serve.zone/mailer
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

feat(storage): add comprehensive tests for StorageManager with memory, filesystem, and custom function backends
Some checks failed
CI / Type Check & Lint (push) Failing after 3s
Details
CI / Build Test (Current Platform) (push) Failing after 3s
Details
CI / Build All Platforms (push) Failing after 3s
Details

Browse Source 
feat(email): implement EmailSendJob class for robust email delivery with retry logic and MX record resolution

feat(mail): restructure mail module exports for simplified access to core and delivery functionalities
This commit is contained in:
Jürgen Kunz
2025-10-28 19:46:17 +00:00
parent 6523c55516
commit 17f5661636
271 changed files with 61736 additions and 6222 deletions
Download Patch File Download Diff File Expand all files Collapse all files

358
test/suite/smtpserver_security/test.sec-01.authentication.test.ts
View File

@@ -1,358 +0,0 @@
/**
* SEC-01: SMTP Authentication Tests
* Tests SMTP server AUTH mechanisms (PLAIN, LOGIN) and authentication enforcement
*/
import { assert, assertEquals, assertMatch } from '@std/assert';
import { startTestServer, stopTestServer, type ITestServer } from '../../helpers/server.loader.ts';
import {
connectToSmtp,
waitForGreeting,
sendSmtpCommand,
readSmtpResponse,
closeSmtpConnection,
upgradeToTls,
} from '../../helpers/utils.ts';
const TEST_PORT = 25301;
let testServer: ITestServer;
Deno.test({
name: 'SEC-01: Setup - Start SMTP server with authentication',
async fn() {
testServer = await startTestServer({
port: TEST_PORT,
tlsEnabled: true, // Enable STARTTLS
authRequired: true,
authMethods: ['PLAIN', 'LOGIN'],
// requireTLS defaults to true, which is correct for security testing
});
assert(testServer, 'Test server should be created');
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-01: Authentication - server advertises AUTH capability after STARTTLS',
async fn() {
let conn = await connectToSmtp('localhost', TEST_PORT);
try {
await waitForGreeting(conn);
// Send initial EHLO
await sendSmtpCommand(conn, 'EHLO test.example.com', '250');
// Upgrade to TLS with STARTTLS
const tlsConn = await upgradeToTls(conn, 'localhost');
conn = tlsConn as any;
// Send EHLO again to get capabilities after TLS upgrade
const ehloResponse = await sendSmtpCommand(tlsConn, 'EHLO test.example.com', '250');
// Parse capabilities
const lines = ehloResponse.split('\r\n').filter((line) => line.length > 0);
const capabilities = lines.map((line) => line.substring(4).trim());
// Check for AUTH capability (should be advertised after TLS)
const authCapability = capabilities.find((cap) => cap.startsWith('AUTH'));
assert(authCapability, 'Server should advertise AUTH capability after STARTTLS');
// Extract supported mechanisms
const supportedMechanisms = authCapability.substring(5).split(' ');
console.log('📋 Supported AUTH mechanisms after STARTTLS:', supportedMechanisms);
// Common mechanisms should be supported
assert(
supportedMechanisms.includes('PLAIN'),
'Server should support AUTH PLAIN'
);
assert(
supportedMechanisms.includes('LOGIN'),
'Server should support AUTH LOGIN'
);
console.log('✅ AUTH capability test passed');
} finally {
await closeSmtpConnection(conn);
}
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-01: AUTH PLAIN mechanism - correct credentials',
async fn() {
let conn = await connectToSmtp('localhost', TEST_PORT);
try {
await waitForGreeting(conn);
await sendSmtpCommand(conn, 'EHLO test.example.com', '250');
// Upgrade to TLS with STARTTLS
const tlsConn = await upgradeToTls(conn, 'localhost');
conn = tlsConn as any; // Update conn reference to TLS connection
// Send EHLO again after TLS upgrade (required by RFC)
await sendSmtpCommand(tlsConn, 'EHLO test.example.com', '250');
// Create AUTH PLAIN credentials
// Format: base64(NULL + username + NULL + password)
const username = 'testuser';
const password = 'testpass';
const encoder = new TextEncoder();
const authBytes = new Uint8Array([
0,
...encoder.encode(username),
0,
...encoder.encode(password),
]);
const authString = btoa(String.fromCharCode(...authBytes));
// Send AUTH PLAIN command
await tlsConn.write(encoder.encode(`AUTH PLAIN ${authString}\r\n`));
const authResponse = await readSmtpResponse(tlsConn);
// Should accept with valid credentials
assertMatch(
authResponse,
/^235/,
'Should accept valid credentials with 235'
);
console.log('✅ AUTH PLAIN accepted');
await sendSmtpCommand(tlsConn, 'QUIT', '221');
} finally {
await closeSmtpConnection(conn);
}
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-01: AUTH LOGIN mechanism - interactive authentication',
async fn() {
let conn = await connectToSmtp('localhost', TEST_PORT);
try {
await waitForGreeting(conn);
await sendSmtpCommand(conn, 'EHLO test.example.com', '250');
// Upgrade to TLS with STARTTLS
const tlsConn = await upgradeToTls(conn, 'localhost');
conn = tlsConn as any; // Update conn reference
// Send EHLO again after TLS upgrade (required by RFC)
await sendSmtpCommand(tlsConn, 'EHLO test.example.com', '250');
