket.getProtocol();
console.log(` [Server] Protocol: ${protocol}, Cipher: ${cipher.name}`);
}
socket.write('220 compat.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-compat.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
try {
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: true,
tls: {
rejectUnauthorized: false,
ciphers: cipherSet.ciphers,
minVersion: cipherSet.minVersion as any,
maxVersion: cipherSet.maxVersion as any
}
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: `${cipherSet.name} test`,
text: `Testing ${cipherSet.name} cipher configuration`
});
const result = await smtpClient.sendMail(email);
console.log(` Success with ${cipherSet.name}`);
expect(result).toBeDefined();
expect(result.messageId).toBeDefined();
} catch (error) {
console.log(` ${cipherSet.name} not supported in this environment`);
}
await testServer.server.close();
}
})();
console.log(`\n${testId}: All ${scenarioCount} cipher suite scenarios tested ✓`);
});

562
test/suite/smtpclient_security/test.csec-08.authentication-fallback.ts Normal file
View File

@ -0,0 +1,562 @@
import { expect, tap } from '@git.zone/tstest/tapbundle';
import * as plugins from './plugins.js';
import { createTestServer } from '../../helpers/server.loader.js';
import { createSmtpClient } from '../../helpers/smtp.client.js';
tap.test('CSEC-08: should handle authentication fallback securely', async (tools) => {
const testId = 'CSEC-08-authentication-fallback';
console.log(`\n${testId}: Testing authentication fallback mechanisms...`);
let scenarioCount = 0;
// Scenario 1: Multiple authentication methods
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing multiple authentication methods`);
const testServer = await createTestServer({
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 auth.example.com ESMTP\r\n');
let authMethod = '';
let authStep = 0;
socket.on('data', (data) => {
const command = data.toString().trim();
console.log(` [Server] Received: ${command}`);
if (command.startsWith('EHLO')) {
socket.write('250-auth.example.com\r\n');
socket.write('250-AUTH CRAM-MD5 PLAIN LOGIN\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('AUTH CRAM-MD5')) {
authMethod = 'CRAM-MD5';
authStep = 1;
// Send challenge
const challenge = Buffer.from(`<${Date.now()}.${Math.random()}@auth.example.com>`).toString('base64');
socket.write(`334 ${challenge}\r\n`);
} else if (command.startsWith('AUTH PLAIN')) {
authMethod = 'PLAIN';
if (command.length > 11) {
// Credentials included
const credentials = Buffer.from(command.substring(11), 'base64').toString();
console.log(` [Server] PLAIN auth attempt with immediate credentials`);
socket.write('235 2.7.0 Authentication successful\r\n');
} else {
// Request credentials
socket.write('334\r\n');
}
} else if (command.startsWith('AUTH LOGIN')) {
authMethod = 'LOGIN';
authStep = 1;
socket.write('334 VXNlcm5hbWU6\r\n'); // Username:
} else if (authMethod === 'CRAM-MD5' && authStep === 1) {
// Verify CRAM-MD5 response
console.log(` [Server] CRAM-MD5 response received`);
socket.write('235 2.7.0 Authentication successful\r\n');
authMethod = '';
authStep = 0;
} else if (authMethod === 'PLAIN' && !command.startsWith('AUTH')) {
// PLAIN credentials
const credentials = Buffer.from(command, 'base64').toString();
console.log(` [Server] PLAIN credentials received`);
socket.write('235 2.7.0 Authentication successful\r\n');
authMethod = '';
} else if (authMethod === 'LOGIN' && authStep === 1) {
// Username
console.log(` [Server] LOGIN username received`);
authStep = 2;
socket.write('334 UGFzc3dvcmQ6\r\n'); // Password:
} else if (authMethod === 'LOGIN' && authStep === 2) {
// Password
console.log(` [Server] LOGIN password received`);
socket.write('235 2.7.0 Authentication successful\r\n');
authMethod = '';
authStep = 0;
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false,
auth: {
user: 'testuser',
pass: 'testpass'
}
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Multi-auth test',
text: 'Testing multiple authentication methods'
});
const result = await smtpClient.sendMail(email);
console.log(' Authentication successful');
expect(result).toBeDefined();
expect(result.messageId).toBeDefined();
await testServer.server.close();
})();
// Scenario 2: Authentication method downgrade prevention
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing auth method downgrade prevention`);
let attemptCount = 0;
const testServer = await createTestServer({
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 secure.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
console.log(` [Server] Received: ${command}`);
if (command.startsWith('EHLO')) {
attemptCount++;
if (attemptCount === 1) {
// First attempt: offer secure methods
socket.write('250-secure.example.com\r\n');
socket.write('250-AUTH CRAM-MD5 SCRAM-SHA-256\r\n');
socket.write('250 OK\r\n');
} else {
// Attacker attempt: offer weaker methods
socket.write('250-secure.example.com\r\n');
socket.write('250-AUTH PLAIN LOGIN\r\n');
socket.write('250 OK\r\n');
}
} else if (command.startsWith('AUTH CRAM-MD5')) {
// Simulate failure to force fallback attempt
socket.write('535 5.7.8 Authentication failed\r\n');
} else if (command.startsWith('AUTH PLAIN') || command.startsWith('AUTH LOGIN')) {
console.log(' [Server] Warning: Client using weak auth method');
socket.write('535 5.7.8 Weak authentication method not allowed\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false,
auth: {
user: 'testuser',
pass: 'testpass'
},
authMethod: 'CRAM-MD5' // Prefer secure method
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Downgrade prevention test',
text: 'Testing authentication downgrade prevention'
});
try {
await smtpClient.sendMail(email);
console.log(' Unexpected: Authentication succeeded');
} catch (error) {
