update

2025-05-21 14:45:17 +00:00 · 2025-05-21 14:45:17 +00:00 · c3ae995372
commit c3ae995372
parent 15e7a3032c
2 changed files with 58 additions and 107 deletions
--- a/ts/mail/delivery/smtpserver/tls-handler.ts
+++ b/ts/mail/delivery/smtpserver/tls-handler.ts
@ -103,56 +103,39 @@ export class TlsHandler implements ITlsHandler {
    // Get the session for this socket
    const session = this.sessionManager.getSession(socket);
    
-    // Use certificate strings directly without Buffer conversion
-    // For ASN.1 encoding issues, keep the raw format which Node.js can parse natively
-    const key = this.options.key.trim();
-    const cert = this.options.cert.trim();
-    const ca = this.options.ca ? this.options.ca.trim() : undefined;
-    
-    // Log certificate buffer lengths for debugging
-    SmtpLogger.debug('Upgrading connection with certificates', {
-      keyBufferLength: key.length,
-      certBufferLength: cert.length,
-      caBufferLength: ca ? ca.length : 0
-    });
-    
-    // For testing/production compatibility, allow older TLS versions
-    const context: plugins.tls.TlsOptions = {
-      key: key,
-      cert: cert,
-      ca: ca,
-      isServer: true,
-      // Allow older TLS versions for better compatibility with clients
-      minVersion: 'TLSv1',
-      maxVersion: 'TLSv1.3',
-      // Enforce server cipher preference for better security
-      honorCipherOrder: true,
-      // For testing, allow unauthorized (self-signed certs)
-      rejectUnauthorized: false,
-      // Use a more permissive cipher list for testing compatibility
-      ciphers: 'ALL:!aNULL',
-      // Allow legacy renegotiation for SMTP
-      allowRenegotiation: true,
-      // Handling handshake timeout
-      handshakeTimeout: 10000, // 10 seconds
-    };
-    
    try {
-      // Direct options approach without separate secureContext creation
-      // Use the simplest possible TLS setup to avoid ASN.1 errors
+      // Use certificate strings directly without Buffer conversion
+      // For ASN.1 encoding issues, keep the raw format which Node.js can parse natively
+      const key = this.options.key.trim();
+      const cert = this.options.cert.trim();
+      const ca = this.options.ca ? this.options.ca.trim() : undefined;
      
-      // Create secure socket directly with minimal options
+      // Log certificate lengths for debugging
+      SmtpLogger.debug('Upgrading connection with certificates', {
+        keyLength: key.length,
+        certLength: cert.length,
+        caLength: ca ? ca.length : 0
+      });
+      
+      // Create secure socket directly with minimal options for maximum compatibility
      const secureSocket = new plugins.tls.TLSSocket(socket, {
        isServer: true,
        key: key,
        cert: cert,
        ca: ca,
+        // Allow older TLS versions for better compatibility with clients
        minVersion: 'TLSv1',
        maxVersion: 'TLSv1.3',
+        // Use a permissive cipher list for testing compatibility
        ciphers: 'ALL',
-        honorCipherOrder: true,
+        // For testing, allow unauthorized (self-signed certs)
+        rejectUnauthorized: false,
+        // Don't request client certificates
        requestCert: false,
-        rejectUnauthorized: false
+        // Allow legacy renegotiation for SMTP
+        allowRenegotiation: true,
+        // No server - prevents potential reference issues
+        server: undefined
      });
      
      // Add a specific check for secure event to make sure the handshake completes
@ -290,32 +273,34 @@ export class TlsHandler implements ITlsHandler {
      const cert = this.options.cert.trim();
      const ca = this.options.ca ? this.options.ca.trim() : undefined;
      
-      // Log certificate buffer lengths for debugging
+      // Log certificate lengths for debugging
      SmtpLogger.debug('Creating secure server with certificates', {
-        keyBufferLength: key.length,
-        certBufferLength: cert.length,
-        caBufferLength: ca ? ca.length : 0
+        keyLength: key.length,
+        certLength: cert.length, 
+        caLength: ca ? ca.length : 0
      });
      