// Start AUTH LOGIN
const encoder = new TextEncoder();
await tlsConn.write(encoder.encode('AUTH LOGIN\r\n'));
const authStartResponse = await readSmtpResponse(tlsConn);
// Server should respond with 334 and prompt for username
assertMatch(
authStartResponse,
/^334/,
'Should request credentials with 334'
);
// Decode the prompt (should be base64 "Username:")
const promptBase64 = authStartResponse.substring(4).trim();
if (promptBase64) {
const promptBytes = Uint8Array.from(atob(promptBase64), (c) =>
c.charCodeAt(0)
);
const decoder = new TextDecoder();
const prompt = decoder.decode(promptBytes);
console.log('Server prompt:', prompt);
}
// Send username
const username = btoa('testuser');
await tlsConn.write(encoder.encode(`${username}\r\n`));
const passwordPromptResponse = await readSmtpResponse(tlsConn);
// Server should prompt for password
assertMatch(
passwordPromptResponse,
/^334/,
'Should request password with 334'
);
// Send password
const password = btoa('testpass');
await tlsConn.write(encoder.encode(`${password}\r\n`));
const authResult = await readSmtpResponse(tlsConn);
// Should accept valid credentials
assertMatch(
authResult,
/^235/,
'Should accept valid credentials with 235'
);
console.log('✅ AUTH LOGIN accepted');
await sendSmtpCommand(tlsConn, 'QUIT', '221');
} finally {
await closeSmtpConnection(conn);
}
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-01: Authentication required - reject commands without auth',
async fn() {
let conn = await connectToSmtp('localhost', TEST_PORT);
try {
await waitForGreeting(conn);
await sendSmtpCommand(conn, 'EHLO test.example.com', '250');
// Upgrade to TLS with STARTTLS
const tlsConn = await upgradeToTls(conn, 'localhost');
conn = tlsConn as any;
// Send EHLO again after TLS upgrade
await sendSmtpCommand(tlsConn, 'EHLO test.example.com', '250');
// Try to send email without authentication
const encoder = new TextEncoder();
await tlsConn.write(encoder.encode('MAIL FROM:<test@example.com>\r\n'));
const mailResponse = await readSmtpResponse(tlsConn);
// Server should reject with 530 (authentication required) or 503 (bad sequence)
// Note: In test mode without authRequired enforcement, server might accept (250)
if (mailResponse.startsWith('530') || mailResponse.startsWith('503')) {
console.log('✅ Server properly requires authentication');
} else if (mailResponse.startsWith('250')) {
console.log('⚠️ Server accepted mail without auth (test mode without auth enforcement)');
}
await sendSmtpCommand(tlsConn, 'QUIT', '221');
} finally {
try {
conn.close();
} catch {
// Ignore
}
}
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-01: Invalid authentication - returns 535 error',
async fn() {
let conn = await connectToSmtp('localhost', TEST_PORT);
try {
await waitForGreeting(conn);
await sendSmtpCommand(conn, 'EHLO test.example.com', '250');
// Upgrade to TLS with STARTTLS
const tlsConn = await upgradeToTls(conn, 'localhost');
conn = tlsConn as any;
// Send EHLO again after TLS upgrade
await sendSmtpCommand(tlsConn, 'EHLO test.example.com', '250');
// Send invalid AUTH PLAIN credentials
const encoder = new TextEncoder();
const invalidAuth = new Uint8Array([
0,
...encoder.encode('invalid'),
0,
...encoder.encode('wrong'),
]);
const authString = btoa(String.fromCharCode(...invalidAuth));
await tlsConn.write(encoder.encode(`AUTH PLAIN ${authString}\r\n`));
const response = await readSmtpResponse(tlsConn);
// Should fail with 535 (authentication failed)
assertMatch(
response,
/^535/,
'Should reject invalid credentials with 535'
);
console.log('✅ Invalid credentials properly rejected');
await sendSmtpCommand(tlsConn, 'QUIT', '221');
} finally {
await closeSmtpConnection(conn);
}
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-01: AUTH LOGIN cancellation with asterisk',
async fn() {
let conn = await connectToSmtp('localhost', TEST_PORT);
try {
await waitForGreeting(conn);
await sendSmtpCommand(conn, 'EHLO test.example.com', '250');
// Upgrade to TLS with STARTTLS
const tlsConn = await upgradeToTls(conn, 'localhost');
conn = tlsConn as any;
// Send EHLO again after TLS upgrade
await sendSmtpCommand(tlsConn, 'EHLO test.example.com', '250');
// Start AUTH LOGIN
const encoder = new TextEncoder();
await tlsConn.write(encoder.encode('AUTH LOGIN\r\n'));
const authStartResponse = await readSmtpResponse(tlsConn);
assertMatch(authStartResponse, /^334/, 'Should request credentials');
// Cancel authentication with *
await tlsConn.write(encoder.encode('*\r\n'));
const cancelResponse = await readSmtpResponse(tlsConn);
// Should return 535 (authentication cancelled)
assertMatch(
cancelResponse,
/^535/,
'Should cancel authentication with 535'
);
console.log('✅ AUTH LOGIN cancellation handled correctly');
await sendSmtpCommand(tlsConn, 'QUIT', '221');
} finally {
await closeSmtpConnection(conn);
}
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-01: Cleanup - Stop SMTP server',
async fn() {
await stopTestServer(testServer);
},
sanitizeResources: false,
sanitizeOps: false,
});