console.log(` Expected: Auth failed - ${error.message}`);
expect(error.message).toContain('Authentication failed');
}
await testServer.server.close();
})();
// Scenario 3: OAuth2 fallback
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing OAuth2 authentication fallback`);
const testServer = await createTestServer({
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 oauth.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
console.log(` [Server] Received: ${command.substring(0, 50)}...`);
if (command.startsWith('EHLO')) {
socket.write('250-oauth.example.com\r\n');
socket.write('250-AUTH XOAUTH2 PLAIN LOGIN\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('AUTH XOAUTH2')) {
// Check OAuth2 token
const token = command.substring(13);
if (token.includes('expired')) {
console.log(' [Server] OAuth2 token expired');
socket.write('334 eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIiwic2NvcGUiOiJodHRwczovL21haWwuZ29vZ2xlLmNvbS8ifQ==\r\n');
} else {
console.log(' [Server] OAuth2 authentication successful');
socket.write('235 2.7.0 Authentication successful\r\n');
}
} else if (command.startsWith('AUTH PLAIN')) {
// Fallback to PLAIN auth
console.log(' [Server] Fallback to PLAIN auth');
if (command.length > 11) {
socket.write('235 2.7.0 Authentication successful\r\n');
} else {
socket.write('334\r\n');
}
} else if (command === '') {
// Empty line after failed XOAUTH2
socket.write('535 5.7.8 Authentication failed\r\n');
} else if (!command.startsWith('AUTH') && command.length > 20) {
// PLAIN credentials
socket.write('235 2.7.0 Authentication successful\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
// Test with OAuth2 token
const oauthClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false,
auth: {
type: 'oauth2',
user: 'user@example.com',
accessToken: 'valid-oauth-token'
}
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'OAuth2 test',
text: 'Testing OAuth2 authentication'
});
try {
const result = await oauthClient.sendMail(email);
console.log(' OAuth2 authentication successful');
expect(result).toBeDefined();
} catch (error) {
console.log(` OAuth2 failed, testing fallback...`);
// Test fallback to password auth
const fallbackClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false,
auth: {
user: 'testuser',
pass: 'testpass'
}
});
const result = await fallbackClient.sendMail(email);
console.log(' Fallback authentication successful');
expect(result).toBeDefined();
}
await testServer.server.close();
})();
// Scenario 4: Authentication retry with different credentials
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing auth retry with different credentials`);
let authAttempts = 0;
const testServer = await createTestServer({
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 retry.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-retry.example.com\r\n');
socket.write('250-AUTH PLAIN LOGIN\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('AUTH')) {
authAttempts++;
console.log(` [Server] Auth attempt ${authAttempts}`);
if (authAttempts <= 2) {
// Fail first attempts
socket.write('535 5.7.8 Authentication failed\r\n');
} else {
// Success on third attempt
socket.write('235 2.7.0 Authentication successful\r\n');
}
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
// Test multiple auth attempts
const credentials = [
{ user: 'wronguser', pass: 'wrongpass' },
{ user: 'testuser', pass: 'wrongpass' },
{ user: 'testuser', pass: 'testpass' }
];
let successfulAuth = false;
for (const cred of credentials) {
try {
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false,
auth: cred
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Retry test',
text: 'Testing authentication retry'
});
const result = await smtpClient.sendMail(email);
console.log(` Auth succeeded with user: ${cred.user}`);
successfulAuth = true;
expect(result).toBeDefined();
break;
} catch (error) {
console.log(` Auth failed with user: ${cred.user}`);
}
}
expect(successfulAuth).toBe(true);
expect(authAttempts).toBe(3);
await testServer.server.close();
})();
// Scenario 5: Secure authentication over insecure connection
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing secure auth over insecure connection`);
const testServer = await createTestServer({
secure: false, // Plain text connection
onConnection: async (socket) => {
console.log(' [Server] Client connected (insecure)');
socket.write('220 insecure.example.com ESMTP\r\n');
let tlsStarted = false;
socket.on('data', (data) => {
const command = data.toString().trim();
console.log(` [Server] Received: ${command}`);
if (command.startsWith('EHLO')) {
socket.write('250-insecure.example.com\r\n');
socket.write('250-STARTTLS\r\n');
if (tlsStarted) {
socket.write('250-AUTH PLAIN LOGIN\r\n');
}
socket.write('250 OK\r\n');
} else if (command === 'STARTTLS') {
socket.write('220 2.0.0 Ready to start TLS\r\n');
tlsStarted = true;
// In real scenario, would upgrade to TLS here
} else if (command.startsWith('AUTH') && !tlsStarted) {
console.log(' [Server] Rejecting auth over insecure connection');
socket.write('530 5.7.0 Must issue a STARTTLS command first\r\n');
} else if (command.startsWith('AUTH') && tlsStarted) {
console.log(' [Server] Accepting auth over TLS');
socket.write('235 2.7.0 Authentication successful\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
// Try auth without TLS (should fail)
const insecureClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false,
ignoreTLS: true, // Don't use STARTTLS
auth: {
user: 'testuser',
pass: 'testpass'
}
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Secure auth test',
text: 'Testing secure authentication requirements'
});
try {
await insecureClient.sendMail(email);
console.log(' Unexpected: Auth succeeded without TLS');
} catch (error) {