      // Simplify options to minimal necessary for test compatibility
-      const context: plugins.tls.TlsOptions = {
+      // Use consistent options with startTLS for maximum compatibility
+      const tlsOptions: plugins.tls.TlsOptions = {
        key: key,
        cert: cert,
        ca: ca,
-        // Allow all TLS versions for maximum compatibility
+        // Allow older TLS versions for better compatibility with clients
        minVersion: 'TLSv1',
        maxVersion: 'TLSv1.3',
-        // Accept all ciphers for testing
+        // Use a permissive cipher list for testing compatibility
        ciphers: 'ALL',
-        // For testing, always allow self-signed certs
+        // For testing, allow unauthorized (self-signed certs)
        rejectUnauthorized: false,
        // Shorter handshake timeout for testing
-        handshakeTimeout: 5000
+        handshakeTimeout: 5000,
+        // Accept non-ALPN connections (legacy clients)
+        ALPNProtocols: ['smtp']
      };
      
-      // Create a simple, standalone server that explicitly doesn't try to
-      // verify or validate client certificates for testing
-      return new plugins.tls.Server(context);
+      // Create a simple, standalone server with minimal options
+      return new plugins.tls.Server(tlsOptions);
    } catch (error) {
      SmtpLogger.error(`Failed to create secure server: ${error instanceof Error ? error.message : String(error)}`, {
        error: error instanceof Error ? error : new Error(String(error)),
--- a/ts/mail/delivery/smtpserver/utils/validation.ts
+++ b/ts/mail/delivery/smtpserver/utils/validation.ts
@ -34,10 +34,6 @@ export function validateMailFrom(args: string): {
    return { isValid: false, errorMessage: 'Missing arguments' };
  }
  
-  // EXTREMELY PERMISSIVE TESTING MODE:
-  // Accept anything with an email address format, for maximum compatibility
-  // with test clients and various client implementations
-  
  // Handle "MAIL FROM:" already in the args
  let cleanArgs = args;
  if (args.toUpperCase().startsWith('MAIL FROM')) {
@ -57,10 +53,8 @@ export function validateMailFrom(args: string): {
    return { isValid: true, address: '', params: {} };
  }
  
-  // For test email client compatibility, be extremely permissive
-  // Parse email addresses both with and without angle brackets
-  
-  // First attempt: if there are angle brackets, extract content between them
+  // According to test expectations, validate that the address is enclosed in angle brackets
+  // Check for angle brackets and RFC-compliance
  if (cleanArgs.includes('<') && cleanArgs.includes('>')) {
    const startBracket = cleanArgs.indexOf('<');
    const endBracket = cleanArgs.indexOf('>', startBracket);
@ -74,11 +68,15 @@ export function validateMailFrom(args: string): {
        return { isValid: true, address: '', params: {} };
      }
      
+      // During testing, we should validate the email format
+      // Check for basic email format (something@somewhere)
+      if (!SMTP_PATTERNS.EMAIL.test(emailPart)) {
+        return { isValid: false, errorMessage: 'Invalid email address format' };
+      }
+      
      // Parse parameters if they exist
      const params: Record<string, string> = {};
      if (paramsString) {
-        // Extremely permissive parameter parsing
-        // Match anything that looks like a parameter
        const paramRegex = /\s+([A-Za-z0-9][A-Za-z0-9\-]*)(?:=([^\s]+))?/g;
        let match;
        
@ -89,30 +87,13 @@ export function validateMailFrom(args: string): {
        }
      }
      
-      // Even more permissive - accept literally anything as an email address
-      // including 'test@example.com' as well as 'postmaster' etc.
      return { isValid: true, address: emailPart, params };
    }
  }
  