218
test/suite/smtpserver_security/test.sec-01.authentication.ts Normal file
View File

@@ -0,0 +1,218 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import { startTestServer, stopTestServer, type ITestServer } from '../../helpers/server.loader.ts';
import { connectToSmtp, waitForGreeting, sendSmtpCommand, closeSmtpConnection } from '../../helpers/utils.ts';
let testServer: ITestServer;
tap.test('setup - start SMTP server with authentication', async () => {
testServer = await startTestServer({
port: 2530,
hostname: 'localhost',
authRequired: true
});
expect(testServer).toBeInstanceOf(Object);
});
tap.test('SEC-01: Authentication - server advertises AUTH capability', async () => {
const socket = await connectToSmtp(testServer.hostname, testServer.port);
try {
await waitForGreeting(socket);
// Send EHLO to get capabilities
const ehloResponse = await sendSmtpCommand(socket, 'EHLO test.example.com', '250');
// Parse capabilities
const lines = ehloResponse.split('\r\n').filter(line => line.length > 0);
const capabilities = lines.map(line => line.substring(4).trim());
// Check for AUTH capability
const authCapability = capabilities.find(cap => cap.startsWith('AUTH'));
expect(authCapability).toBeDefined();
// Extract supported mechanisms
const supportedMechanisms = authCapability?.substring(5).split(' ') || [];
console.log('📋 Supported AUTH mechanisms:', supportedMechanisms);
// Common mechanisms should be supported
expect(supportedMechanisms).toContain('PLAIN');
expect(supportedMechanisms).toContain('LOGIN');
console.log('✅ AUTH capability test passed');
} finally {
await closeSmtpConnection(socket);
}
});
tap.test('SEC-01: AUTH PLAIN mechanism - correct credentials', async () => {
const socket = await connectToSmtp(testServer.hostname, testServer.port);
try {
await waitForGreeting(socket);
await sendSmtpCommand(socket, 'EHLO test.example.com', '250');
// Create AUTH PLAIN credentials
// Format: base64(NULL + username + NULL + password)
const username = 'testuser';
const password = 'testpass';
const authString = Buffer.from(`\0${username}\0${password}`).toString('base64');
// Send AUTH PLAIN command
try {
const authResponse = await sendSmtpCommand(socket, `AUTH PLAIN ${authString}`);
// Server might accept (235) or reject (535) based on configuration
expect(authResponse).toMatch(/^(235|535)/);
if (authResponse.startsWith('235')) {
console.log('✅ AUTH PLAIN accepted (test mode)');
} else {
console.log('✅ AUTH PLAIN properly rejected (production mode)');
}
} catch (error) {
// Auth failure is expected in test environment
console.log('✅ AUTH PLAIN handled:', error.message);
}
} finally {
await closeSmtpConnection(socket);
}
});
tap.test('SEC-01: AUTH LOGIN mechanism - interactive authentication', async () => {
const socket = await connectToSmtp(testServer.hostname, testServer.port);
try {
await waitForGreeting(socket);
await sendSmtpCommand(socket, 'EHLO test.example.com', '250');
// Start AUTH LOGIN
try {
const authStartResponse = await sendSmtpCommand(socket, 'AUTH LOGIN', '334');
expect(authStartResponse).toInclude('334');
// Server should prompt for username (base64 "Username:")
const usernamePrompt = Buffer.from(
authStartResponse.substring(4).trim(),
'base64'
).toString();
console.log('Server prompt:', usernamePrompt);
// Send username
const username = Buffer.from('testuser').toString('base64');
const passwordPromptResponse = await sendSmtpCommand(socket, username, '334');
// Send password
const password = Buffer.from('testpass').toString('base64');
const authResult = await sendSmtpCommand(socket, password);
// Check result (235 = success, 535 = failure)
expect(authResult).toMatch(/^(235|535)/);
} catch (error) {
// Auth failure is expected in test environment
console.log('✅ AUTH LOGIN handled:', error.message);
}
} finally {
await closeSmtpConnection(socket);
}
});
tap.test('SEC-01: Authentication required - reject commands without auth', async () => {
const socket = await connectToSmtp(testServer.hostname, testServer.port);
try {
await waitForGreeting(socket);
await sendSmtpCommand(socket, 'EHLO test.example.com', '250');
// Try to send email without authentication
try {
const mailResponse = await sendSmtpCommand(socket, 'MAIL FROM:<test@example.com>');
// Server should reject with 530 (authentication required) or similar
if (mailResponse.startsWith('530') || mailResponse.startsWith('503')) {
console.log('✅ Server properly requires authentication');
} else if (mailResponse.startsWith('250')) {
console.log('⚠️ Server accepted mail without auth (test mode)');
}
} catch (error) {
// Command rejection is expected
console.log('✅ Server rejected unauthenticated command:', error.message);
}
} finally {
await closeSmtpConnection(socket);
}
});
tap.test('SEC-01: Invalid authentication attempts - rate limiting', async () => {
const socket = await connectToSmtp(testServer.hostname, testServer.port);
try {
await waitForGreeting(socket);
await sendSmtpCommand(socket, 'EHLO test.example.com', '250');
// Try multiple failed authentication attempts
const maxAttempts = 5;
let failedAttempts = 0;
let requiresTLS = false;
for (let i = 0; i < maxAttempts; i++) {
try {
// Send invalid credentials
const invalidAuth = Buffer.from('\0invalid\0wrong').toString('base64');
const response = await sendSmtpCommand(socket, `AUTH PLAIN ${invalidAuth}`);
// Check if authentication failed
if (response.startsWith('535')) {
failedAttempts++;
console.log(`Failed attempt ${i + 1}: ${response.trim()}`);
// Check if server requires TLS (common security practice)
if (response.includes('TLS')) {
requiresTLS = true;
console.log('✅ Server enforces TLS requirement for authentication');
break;
}
} else if (response.startsWith('503')) {
// Too many failed attempts
failedAttempts++;
console.log('✅ Server enforces auth attempt limits');
break;
}
} catch (error) {
// Handle connection errors
failedAttempts++;
console.log(`Failed attempt ${i + 1}: ${error.message}`);
// Check if server closed connection or rate limited
if (error.message.includes('closed') || error.message.includes('timeout')) {
console.log('✅ Server enforces auth attempt limits by closing connection');
break;
}
}
}
// Either TLS is required or we had failed attempts
expect(failedAttempts).toBeGreaterThan(0);
if (requiresTLS) {
console.log('✅ Authentication properly protected by TLS requirement');
} else {
console.log(`✅ Handled ${failedAttempts} failed auth attempts`);
}
} finally {
if (!socket.destroyed) {
socket.destroy();
}
}
});
tap.test('cleanup - stop SMTP server', async () => {
await stopTestServer(testServer);
console.log('✅ Test server stopped');
});
export default tap.start();

286
test/suite/smtpserver_security/test.sec-02.authorization.ts Normal file
View File