console.log(' Expected: Auth rejected without TLS');
expect(error.message).toContain('STARTTLS');
}
// Try with STARTTLS
const secureClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false,
requireTLS: true,
auth: {
user: 'testuser',
pass: 'testpass'
}
});
try {
const result = await secureClient.sendMail(email);
console.log(' Auth succeeded with STARTTLS');
// Note: In real test, STARTTLS would actually upgrade the connection
} catch (error) {
console.log(' STARTTLS not fully implemented in test');
}
await testServer.server.close();
})();
// Scenario 6: Authentication mechanism negotiation
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing auth mechanism negotiation`);
const supportedMechanisms = new Map([
['SCRAM-SHA-256', { priority: 1, supported: true }],
['CRAM-MD5', { priority: 2, supported: true }],
['PLAIN', { priority: 3, supported: true }],
['LOGIN', { priority: 4, supported: true }]
]);
const testServer = await createTestServer({
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 negotiate.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-negotiate.example.com\r\n');
const authMechs = Array.from(supportedMechanisms.entries())
.filter(([_, info]) => info.supported)
.map(([mech, _]) => mech)
.join(' ');
socket.write(`250-AUTH ${authMechs}\r\n`);
socket.write('250 OK\r\n');
} else if (command.startsWith('AUTH ')) {
const mechanism = command.split(' ')[1];
console.log(` [Server] Client selected: ${mechanism}`);
const mechInfo = supportedMechanisms.get(mechanism);
if (mechInfo && mechInfo.supported) {
console.log(` [Server] Priority: ${mechInfo.priority}`);
socket.write('235 2.7.0 Authentication successful\r\n');
} else {
socket.write('504 5.5.4 Unrecognized authentication type\r\n');
}
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false,
auth: {
user: 'testuser',
pass: 'testpass'
}
// Client will negotiate best available mechanism
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Negotiation test',
text: 'Testing authentication mechanism negotiation'
});
const result = await smtpClient.sendMail(email);
console.log(' Authentication negotiation successful');
expect(result).toBeDefined();
expect(result.messageId).toBeDefined();
await testServer.server.close();
})();
console.log(`\n${testId}: All ${scenarioCount} authentication fallback scenarios tested ✓`);
});

627
test/suite/smtpclient_security/test.csec-09.relay-restrictions.ts Normal file
View File

@ -0,0 +1,627 @@
import { expect, tap } from '@git.zone/tstest/tapbundle';
import * as plugins from './plugins.js';
import { createTestServer } from '../../helpers/server.loader.js';
import { createSmtpClient } from '../../helpers/smtp.client.js';
tap.test('CSEC-09: should handle relay restrictions correctly', async (tools) => {
const testId = 'CSEC-09-relay-restrictions';
console.log(`\n${testId}: Testing relay restriction handling...`);
let scenarioCount = 0;
// Scenario 1: Open relay prevention
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing open relay prevention`);
const allowedDomains = ['example.com', 'trusted.com'];
const testServer = await createTestServer({
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 relay.example.com ESMTP\r\n');
let authenticated = false;
let fromAddress = '';
socket.on('data', (data) => {
const command = data.toString().trim();
console.log(` [Server] Received: ${command}`);
if (command.startsWith('EHLO')) {
socket.write('250-relay.example.com\r\n');
socket.write('250-AUTH PLAIN LOGIN\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('AUTH')) {
authenticated = true;
console.log(' [Server] User authenticated');
socket.write('235 2.7.0 Authentication successful\r\n');
} else if (command.startsWith('MAIL FROM:')) {
fromAddress = command.match(/<(.+)>/)?.[1] || '';
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
const toAddress = command.match(/<(.+)>/)?.[1] || '';
const toDomain = toAddress.split('@')[1];
const fromDomain = fromAddress.split('@')[1];
console.log(` [Server] Relay check: from=${fromDomain}, to=${toDomain}, auth=${authenticated}`);
// Check relay permissions
if (authenticated) {
// Authenticated users can relay
socket.write('250 OK\r\n');
} else if (allowedDomains.includes(toDomain)) {
// Accept mail for local domains
socket.write('250 OK\r\n');
} else if (allowedDomains.includes(fromDomain)) {
// Accept mail from local domains (outbound)
socket.write('250 OK\r\n');
} else {
// Reject relay attempt
console.log(' [Server] Rejecting relay attempt');
socket.write('554 5.7.1 Relay access denied\r\n');
}
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
// Test 1: Unauthenticated relay attempt (should fail)
const unauthClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false
});
const relayEmail = new plugins.smartmail.Email({
from: 'external@untrusted.com',
to: ['recipient@another-external.com'],
subject: 'Relay test',
text: 'Testing open relay prevention'
});
try {
await unauthClient.sendMail(relayEmail);
console.log(' Unexpected: Relay was allowed');
} catch (error) {
console.log(' Expected: Relay denied for unauthenticated user');
expect(error.message).toContain('Relay access denied');
}
// Test 2: Local delivery (should succeed)
const localEmail = new plugins.smartmail.Email({
from: 'external@untrusted.com',
to: ['recipient@example.com'], // Local domain
subject: 'Local delivery test',
text: 'Testing local delivery'
});
const localResult = await unauthClient.sendMail(localEmail);
console.log(' Local delivery allowed');
expect(localResult).toBeDefined();
expect(localResult.messageId).toBeDefined();
// Test 3: Authenticated relay (should succeed)
const authClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false,
auth: {
user: 'testuser',
pass: 'testpass'
}
});
const authRelayResult = await authClient.sendMail(relayEmail);