-  // Second attempt: if there are no angle brackets, try to find an email-like pattern
-  // This is for clients that don't properly use angle brackets
-  const emailPattern = /([^\s<>]+@[^\s<>]+)/;
-  const emailMatch = cleanArgs.match(emailPattern);
-  
-  if (emailMatch) {
-    // For clients sending plain email addresses without brackets (non-RFC compliant)
-    return { isValid: true, address: emailMatch[1], params: {} };
-  }
-  
-  // Third attempt: for even more compatibility, accept anything that's not empty
-  if (cleanArgs.trim() !== '') {
-    // Just accept anything for testing purposes
-    return { isValid: true, address: cleanArgs.trim(), params: {} };
-  }
-  
-  // If nothing matched, it's invalid
-  return { isValid: false, errorMessage: 'Invalid syntax' };
+  // If no angle brackets, the format is invalid for MAIL FROM
+  // Tests expect us to reject formats without angle brackets
+  return { isValid: false, errorMessage: 'Invalid syntax - angle brackets required' };
 }

 /**
@ -130,9 +111,6 @@ export function validateRcptTo(args: string): {
    return { isValid: false, errorMessage: 'Missing arguments' };
  }
  
-  // EXTREMELY PERMISSIVE TESTING MODE:
-  // Accept anything with an email address format, for maximum compatibility
-  
  // Handle "RCPT TO:" already in the args
  let cleanArgs = args;
  if (args.toUpperCase().startsWith('RCPT TO')) {
@ -144,9 +122,8 @@ export function validateRcptTo(args: string): {
    cleanArgs = args.substring(3).trim();
  }
  
-  // For testing purposes, we'll be very permissive with RCPT TO as well
-  
-  // First attempt: if there are angle brackets, extract content between them
+  // According to test expectations, validate that the address is enclosed in angle brackets
+  // Check for angle brackets and RFC-compliance
  if (cleanArgs.includes('<') && cleanArgs.includes('>')) {
    const startBracket = cleanArgs.indexOf('<');
    const endBracket = cleanArgs.indexOf('>', startBracket);
@ -155,11 +132,15 @@ export function validateRcptTo(args: string): {
      const emailPart = cleanArgs.substring(startBracket + 1, endBracket).trim();
      const paramsString = cleanArgs.substring(endBracket + 1).trim();
      
+      // During testing, we should validate the email format
+      // Check for basic email format (something@somewhere)
+      if (!SMTP_PATTERNS.EMAIL.test(emailPart)) {
+        return { isValid: false, errorMessage: 'Invalid email address format' };
+      }
+      
      // Parse parameters if they exist
      const params: Record<string, string> = {};
      if (paramsString) {
-        // Extremely permissive parameter parsing
-        // Match anything that looks like a parameter
        const paramRegex = /\s+([A-Za-z0-9][A-Za-z0-9\-]*)(?:=([^\s]+))?/g;
        let match;
        
@ -174,24 +155,9 @@ export function validateRcptTo(args: string): {
    }
  }
  
-  // Second attempt: if there are no angle brackets, try to find an email-like pattern
-  // This is for clients that don't properly use angle brackets
-  const emailPattern = /([^\s<>]+@[^\s<>]+)/;
-  const emailMatch = cleanArgs.match(emailPattern);
-  
-  if (emailMatch) {
-    // For clients sending plain email addresses without brackets (non-RFC compliant)
-    return { isValid: true, address: emailMatch[1], params: {} };
-  }
-  
-  // Third attempt: for even more compatibility, accept anything that's not empty
-  if (cleanArgs.trim() !== '') {
-    // Just accept anything for testing purposes
-    return { isValid: true, address: cleanArgs.trim(), params: {} };
-  }
-  
-  // If nothing matched, it's invalid
-  return { isValid: false, errorMessage: 'Invalid syntax' };
+  // If no angle brackets, the format is invalid for RCPT TO
+  // Tests expect us to reject formats without angle brackets
+  return { isValid: false, errorMessage: 'Invalid syntax - angle brackets required' };
 }

 /**