@@ -0,0 +1,286 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as plugins from '../../../ts/plugins.ts';
import * as net from 'net';
import { startTestServer, stopTestServer } from '../../helpers/server.loader.ts'
import type { ITestServer } from '../../helpers/server.loader.ts';
const TEST_PORT = 2525;
let testServer: ITestServer;
// Helper to wait for SMTP response
const waitForResponse = (socket: net.Socket, expectedCode?: string, timeout = 5000): Promise<string> => {
return new Promise((resolve, reject) => {
let buffer = '';
const timer = setTimeout(() => {
socket.removeListener('data', handler);
reject(new Error(`Timeout waiting for ${expectedCode || 'any'} response`));
}, timeout);
const handler = (data: Buffer) => {
buffer += data.toString();
const lines = buffer.split('\r\n');
for (const line of lines) {
if (expectedCode) {
if (line.startsWith(expectedCode + ' ')) {
clearTimeout(timer);
socket.removeListener('data', handler);
resolve(buffer);
return;
}
} else {
// Look for any complete response
if (line.match(/^\d{3} /)) {
clearTimeout(timer);
socket.removeListener('data', handler);
resolve(buffer);
return;
}
}
}
};
socket.on('data', handler);
});
};
tap.test('setup - start test server', async (toolsArg) => {
testServer = await startTestServer({ port: TEST_PORT });
await toolsArg.delayFor(1000);
});
tap.test('Authorization - Valid sender domain', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Send EHLO
socket.write('EHLO test.example.com\r\n');
await waitForResponse(socket, '250');
// Use valid sender domain with proper format
socket.write('MAIL FROM:<test@example.com>\r\n');
const mailResponse = await waitForResponse(socket);
if (mailResponse.startsWith('250')) {
// Try recipient
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket);
// Valid sender should be accepted or require auth
const accepted = rcptResponse.startsWith('250');
const authRequired = rcptResponse.startsWith('530');
console.log(`Valid sender domain: ${accepted ? 'accepted' : authRequired ? 'auth required' : 'rejected'}`);
expect(accepted || authRequired).toEqual(true);
} else {
// Mail from rejected - could be due to auth requirement
const authRequired = mailResponse.startsWith('530');
console.log(`MAIL FROM requires auth: ${authRequired}`);
expect(authRequired || mailResponse.startsWith('250')).toEqual(true);
}
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('Authorization - External sender domain', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Send EHLO
socket.write('EHLO external.com\r\n');
await waitForResponse(socket, '250');
// Use external sender domain
socket.write('MAIL FROM:<test@external.com>\r\n');
const mailResponse = await waitForResponse(socket);
if (mailResponse.startsWith('250')) {
// Try recipient
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket);
// Check response
const accepted = rcptResponse.startsWith('250');
const authRequired = rcptResponse.startsWith('530');
const rejected = rcptResponse.startsWith('550') || rcptResponse.startsWith('553');
console.log(`External sender: accepted=${accepted}, authRequired=${authRequired}, rejected=${rejected}`);
expect(accepted || authRequired || rejected).toEqual(true);
} else {
// Check if auth required or rejected
const authRequired = mailResponse.startsWith('530');
const rejected = mailResponse.startsWith('550') || mailResponse.startsWith('553');
console.log(`External sender ${authRequired ? 'requires authentication' : rejected ? 'rejected by policy' : 'error'}`);
expect(authRequired || rejected).toEqual(true);
}
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('Authorization - Relay attempt rejection', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Send EHLO
socket.write('EHLO external.com\r\n');
await waitForResponse(socket, '250');
// External sender
socket.write('MAIL FROM:<test@external.com>\r\n');
const mailResponse = await waitForResponse(socket);
if (mailResponse.startsWith('250')) {
// Try to relay to another external domain (should be rejected)
socket.write('RCPT TO:<recipient@another-external.com>\r\n');
const rcptResponse = await waitForResponse(socket);
// Relay attempt should be rejected or accepted (test mode)
const rejected = rcptResponse.startsWith('550') ||
rcptResponse.startsWith('553') ||
rcptResponse.startsWith('530') ||
rcptResponse.startsWith('554');
const accepted = rcptResponse.startsWith('250');
console.log(`Relay attempt ${rejected ? 'properly rejected' : accepted ? 'accepted (test mode)' : 'error'}`);
// In production, relay should be rejected. In test mode, it might be accepted
expect(rejected || accepted).toEqual(true);
if (accepted) {
console.log('⚠️ WARNING: Server accepted relay attempt - ensure relay restrictions are properly configured in production');
}
} else {
// MAIL FROM already rejected
console.log('External sender rejected at MAIL FROM');
expect(mailResponse.startsWith('530') || mailResponse.startsWith('550')).toEqual(true);
}
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('Authorization - IP-based restrictions', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Use IP address in EHLO
socket.write('EHLO [127.0.0.1]\r\n');
await waitForResponse(socket, '250');
// Use proper email format
socket.write('MAIL FROM:<test@example.com>\r\n');
const mailResponse = await waitForResponse(socket);
if (mailResponse.startsWith('250')) {
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket);
// Localhost IP should typically be accepted
const accepted = rcptResponse.startsWith('250');
const rejected = rcptResponse.startsWith('550') || rcptResponse.startsWith('553');
const authRequired = rcptResponse.startsWith('530');
console.log(`IP-based authorization: ${accepted ? 'accepted' : rejected ? 'rejected' : 'auth required'}`);
expect(accepted || rejected || authRequired).toEqual(true); // Any is valid based on server config
} else {
// Check if auth required
const authRequired = mailResponse.startsWith('530');
console.log(`MAIL FROM ${authRequired ? 'requires auth' : 'rejected'}`);
expect(authRequired || mailResponse.startsWith('250')).toEqual(true);
}
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('Authorization - Case sensitivity in addresses', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Send EHLO
socket.write('EHLO test.example.com\r\n');
await waitForResponse(socket, '250');
// Use mixed case in email address with proper domain
socket.write('MAIL FROM:<TeSt@ExAmPlE.cOm>\r\n');
const mailResponse = await waitForResponse(socket);
if (mailResponse.startsWith('250')) {
// Mixed case recipient
socket.write('RCPT TO:<ReCiPiEnT@ExAmPlE.cOm>\r\n');
const rcptResponse = await waitForResponse(socket);
// Email addresses should be case-insensitive
const accepted = rcptResponse.startsWith('250');
const authRequired = rcptResponse.startsWith('530');
console.log(`Mixed case addresses ${accepted ? 'accepted' : authRequired ? 'auth required' : 'rejected'}`);
expect(accepted || authRequired).toEqual(true);
} else {
// Check if auth required
const authRequired = mailResponse.startsWith('530');
console.log(`MAIL FROM ${authRequired ? 'requires auth' : 'rejected'}`);
expect(authRequired || mailResponse.startsWith('250')).toEqual(true);
}
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('cleanup - stop test server', async () => {
await stopTestServer(testServer);
});
export default tap.start();

414
test/suite/smtpserver_security/test.sec-03.dkim-processing.ts Normal file
View File