console.log(' Authenticated relay allowed');
expect(authRelayResult).toBeDefined();
expect(authRelayResult.messageId).toBeDefined();
await testServer.server.close();
})();
// Scenario 2: IP-based relay restrictions
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing IP-based relay restrictions`);
const trustedIPs = ['127.0.0.1', '::1', '10.0.0.0/8', '192.168.0.0/16'];
const testServer = await createTestServer({
onConnection: async (socket) => {
const clientIP = socket.remoteAddress || '';
console.log(` [Server] Client connected from ${clientIP}`);
socket.write('220 ip-relay.example.com ESMTP\r\n');
const isTrustedIP = (ip: string): boolean => {
// Simple check for demo (in production, use proper IP range checking)
return trustedIPs.some(trusted =>
ip === trusted ||
ip.includes('127.0.0.1') ||
ip.includes('::1')
);
};
socket.on('data', (data) => {
const command = data.toString().trim();
console.log(` [Server] Received: ${command}`);
if (command.startsWith('EHLO')) {
socket.write('250-ip-relay.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
const toAddress = command.match(/<(.+)>/)?.[1] || '';
const isLocalDomain = toAddress.includes('@example.com');
if (isTrustedIP(clientIP)) {
console.log(' [Server] Trusted IP - allowing relay');
socket.write('250 OK\r\n');
} else if (isLocalDomain) {
console.log(' [Server] Local delivery - allowing');
socket.write('250 OK\r\n');
} else {
console.log(' [Server] Untrusted IP - denying relay');
socket.write('554 5.7.1 Relay access denied for IP\r\n');
}
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false
});
// Test from localhost (trusted)
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@external.com'],
subject: 'IP-based relay test',
text: 'Testing IP-based relay restrictions'
});
const result = await smtpClient.sendMail(email);
console.log(' Relay allowed from trusted IP (localhost)');
expect(result).toBeDefined();
expect(result.messageId).toBeDefined();
await testServer.server.close();
})();
// Scenario 3: Sender domain restrictions
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing sender domain restrictions`);
const testServer = await createTestServer({
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 sender-restrict.example.com ESMTP\r\n');
let authenticated = false;
let authUser = '';
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-sender-restrict.example.com\r\n');
socket.write('250-AUTH PLAIN\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('AUTH PLAIN')) {
const credentials = command.substring(11);
if (credentials) {
const decoded = Buffer.from(credentials, 'base64').toString();
authUser = decoded.split('\0')[1] || '';
authenticated = true;
console.log(` [Server] User authenticated: ${authUser}`);
socket.write('235 2.7.0 Authentication successful\r\n');
} else {
socket.write('334\r\n');
}
} else if (!command.startsWith('AUTH') && authenticated === false && command.length > 20) {
// PLAIN auth credentials
const decoded = Buffer.from(command, 'base64').toString();
authUser = decoded.split('\0')[1] || '';
authenticated = true;
console.log(` [Server] User authenticated: ${authUser}`);
socket.write('235 2.7.0 Authentication successful\r\n');
} else if (command.startsWith('MAIL FROM:')) {
const fromAddress = command.match(/<(.+)>/)?.[1] || '';
const fromDomain = fromAddress.split('@')[1];
if (!authenticated) {
// Unauthenticated users can only send from specific domains
if (fromDomain === 'example.com' || fromDomain === 'trusted.com') {
socket.write('250 OK\r\n');
} else {
console.log(` [Server] Rejecting sender domain: ${fromDomain}`);
socket.write('553 5.7.1 Sender domain not allowed\r\n');
}
} else {
// Authenticated users must use their own domain
const expectedDomain = authUser.split('@')[1];
if (fromDomain === expectedDomain || fromDomain === 'example.com') {
socket.write('250 OK\r\n');
} else {
console.log(` [Server] Auth user ${authUser} cannot send from ${fromDomain}`);
socket.write('553 5.7.1 Authenticated sender mismatch\r\n');
}
}
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
// Test 1: Unauthorized sender domain
const unauthClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false
});
const unauthorizedEmail = new plugins.smartmail.Email({
from: 'sender@untrusted.com',
to: ['recipient@example.com'],
subject: 'Unauthorized sender test',
text: 'Testing sender domain restrictions'
});
try {
await unauthClient.sendMail(unauthorizedEmail);
console.log(' Unexpected: Unauthorized sender accepted');
} catch (error) {
console.log(' Expected: Unauthorized sender domain rejected');
expect(error.message).toContain('Sender domain not allowed');
}
// Test 2: Authorized sender domain
const authorizedEmail = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@external.com'],
subject: 'Authorized sender test',
text: 'Testing authorized sender domain'
});
const result = await unauthClient.sendMail(authorizedEmail);
console.log(' Authorized sender domain accepted');
expect(result).toBeDefined();
// Test 3: Authenticated sender mismatch
const authClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false,
auth: {
user: 'user@example.com',
pass: 'testpass'
}
});
const mismatchEmail = new plugins.smartmail.Email({
from: 'someone@otherdomain.com',
to: ['recipient@example.com'],
subject: 'Sender mismatch test',
text: 'Testing authenticated sender mismatch'
});
try {
await authClient.sendMail(mismatchEmail);
console.log(' Unexpected: Sender mismatch accepted');
} catch (error) {
console.log(' Expected: Authenticated sender mismatch rejected');
expect(error.message).toContain('Authenticated sender mismatch');
}
await testServer.server.close();
})();
// Scenario 4: Recipient count limits
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing recipient count limits`);