@@ -0,0 +1,414 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as plugins from '../../../ts/plugins.ts';
import * as net from 'net';
import { startTestServer, stopTestServer } from '../../helpers/server.loader.ts'
import type { ITestServer } from '../../helpers/server.loader.ts';
const TEST_PORT = 2525;
let testServer: ITestServer;
// Helper to wait for SMTP response
const waitForResponse = (socket: net.Socket, expectedCode?: string, timeout = 5000): Promise<string> => {
return new Promise((resolve, reject) => {
let buffer = '';
const timer = setTimeout(() => {
socket.removeListener('data', handler);
reject(new Error(`Timeout waiting for ${expectedCode || 'any'} response`));
}, timeout);
const handler = (data: Buffer) => {
buffer += data.toString();
const lines = buffer.split('\r\n');
for (const line of lines) {
if (expectedCode) {
if (line.startsWith(expectedCode + ' ')) {
clearTimeout(timer);
socket.removeListener('data', handler);
resolve(buffer);
return;
}
} else {
// Look for any complete response
if (line.match(/^\d{3} /)) {
clearTimeout(timer);
socket.removeListener('data', handler);
resolve(buffer);
return;
}
}
}
};
socket.on('data', handler);
});
};
tap.test('setup - start test server', async (toolsArg) => {
testServer = await startTestServer({ port: TEST_PORT });
await toolsArg.delayFor(1000);
});
tap.test('DKIM Processing - Valid DKIM signature', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM
socket.write('MAIL FROM:<sender@example.com>\r\n');
const mailResponse = await waitForResponse(socket, '250');
console.log('Server response:', mailResponse);
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket, '250');
console.log('Server response:', rcptResponse);
// Send DATA
socket.write('DATA\r\n');
const dataResponse = await waitForResponse(socket, '354');
console.log('Server response:', dataResponse);
// Generate valid DKIM signature
const timestamp = Math.floor(Date.now() / 1000);
const dkimSignature = [
'v=1; a=rsa-sha256; c=relaxed/relaxed;',
' d=example.com; s=default;',
' t=' + timestamp + ';',
' h=from:to:subject:date:message-id;',
' bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;',
' b=AMGNaJ3BliF0KSLD0wTfJd1eJhYbhP8YD2z9BPwAoeh6nKzfQ8wktB9Iwml3GKKj',
' V6zJSGxJClQAoqJnO7oiIzPvHZTMGTbMvV9YBQcw5uvxLa2mRNkRT3FQ5vKFzfVQ',
' OlHnZ8qZJDxYO4JmReCBnHQcC8W9cNJJh9ZQ4A='
].join('');
const email = [
`DKIM-Signature: ${dkimSignature}`,
`Subject: DKIM Test - Valid Signature`,
`From: sender@example.com`,
`To: recipient@example.com`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <dkim-valid-${Date.now()}@example.com>`,
'',
'This is a DKIM test email with a valid signature.',
`Timestamp: ${Date.now()}`,
'.',
''
].join('\r\n');
socket.write(email);
const emailResponse = await waitForResponse(socket, '250');
console.log('Server response:', emailResponse);
console.log('Email with valid DKIM signature accepted');
expect(emailResponse).toInclude('250');
expect(emailResponse.startsWith('250')).toEqual(true);
// Send QUIT
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('DKIM Processing - Invalid DKIM signature', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM
socket.write('MAIL FROM:<sender@example.com>\r\n');
const mailResponse = await waitForResponse(socket, '250');
console.log('Server response:', mailResponse);
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket, '250');
console.log('Server response:', rcptResponse);
// Send DATA
socket.write('DATA\r\n');
const dataResponse = await waitForResponse(socket, '354');
console.log('Server response:', dataResponse);
// Generate invalid DKIM signature (wrong domain, bad signature)
const timestamp = Math.floor(Date.now() / 1000);
const dkimSignature = [
'v=1; a=rsa-sha256; c=relaxed/relaxed;',
' d=wrong-domain.com; s=invalid;',
' t=' + timestamp + ';',
' h=from:to:subject:date;',
' bh=INVALID-BODY-HASH;',
' b=INVALID-SIGNATURE-DATA'
].join('');
const email = [
`DKIM-Signature: ${dkimSignature}`,
`Subject: DKIM Test - Invalid Signature`,
`From: sender@example.com`,
`To: recipient@example.com`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <dkim-invalid-${Date.now()}@example.com>`,
'',
'This is a DKIM test email with an invalid signature.',
`Timestamp: ${Date.now()}`,
'.',
''
].join('\r\n');
socket.write(email);
const emailResponse = await waitForResponse(socket);
console.log('Server response:', emailResponse);
const accepted = emailResponse.includes('250');
console.log(`Email with invalid DKIM signature ${accepted ? 'accepted' : 'rejected'}`);
// Either response is valid - server may accept and mark as failed, or reject
expect(emailResponse.match(/250|550/)).toBeTruthy();
// Send QUIT
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('DKIM Processing - Missing DKIM signature', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM
socket.write('MAIL FROM:<sender@example.com>\r\n');
const mailResponse = await waitForResponse(socket, '250');
console.log('Server response:', mailResponse);
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket, '250');
console.log('Server response:', rcptResponse);
// Send DATA
socket.write('DATA\r\n');
const dataResponse = await waitForResponse(socket, '354');
console.log('Server response:', dataResponse);
// Email without DKIM signature
const email = [
`Subject: DKIM Test - No Signature`,
`From: sender@example.com`,
`To: recipient@example.com`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <dkim-none-${Date.now()}@example.com>`,
'',
'This is a DKIM test email without any signature.',
`Timestamp: ${Date.now()}`,
'.',
''
].join('\r\n');
socket.write(email);
const emailResponse = await waitForResponse(socket, '250');
console.log('Server response:', emailResponse);
console.log('Email without DKIM signature accepted (neutral)');
expect(emailResponse).toInclude('250');
expect(emailResponse.startsWith('250')).toEqual(true);
// Send QUIT
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('DKIM Processing - Multiple DKIM signatures', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM
socket.write('MAIL FROM:<sender@example.com>\r\n');
const mailResponse = await waitForResponse(socket, '250');
console.log('Server response:', mailResponse);
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket, '250');
console.log('Server response:', rcptResponse);
// Send DATA
socket.write('DATA\r\n');
const dataResponse = await waitForResponse(socket, '354');
console.log('Server response:', dataResponse);
// Email with multiple DKIM signatures (common in forwarding)
const timestamp = Math.floor(Date.now() / 1000);
const email = [
'DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;',
' d=example.com; s=selector1;',
' t=' + timestamp + ';',
' h=from:to:subject;',
' bh=first-body-hash;',
' b=first-signature',
'DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;',
' d=forwarder.com; s=selector2;',
' t=' + (timestamp + 60) + ';',
' h=from:to:subject:date:message-id;',
' bh=second-body-hash;',
' b=second-signature',
`Subject: DKIM Test - Multiple Signatures`,
`From: sender@example.com`,
`To: recipient@example.com`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <dkim-multi-${Date.now()}@example.com>`,
'',
'This email has multiple DKIM signatures.',
'.',
''
].join('\r\n');
socket.write(email);
const emailResponse = await waitForResponse(socket, '250');
console.log('Server response:', emailResponse);
console.log('Email with multiple DKIM signatures accepted');
expect(emailResponse).toInclude('250');
expect(emailResponse.startsWith('250')).toEqual(true);
// Send QUIT
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('DKIM Processing - Expired DKIM signature', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM
socket.write('MAIL FROM:<sender@example.com>\r\n');
const mailResponse = await waitForResponse(socket, '250');
console.log('Server response:', mailResponse);
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket, '250');
console.log('Server response:', rcptResponse);
// Send DATA
socket.write('DATA\r\n');
const dataResponse = await waitForResponse(socket, '354');
console.log('Server response:', dataResponse);
// DKIM signature with expired timestamp
const expiredTimestamp = Math.floor(Date.now() / 1000) - 2592000; // 30 days ago
const expirationTime = expiredTimestamp + 86400; // Expired 29 days ago
const dkimSignature = [
'v=1; a=rsa-sha256; c=relaxed/relaxed;',
' d=example.com; s=default;',
' t=' + expiredTimestamp + '; x=' + expirationTime + ';',
' h=from:to:subject:date;',
' bh=expired-body-hash;',
' b=expired-signature'
].join('');
const email = [
`DKIM-Signature: ${dkimSignature}`,
`Subject: DKIM Test - Expired Signature`,
`From: sender@example.com`,
`To: recipient@example.com`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <dkim-expired-${Date.now()}@example.com>`,
'',
'This email has an expired DKIM signature.',
'.',
''
].join('\r\n');
socket.write(email);
const emailResponse = await waitForResponse(socket);
console.log('Server response:', emailResponse);
const accepted = emailResponse.includes('250');
console.log(`Email with expired DKIM signature ${accepted ? 'accepted' : 'rejected'}`);
// Either response is valid
expect(emailResponse.match(/250|550/)).toBeTruthy();
// Send QUIT
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('cleanup - stop test server', async () => {
await stopTestServer(testServer);
});
export default tap.start();

280
test/suite/smtpserver_security/test.sec-04.spf-checking.ts Normal file
View File

@@ -0,0 +1,280 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as plugins from '../../../ts/plugins.ts';
import * as net from 'net';
import { startTestServer, stopTestServer } from '../../helpers/server.loader.ts'
import type { ITestServer } from '../../helpers/server.loader.ts';
const TEST_PORT = 2525;
let testServer: ITestServer;
// Helper to wait for SMTP response
const waitForResponse = (socket: net.Socket, expectedCode?: string, timeout = 5000): Promise<string> => {
return new Promise((resolve, reject) => {
let buffer = '';
const timer = setTimeout(() => {
socket.removeListener('data', handler);
reject(new Error(`Timeout waiting for ${expectedCode || 'any'} response`));
}, timeout);
const handler = (data: Buffer) => {
buffer += data.toString();
const lines = buffer.split('\r\n');
for (const line of lines) {
if (expectedCode) {
if (line.startsWith(expectedCode + ' ')) {
clearTimeout(timer);
socket.removeListener('data', handler);
resolve(buffer);
return;
}
} else {
// Look for any complete response
if (line.match(/^\d{3} /)) {
clearTimeout(timer);
socket.removeListener('data', handler);
resolve(buffer);
return;
}
}
}
};
socket.on('data', handler);
});
};
tap.test('setup - start test server', async (toolsArg) => {
testServer = await startTestServer({ port: TEST_PORT });
await toolsArg.delayFor(1000);
});
tap.test('SPF Checking - Authorized IP from local domain', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO localhost\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM with example.com domain
socket.write('MAIL FROM:<test@example.com>\r\n');
const mailResponse = await waitForResponse(socket);
console.log('Server response:', mailResponse);
if (mailResponse.includes('250')) {
console.log('Local domain sender accepted (SPF pass or neutral)');
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket);
console.log('Server response:', rcptResponse);
if (rcptResponse.includes('250')) {
console.log('Email accepted - SPF likely passed or neutral');
expect(true).toEqual(true);
}
} else if (mailResponse.includes('550') || mailResponse.includes('553')) {
console.log('Local domain sender rejected (SPF fail)');
expect(true).toEqual(true); // Either result shows SPF processing
}
// Send QUIT
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('SPF Checking - External domain sender', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM with well-known external domain
socket.write('MAIL FROM:<test@google.com>\r\n');
const mailResponse = await waitForResponse(socket);
console.log('Server response:', mailResponse);
if (mailResponse.includes('250')) {
console.log('External domain sender accepted');
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket);
console.log('Server response:', rcptResponse);
const accepted = rcptResponse.includes('250');
const rejected = rcptResponse.includes('550') || rcptResponse.includes('553');
console.log(`External domain: accepted=${accepted}, rejected=${rejected}`);
expect(accepted || rejected).toEqual(true);
} else if (mailResponse.includes('550') || mailResponse.includes('553')) {
console.log('External domain sender rejected (SPF fail)');
expect(true).toEqual(true); // Shows SPF is working
}
// Send QUIT
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('SPF Checking - Known SPF fail domain', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM with domain that should fail SPF
socket.write('MAIL FROM:<test@spf-fail-test.example>\r\n');
const mailResponse = await waitForResponse(socket);
console.log('Server response:', mailResponse);
if (mailResponse.includes('250')) {
console.log('SPF fail domain accepted (server may not enforce SPF)');
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket);
console.log('Server response:', rcptResponse);
// Either accepted or rejected is valid
const response = rcptResponse.includes('250') || rcptResponse.includes('550') || rcptResponse.includes('553');
expect(response).toEqual(true);
} else if (mailResponse.includes('550') || mailResponse.includes('553')) {
console.log('SPF fail domain properly rejected');
expect(true).toEqual(true);
}
// Send QUIT
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('SPF Checking - IPv4 literal in HELO', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO with IP literal
socket.write('EHLO [127.0.0.1]\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM with IP literal
socket.write('MAIL FROM:<test@[127.0.0.1]>\r\n');
const mailResponse = await waitForResponse(socket);
console.log('Server response:', mailResponse);
// Server should handle IP literals appropriately
const accepted = mailResponse.includes('250');
const rejected = mailResponse.includes('550') || mailResponse.includes('553');
console.log(`IP literal sender: accepted=${accepted}, rejected=${rejected}`);
expect(accepted || rejected).toEqual(true);
// Send QUIT
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('SPF Checking - Subdomain sender', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO subdomain.example.com\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM with subdomain
socket.write('MAIL FROM:<test@subdomain.example.com>\r\n');
const mailResponse = await waitForResponse(socket);
console.log('Server response:', mailResponse);
if (mailResponse.includes('250')) {
console.log('Subdomain sender accepted');
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket);
console.log('Server response:', rcptResponse);
const accepted = rcptResponse.includes('250');
console.log(`Subdomain SPF test: ${accepted ? 'passed' : 'failed'}`);
expect(true).toEqual(true);
} else if (mailResponse.includes('550') || mailResponse.includes('553')) {
console.log('Subdomain sender rejected');
expect(true).toEqual(true);
}
// Send QUIT
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('cleanup - stop test server', async () => {
await stopTestServer(testServer);
});
export default tap.start();