const maxRecipientsUnauthenticated = 5;
const maxRecipientsAuthenticated = 100;
const testServer = await createTestServer({
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 recipient-limit.example.com ESMTP\r\n');
let authenticated = false;
let recipientCount = 0;
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-recipient-limit.example.com\r\n');
socket.write('250-AUTH PLAIN\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('AUTH')) {
authenticated = true;
socket.write('235 2.7.0 Authentication successful\r\n');
} else if (command.startsWith('MAIL FROM:')) {
recipientCount = 0; // Reset for new message
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
recipientCount++;
const limit = authenticated ? maxRecipientsAuthenticated : maxRecipientsUnauthenticated;
console.log(` [Server] Recipient ${recipientCount}/${limit} (auth: ${authenticated})`);
if (recipientCount > limit) {
socket.write('452 4.5.3 Too many recipients\r\n');
} else {
socket.write('250 OK\r\n');
}
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
// Test unauthenticated recipient limit
const unauthClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false
});
const manyRecipients = Array(10).fill(null).map((_, i) => `recipient${i + 1}@example.com`);
const bulkEmail = new plugins.smartmail.Email({
from: 'sender@example.com',
to: manyRecipients,
subject: 'Recipient limit test',
text: 'Testing recipient count limits'
});
try {
const result = await unauthClient.sendMail(bulkEmail);
console.log(` Sent to ${result.accepted?.length || 0} recipients (unauthenticated)`);
// Some recipients should be rejected
expect(result.rejected?.length).toBeGreaterThan(0);
} catch (error) {
console.log(' Some recipients rejected due to limit');
}
// Test authenticated higher limit
const authClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false,
auth: {
user: 'testuser',
pass: 'testpass'
}
});
const authResult = await authClient.sendMail(bulkEmail);
console.log(` Authenticated user sent to ${authResult.accepted?.length || 0} recipients`);
expect(authResult.accepted?.length).toBe(manyRecipients.length);
await testServer.server.close();
})();
// Scenario 5: Rate-based relay restrictions
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing rate-based relay restrictions`);
const messageRates = new Map<string, { count: number; resetTime: number }>();
const rateLimit = 3; // 3 messages per minute
const testServer = await createTestServer({
onConnection: async (socket) => {
const clientIP = socket.remoteAddress || 'unknown';
console.log(` [Server] Client connected from ${clientIP}`);
socket.write('220 rate-limit.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-rate-limit.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
const now = Date.now();
const clientRate = messageRates.get(clientIP) || { count: 0, resetTime: now + 60000 };
if (now > clientRate.resetTime) {
// Reset rate limit
clientRate.count = 0;
clientRate.resetTime = now + 60000;
}
clientRate.count++;
messageRates.set(clientIP, clientRate);
console.log(` [Server] Message ${clientRate.count}/${rateLimit} from ${clientIP}`);
if (clientRate.count > rateLimit) {
socket.write('421 4.7.0 Rate limit exceeded, try again later\r\n');
socket.end();
} else {
socket.write('250 OK\r\n');
}
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
// Send multiple messages to test rate limiting
const results: boolean[] = [];
for (let i = 0; i < 5; i++) {
try {
const client = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: `Rate test ${i + 1}`,
text: `Testing rate limits - message ${i + 1}`
});
const result = await client.sendMail(email);
console.log(` Message ${i + 1}: Sent successfully`);
results.push(true);
} catch (error) {
console.log(` Message ${i + 1}: Rate limited`);
results.push(false);
}
}
// First 3 should succeed, rest should fail
const successCount = results.filter(r => r).length;
console.log(` Sent ${successCount}/${results.length} messages before rate limit`);
expect(successCount).toBe(rateLimit);
await testServer.server.close();
})();
// Scenario 6: SPF-based relay restrictions
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing SPF-based relay restrictions`);
const testServer = await createTestServer({
onConnection: async (socket) => {
const clientIP = socket.remoteAddress || '';
console.log(` [Server] Client connected from ${clientIP}`);
socket.write('220 spf-relay.example.com ESMTP\r\n');
const checkSPF = (domain: string, ip: string): string => {
// Simplified SPF check for demo
console.log(` [Server] Checking SPF for ${domain} from ${ip}`);
// In production, would do actual DNS lookups
if (domain === 'example.com' && (ip.includes('127.0.0.1') || ip.includes('::1'))) {
return 'pass';
} else if (domain === 'spf-fail.com') {
return 'fail';
} else {
return 'none';
}
};
socket.on('data', (data) => {
const command = data.toString().trim();
if (command.startsWith('EHLO')) {
socket.write('250-spf-relay.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
const fromAddress = command.match(/<(.+)>/)?.[1] || '';
const domain = fromAddress.split('@')[1];
const spfResult = checkSPF(domain, clientIP);
console.log(` [Server] SPF result: ${spfResult}`);
if (spfResult === 'fail') {
socket.write('550 5.7.1 SPF check failed\r\n');
} else {
socket.write('250 OK SPF=' + spfResult + '\r\n');
}
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false
});
// Test 1: SPF pass
const spfPassEmail = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'SPF pass test',
text: 'Testing SPF-based relay - should pass'
});
const passResult = await smtpClient.sendMail(spfPassEmail);
console.log(' SPF check passed');
expect(passResult).toBeDefined();
expect(passResult.response).toContain('SPF=pass');
// Test 2: SPF fail