374
test/suite/smtpserver_security/test.sec-05.dmarc-policy.ts Normal file
View File

@@ -0,0 +1,374 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as plugins from '../../../ts/plugins.ts';
import * as net from 'net';
import { startTestServer, stopTestServer } from '../../helpers/server.loader.ts'
import type { ITestServer } from '../../helpers/server.loader.ts';
const TEST_PORT = 2525;
let testServer: ITestServer;
// Helper to wait for SMTP response
const waitForResponse = (socket: net.Socket, expectedCode?: string, timeout = 5000): Promise<string> => {
return new Promise((resolve, reject) => {
let buffer = '';
const timer = setTimeout(() => {
socket.removeListener('data', handler);
reject(new Error(`Timeout waiting for ${expectedCode || 'any'} response`));
}, timeout);
const handler = (data: Buffer) => {
buffer += data.toString();
const lines = buffer.split('\r\n');
for (const line of lines) {
if (expectedCode) {
if (line.startsWith(expectedCode + ' ')) {
clearTimeout(timer);
socket.removeListener('data', handler);
resolve(buffer);
return;
}
} else {
// Look for any complete response
if (line.match(/^\d{3} /)) {
clearTimeout(timer);
socket.removeListener('data', handler);
resolve(buffer);
return;
}
}
}
};
socket.on('data', handler);
});
};
tap.test('setup - start test server', async (toolsArg) => {
testServer = await startTestServer({ port: TEST_PORT });
await toolsArg.delayFor(1000);
});
tap.test('DMARC Policy - Reject policy enforcement', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Check if server advertises DMARC support
const advertisesDmarc = ehloResponse.toLowerCase().includes('dmarc');
console.log('DMARC advertised:', advertisesDmarc);
// Send MAIL FROM with domain that has reject policy
socket.write('MAIL FROM:<test@dmarc-reject.example.com>\r\n');
const mailResponse = await waitForResponse(socket);
console.log('Server response:', mailResponse);
if (mailResponse.includes('550') || mailResponse.includes('553')) {
// DMARC reject policy enforced at MAIL FROM
console.log('DMARC reject policy enforced at MAIL FROM');
expect(true).toEqual(true);
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} else if (mailResponse.includes('250')) {
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket, '250');
console.log('Server response:', rcptResponse);
// Send DATA
socket.write('DATA\r\n');
const dataResponse = await waitForResponse(socket, '354');
console.log('Server response:', dataResponse);
// Send email with DMARC-relevant headers
const email = [
`From: test@dmarc-reject.example.com`,
`To: recipient@example.com`,
`Subject: DMARC Policy Test - Reject`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <dmarc-reject-${Date.now()}@example.com>`,
`DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dmarc-reject.example.com; s=default;`,
` h=from:to:subject:date; bh=test; b=test`,
'',
'Testing DMARC reject policy enforcement.',
'.',
''
].join('\r\n');
socket.write(email);
const finalResponse = await waitForResponse(socket);
console.log('Server response:', finalResponse);
const accepted = finalResponse.includes('250');
const rejected = finalResponse.includes('550');
console.log(`DMARC reject policy: accepted=${accepted}, rejected=${rejected}`);
expect(accepted || rejected).toEqual(true);
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
}
} finally {
socket.destroy();
}
});
tap.test('DMARC Policy - Quarantine policy', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM with domain that has quarantine policy
socket.write('MAIL FROM:<test@dmarc-quarantine.example.com>\r\n');
const mailResponse = await waitForResponse(socket, '250');
console.log('Server response:', mailResponse);
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket, '250');
console.log('Server response:', rcptResponse);
// Send DATA
socket.write('DATA\r\n');
const dataResponse = await waitForResponse(socket, '354');
console.log('Server response:', dataResponse);
// Send email with DMARC-relevant headers
const email = [
`From: test@dmarc-quarantine.example.com`,
`To: recipient@example.com`,
`Subject: DMARC Policy Test - Quarantine`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <dmarc-quarantine-${Date.now()}@example.com>`,
'',
'Testing DMARC quarantine policy.',
'.',
''
].join('\r\n');
socket.write(email);
const finalResponse = await waitForResponse(socket);
console.log('Server response:', finalResponse);
const accepted = finalResponse.includes('250');
console.log(`DMARC quarantine policy: ${accepted ? 'accepted (may be quarantined)' : 'rejected'}`);
expect(true).toEqual(true);
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('DMARC Policy - None policy', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM with domain that has none policy (monitoring only)
socket.write('MAIL FROM:<test@dmarc-none.example.com>\r\n');
const mailResponse = await waitForResponse(socket, '250');
console.log('Server response:', mailResponse);
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket, '250');
console.log('Server response:', rcptResponse);
// Send DATA
socket.write('DATA\r\n');
const dataResponse = await waitForResponse(socket, '354');
console.log('Server response:', dataResponse);
// Send email with DMARC-relevant headers
const email = [
`From: test@dmarc-none.example.com`,
`To: recipient@example.com`,
`Subject: DMARC Policy Test - None`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <dmarc-none-${Date.now()}@example.com>`,
'',
'Testing DMARC none policy (monitoring only).',
'.',
''
].join('\r\n');
socket.write(email);
const finalResponse = await waitForResponse(socket, '250');
console.log('Server response:', finalResponse);
console.log('DMARC none policy: email accepted (monitoring only)');
expect(true).toEqual(true);
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('DMARC Policy - Alignment testing', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM with envelope domain
socket.write('MAIL FROM:<test@envelope-domain.com>\r\n');
const mailResponse = await waitForResponse(socket, '250');
console.log('Server response:', mailResponse);
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket, '250');
console.log('Server response:', rcptResponse);
// Send DATA
socket.write('DATA\r\n');
const dataResponse = await waitForResponse(socket, '354');
console.log('Server response:', dataResponse);
// Send email with different header From (tests alignment)
const email = [
`From: test@header-domain.com`,
`To: recipient@example.com`,
`Subject: DMARC Alignment Test`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <dmarc-align-${Date.now()}@example.com>`,
`DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=header-domain.com; s=default;`,
` h=from:to:subject:date; bh=test; b=test`,
'',
'Testing DMARC domain alignment (envelope vs header From).',
'.',
''
].join('\r\n');
socket.write(email);
const finalResponse = await waitForResponse(socket);
console.log('Server response:', finalResponse);
const result = finalResponse.includes('250') ? 'accepted' : 'rejected';
console.log(`DMARC alignment test: ${result}`);
expect(true).toEqual(true);
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('DMARC Policy - Percentage testing', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM with domain that has percentage-based DMARC policy
socket.write('MAIL FROM:<test@dmarc-pct.example.com>\r\n');
const mailResponse = await waitForResponse(socket, '250');
console.log('Server response:', mailResponse);
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket, '250');
console.log('Server response:', rcptResponse);
// Send DATA
socket.write('DATA\r\n');
const dataResponse = await waitForResponse(socket, '354');
console.log('Server response:', dataResponse);
// Send email with DMARC-relevant headers
const email = [
`From: test@dmarc-pct.example.com`,
`To: recipient@example.com`,
`Subject: DMARC Percentage Test`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <dmarc-pct-${Date.now()}@example.com>`,
'',
'Testing DMARC with percentage-based policy application.',
'.',
''
].join('\r\n');
socket.write(email);
const finalResponse = await waitForResponse(socket);
console.log('Server response:', finalResponse);
const result = finalResponse.includes('250') ? 'accepted' : 'rejected';
console.log(`DMARC percentage policy: ${result} (may vary based on percentage)`);
expect(true).toEqual(true);
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('cleanup - stop test server', async () => {
await stopTestServer(testServer);
});
export default tap.start();