const spfFailEmail = new plugins.smartmail.Email({
from: 'sender@spf-fail.com',
to: ['recipient@example.com'],
subject: 'SPF fail test',
text: 'Testing SPF-based relay - should fail'
});
try {
await smtpClient.sendMail(spfFailEmail);
console.log(' Unexpected: SPF fail was accepted');
} catch (error) {
console.log(' Expected: SPF check failed');
expect(error.message).toContain('SPF check failed');
}
await testServer.server.close();
})();
console.log(`\n${testId}: All ${scenarioCount} relay restriction scenarios tested ✓`);
});

701
test/suite/smtpclient_security/test.csec-10.anti-spam-measures.ts Normal file
View File

@ -0,0 +1,701 @@
import { expect, tap } from '@git.zone/tstest/tapbundle';
import * as plugins from './plugins.js';
import { createTestServer } from '../../helpers/server.loader.js';
import { createSmtpClient } from '../../helpers/smtp.client.js';
tap.test('CSEC-10: should handle anti-spam measures correctly', async (tools) => {
const testId = 'CSEC-10-anti-spam-measures';
console.log(`\n${testId}: Testing anti-spam measure handling...`);
let scenarioCount = 0;
// Scenario 1: Reputation-based filtering
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing reputation-based filtering`);
const ipReputation = new Map([
['127.0.0.1', { score: 100, status: 'trusted' }],
['10.0.0.1', { score: 50, status: 'neutral' }],
['192.168.1.100', { score: 10, status: 'suspicious' }],
['10.10.10.10', { score: 0, status: 'blocked' }]
]);
const testServer = await createTestServer({
onConnection: async (socket) => {
const clientIP = socket.remoteAddress || '127.0.0.1';
const reputation = ipReputation.get(clientIP) || { score: 50, status: 'unknown' };
console.log(` [Server] Client ${clientIP} connected (reputation: ${reputation.status})`);
if (reputation.score === 0) {
socket.write('554 5.7.1 Your IP has been blocked due to poor reputation\r\n');
socket.end();
return;
}
socket.write('220 reputation.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
console.log(` [Server] Received: ${command}`);
if (command.startsWith('EHLO')) {
socket.write('250-reputation.example.com\r\n');
if (reputation.score < 30) {
// Suspicious IPs get limited features
socket.write('250 OK\r\n');
} else {
socket.write('250-SIZE 10485760\r\n');
socket.write('250-AUTH PLAIN LOGIN\r\n');
socket.write('250 OK\r\n');
}
} else if (command.startsWith('MAIL FROM:')) {
if (reputation.score < 30) {
// Add delay for suspicious IPs (tarpitting)
setTimeout(() => {
socket.write('250 OK\r\n');
}, 2000);
} else {
socket.write('250 OK\r\n');
}
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write(`250 OK: Message accepted (reputation score: ${reputation.score})\r\n`);
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
// Test with good reputation (localhost)
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Reputation test',
text: 'Testing reputation-based filtering'
});
const result = await smtpClient.sendMail(email);
console.log(' Good reputation: Message accepted');
expect(result).toBeDefined();
expect(result.response).toContain('reputation score: 100');
await testServer.server.close();
})();
// Scenario 2: Content filtering and spam scoring
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing content filtering and spam scoring`);
const spamKeywords = [
{ word: 'viagra', score: 5 },
{ word: 'lottery', score: 4 },
{ word: 'winner', score: 3 },
{ word: 'click here', score: 3 },
{ word: 'free money', score: 5 },
{ word: 'guarantee', score: 2 },
{ word: 'act now', score: 3 },
{ word: '100% free', score: 4 }
];
const testServer = await createTestServer({
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 content-filter.example.com ESMTP\r\n');
let inData = false;
let messageContent = '';
socket.on('data', (data) => {
const text = data.toString();
if (inData) {
messageContent += text;
if (text.includes('\r\n.\r\n')) {
inData = false;
// Calculate spam score
let spamScore = 0;
const lowerContent = messageContent.toLowerCase();
spamKeywords.forEach(({ word, score }) => {
if (lowerContent.includes(word)) {
spamScore += score;
console.log(` [Server] Found spam keyword: "${word}" (+${score})`);
}
});
// Check for suspicious patterns
if ((messageContent.match(/!/g) || []).length > 5) {
spamScore += 2;
console.log(' [Server] Excessive exclamation marks (+2)');
}
if ((messageContent.match(/\$|€|£/g) || []).length > 3) {
spamScore += 2;
console.log(' [Server] Multiple currency symbols (+2)');
}
if (messageContent.includes('ALL CAPS') || /[A-Z]{10,}/.test(messageContent)) {
spamScore += 1;
console.log(' [Server] Excessive capitals (+1)');
}
console.log(` [Server] Total spam score: ${spamScore}`);
if (spamScore >= 10) {
socket.write('550 5.7.1 Message rejected due to spam content\r\n');
} else if (spamScore >= 5) {
socket.write('250 OK: Message quarantined for review\r\n');
} else {
socket.write('250 OK: Message accepted\r\n');
}
messageContent = '';
}
return;
}
const command = text.trim();
console.log(` [Server] Received: ${command}`);
if (command.startsWith('EHLO')) {
socket.write('250-content-filter.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
inData = true;
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false
});
// Test 1: Clean email
const cleanEmail = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Business proposal',
text: 'I would like to discuss our upcoming project. Please let me know your availability.'
});
const cleanResult = await smtpClient.sendMail(cleanEmail);
console.log(' Clean email: Accepted');
expect(cleanResult.response).toContain('Message accepted');
// Test 2: Suspicious email
const suspiciousEmail = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'You are a WINNER!',
text: 'Click here to claim your lottery prize! Act now! 100% guarantee!'
});
const suspiciousResult = await smtpClient.sendMail(suspiciousEmail);
console.log(' Suspicious email: Quarantined');
expect(suspiciousResult.response).toContain('quarantined');
// Test 3: Spam email
const spamEmail = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'FREE MONEY - VIAGRA - LOTTERY WINNER!!!',
text: 'CLICK HERE NOW!!! 100% FREE VIAGRA!!! You are a LOTTERY WINNER!!! Act now to claim your FREE MONEY!!! $$$€€€£££'
});
try {
await smtpClient.sendMail(spamEmail);
console.log(' Unexpected: Spam email accepted');
} catch (error) {
console.log(' Spam email: Rejected');
expect(error.message).toContain('spam content');
}
await testServer.server.close();
})();
// Scenario 3: Greylisting
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing greylisting`);
const greylist = new Map<string, { firstSeen: number; attempts: number }>();
const greylistDuration = 2000; // 2 seconds for testing
const testServer = await createTestServer({
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 greylist.example.com ESMTP\r\n');
let triplet = '';
socket.on('data', (data) => {
const command = data.toString().trim();
console.log(` [Server] Received: ${command}`);
if (command.startsWith('EHLO')) {
socket.write('250-greylist.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
const from = command.match(/<(.+)>/)?.[1] || '';
triplet = `${socket.remoteAddress}-${from}`;
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
const to = command.match(/<(.+)>/)?.[1] || '';
triplet += `-${to}`;
const now = Date.now();
const greylistEntry = greylist.get(triplet);
if (!greylistEntry) {
// First time seeing this triplet
greylist.set(triplet, { firstSeen: now, attempts: 1 });
console.log(' [Server] New sender - greylisting');
socket.write('451 4.7.1 Greylisting in effect, please retry later\r\n');
} else {
greylistEntry.attempts++;
const elapsed = now - greylistEntry.firstSeen;
if (elapsed < greylistDuration) {
console.log(` [Server] Too soon (${elapsed}ms) - still greylisted`);
socket.write('451 4.7.1 Greylisting in effect, please retry later\r\n');
} else {
console.log(` [Server] Greylist passed (${greylistEntry.attempts} attempts)`);
socket.write('250 OK\r\n');
}
}
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK: Message accepted after greylisting\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Greylist test',
text: 'Testing greylisting mechanism'
});
// First attempt - should be greylisted
try {
await smtpClient.sendMail(email);
console.log(' Unexpected: First attempt succeeded');
} catch (error) {
console.log(' First attempt: Greylisted as expected');
expect(error.message).toContain('Greylisting');
}
// Wait and retry
console.log(` Waiting ${greylistDuration}ms before retry...`);
await new Promise(resolve => setTimeout(resolve, greylistDuration + 100));
// Second attempt - should succeed
const retryResult = await smtpClient.sendMail(email);
console.log(' Retry attempt: Accepted after greylist period');
expect(retryResult).toBeDefined();
expect(retryResult.response).toContain('after greylisting');
await testServer.server.close();
})();
// Scenario 4: DNS blacklist (DNSBL) checking
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing DNSBL checking`);
const blacklistedIPs = ['192.168.1.100', '10.0.0.50'];
const blacklistedDomains = ['spam-domain.com', 'phishing-site.net'];
const testServer = await createTestServer({
onConnection: async (socket) => {
const clientIP = socket.remoteAddress || '';
console.log(` [Server] Client connected from ${clientIP}`);
// Simulate DNSBL check
const isBlacklisted = blacklistedIPs.some(ip => clientIP.includes(ip));
if (isBlacklisted) {
console.log(' [Server] IP found in DNSBL');
socket.write('554 5.7.1 Your IP is listed in DNSBL\r\n');
socket.end();
return;
}
socket.write('220 dnsbl.example.com ESMTP\r\n');
socket.on('data', (data) => {
const command = data.toString().trim();
console.log(` [Server] Received: ${command}`);
if (command.startsWith('EHLO')) {
const domain = command.split(' ')[1];
if (blacklistedDomains.includes(domain)) {
console.log(' [Server] HELO domain in DNSBL');
socket.write('554 5.7.1 Your domain is blacklisted\r\n');
socket.end();
return;
}
socket.write('250-dnsbl.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
const fromAddress = command.match(/<(.+)>/)?.[1] || '';
const fromDomain = fromAddress.split('@')[1];
if (blacklistedDomains.includes(fromDomain)) {
console.log(' [Server] Sender domain in DNSBL');
socket.write('554 5.7.1 Sender domain is blacklisted\r\n');
} else {
socket.write('250 OK\r\n');
}
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
socket.write('250 OK\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false
});
// Test with clean sender
const cleanEmail = new plugins.smartmail.Email({
from: 'sender@clean-domain.com',
to: ['recipient@example.com'],
subject: 'DNSBL test',
text: 'Testing DNSBL checking'
});
const result = await smtpClient.sendMail(cleanEmail);
console.log(' Clean sender: Accepted');
expect(result).toBeDefined();
// Test with blacklisted domain
const blacklistedEmail = new plugins.smartmail.Email({
from: 'sender@spam-domain.com',
to: ['recipient@example.com'],
subject: 'Blacklisted domain test',
text: 'Testing from blacklisted domain'
});
try {
await smtpClient.sendMail(blacklistedEmail);
console.log(' Unexpected: Blacklisted domain accepted');
} catch (error) {
console.log(' Blacklisted domain: Rejected');
expect(error.message).toContain('blacklisted');
}
await testServer.server.close();
})();
// Scenario 5: Connection behavior analysis
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing connection behavior analysis`);
const testServer = await createTestServer({
onConnection: async (socket) => {
console.log(' [Server] Client connected');
const connectionStart = Date.now();
let commandCount = 0;
let errorCount = 0;
let rapidCommands = 0;
let lastCommandTime = Date.now();
// Set initial timeout
socket.setTimeout(30000); // 30 seconds
socket.write('220 behavior.example.com ESMTP\r\n');
socket.on('data', (data) => {
const now = Date.now();
const timeSinceLastCommand = now - lastCommandTime;
lastCommandTime = now;
commandCount++;
// Check for rapid-fire commands (bot behavior)
if (timeSinceLastCommand < 50) {
rapidCommands++;
if (rapidCommands > 5) {
console.log(' [Server] Detected rapid-fire commands (bot behavior)');
socket.write('421 4.7.0 Suspicious behavior detected\r\n');
socket.end();
return;
}
} else {
rapidCommands = 0; // Reset counter
}
const command = data.toString().trim();
console.log(` [Server] Received: ${command} (${timeSinceLastCommand}ms since last)`);
// Check for invalid commands (spam bot behavior)
if (!command.match(/^(EHLO|HELO|MAIL FROM:|RCPT TO:|DATA|QUIT|RSET|NOOP|AUTH|\.)/i)) {
errorCount++;
if (errorCount > 3) {
console.log(' [Server] Too many invalid commands');
socket.write('421 4.7.0 Too many errors\r\n');
socket.end();
return;
}
socket.write('500 5.5.1 Command not recognized\r\n');
return;
}
if (command.startsWith('EHLO') || command.startsWith('HELO')) {
socket.write('250-behavior.example.com\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
} else if (command === '.') {
const connectionDuration = Date.now() - connectionStart;
console.log(` [Server] Session duration: ${connectionDuration}ms, commands: ${commandCount}`);
socket.write('250 OK: Message accepted\r\n');
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
} else if (command === 'NOOP') {
socket.write('250 OK\r\n');
}
});
socket.on('timeout', () => {
console.log(' [Server] Connection timeout - possible spam bot');
socket.write('421 4.4.2 Connection timeout\r\n');
socket.end();
});
}
});
// Test normal behavior
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false
});
const email = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Behavior test',
text: 'Testing normal email sending behavior'
});
const result = await smtpClient.sendMail(email);
console.log(' Normal behavior: Accepted');
expect(result).toBeDefined();
await testServer.server.close();
})();
// Scenario 6: Attachment and link scanning
await (async () => {
scenarioCount++;
console.log(`\nScenario ${scenarioCount}: Testing attachment and link scanning`);
const dangerousExtensions = ['.exe', '.scr', '.vbs', '.com', '.bat', '.cmd', '.pif'];
const suspiciousLinks = ['bit.ly', 'tinyurl.com', 'short.link'];
const testServer = await createTestServer({
onConnection: async (socket) => {
console.log(' [Server] Client connected');
socket.write('220 scanner.example.com ESMTP\r\n');
let inData = false;
let messageContent = '';
socket.on('data', (data) => {
const text = data.toString();
if (inData) {
messageContent += text;
if (text.includes('\r\n.\r\n')) {
inData = false;
let threatLevel = 0;
const threats: string[] = [];
// Check for dangerous attachments
const attachmentMatch = messageContent.match(/filename="([^"]+)"/gi);
if (attachmentMatch) {
attachmentMatch.forEach(match => {
const filename = match.match(/filename="([^"]+)"/i)?.[1] || '';
const extension = filename.substring(filename.lastIndexOf('.')).toLowerCase();
if (dangerousExtensions.includes(extension)) {
threatLevel += 10;
threats.push(`Dangerous attachment: ${filename}`);
console.log(` [Server] Found dangerous attachment: ${filename}`);
}
});
}
// Check for suspicious links
const urlMatch = messageContent.match(/https?:\/\/[^\s]+/gi);
if (urlMatch) {
urlMatch.forEach(url => {
if (suspiciousLinks.some(domain => url.includes(domain))) {
threatLevel += 5;
threats.push(`Suspicious link: ${url}`);
console.log(` [Server] Found suspicious link: ${url}`);
}
});
}
// Check for phishing patterns
if (messageContent.includes('verify your account') && urlMatch) {
threatLevel += 5;
threats.push('Possible phishing attempt');
}
console.log(` [Server] Threat level: ${threatLevel}`);
if (threatLevel >= 10) {
socket.write(`550 5.7.1 Message rejected: ${threats.join(', ')}\r\n`);
} else if (threatLevel >= 5) {
socket.write('250 OK: Message flagged for review\r\n');
} else {
socket.write('250 OK: Message scanned and accepted\r\n');
}
messageContent = '';
}
return;
}
const command = text.trim();
console.log(` [Server] Received: ${command}`);
if (command.startsWith('EHLO')) {
socket.write('250-scanner.example.com\r\n');
socket.write('250-SIZE 10485760\r\n');
socket.write('250 OK\r\n');
} else if (command.startsWith('MAIL FROM:')) {
socket.write('250 OK\r\n');
} else if (command.startsWith('RCPT TO:')) {
socket.write('250 OK\r\n');
} else if (command === 'DATA') {
socket.write('354 Start mail input\r\n');
inData = true;
} else if (command === 'QUIT') {
socket.write('221 Bye\r\n');
socket.end();
}
});
}
});
const smtpClient = createSmtpClient({
host: testServer.hostname,
port: testServer.port,
secure: false
});
// Test 1: Clean email with safe attachment
const safeEmail = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Document for review',
text: 'Please find the attached document.',
attachments: [{
filename: 'report.pdf',
content: 'PDF content here'
}]
});
const safeResult = await smtpClient.sendMail(safeEmail);
console.log(' Safe email: Scanned and accepted');
expect(safeResult.response).toContain('scanned and accepted');
// Test 2: Email with suspicious link
const suspiciousEmail = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Check this out',
text: 'Click here: https://bit.ly/abc123 to verify your account',
html: '<p>Click <a href="https://bit.ly/abc123">here</a> to verify your account</p>'
});
const suspiciousResult = await smtpClient.sendMail(suspiciousEmail);
console.log(' Suspicious email: Flagged for review');
expect(suspiciousResult.response).toContain('flagged for review');
// Test 3: Email with dangerous attachment
const dangerousEmail = new plugins.smartmail.Email({
from: 'sender@example.com',
to: ['recipient@example.com'],
subject: 'Important update',
text: 'Please run the attached file',
attachments: [{
filename: 'update.exe',
content: Buffer.from('MZ\x90\x00\x03') // Fake executable header
}]
});
try {
await smtpClient.sendMail(dangerousEmail);
console.log(' Unexpected: Dangerous attachment accepted');
} catch (error) {
console.log(' Dangerous attachment: Rejected');
expect(error.message).toContain('Dangerous attachment');
}
await testServer.server.close();
})();
console.log(`\n${testId}: All ${scenarioCount} anti-spam scenarios tested ✓`);
});