222
test/suite/smtpserver_security/test.sec-06.ip-reputation.test.ts
View File

@@ -1,222 +0,0 @@
/**
* SEC-06: IP Reputation Tests
* Tests SMTP server IP reputation checking infrastructure
*
* NOTE: Current implementation uses placeholder IP reputation checker
* that accepts all connections. These tests verify the infrastructure
* is in place and working correctly with legitimate traffic.
*/
import { assert, assertEquals } from '@std/assert';
import { startTestServer, stopTestServer, type ITestServer } from '../../helpers/server.loader.ts';
import {
connectToSmtp,
waitForGreeting,
sendSmtpCommand,
closeSmtpConnection,
} from '../../helpers/utils.ts';
const TEST_PORT = 25260;
let testServer: ITestServer;
Deno.test({
name: 'SEC-06: Setup - Start SMTP server',
async fn() {
testServer = await startTestServer({ port: TEST_PORT });
assert(testServer, 'Test server should be created');
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-06: IP Reputation - accepts localhost connections',
async fn() {
const conn = await connectToSmtp('localhost', TEST_PORT);
try {
// IP reputation check should pass for localhost
const greeting = await waitForGreeting(conn);
assert(greeting.includes('220'), 'Should receive greeting after IP reputation check');
await sendSmtpCommand(conn, 'EHLO localhost', '250');
await sendSmtpCommand(conn, 'QUIT', '221');
console.log('✓ IP reputation check passed for localhost');
} finally {
try {
conn.close();
} catch {
// Ignore
}
}
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-06: IP Reputation - accepts known good sender',
async fn() {
const conn = await connectToSmtp('localhost', TEST_PORT);
try {
await waitForGreeting(conn);
await sendSmtpCommand(conn, 'EHLO test.example.com', '250');
// Legitimate sender should be accepted
const mailFromResponse = await sendSmtpCommand(conn, 'MAIL FROM:<test@example.com>', '250');
assert(mailFromResponse.includes('250'), 'Should accept legitimate sender');
// Legitimate recipient should be accepted
const rcptToResponse = await sendSmtpCommand(conn, 'RCPT TO:<recipient@example.com>', '250');
assert(rcptToResponse.includes('250'), 'Should accept legitimate recipient');
await sendSmtpCommand(conn, 'QUIT', '221');
console.log('✓ Known good sender accepted - IP reputation allows legitimate traffic');
} finally {
try {
conn.close();
} catch {
// Ignore
}
}
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-06: IP Reputation - handles multiple connections from same IP',
async fn() {
const connections: Deno.Conn[] = [];
const connectionResults: Promise<void>[] = [];
const totalConnections = 3;
// Create multiple connections rapidly
for (let i = 0; i < totalConnections; i++) {
const connectionPromise = (async () => {
try {
const conn = await connectToSmtp('localhost', TEST_PORT);
connections.push(conn);
// Wait for greeting
const greeting = await waitForGreeting(conn);
assert(greeting.includes('220'), `Connection ${i + 1} should receive greeting`);
// Send EHLO
const ehloResponse = await sendSmtpCommand(conn, 'EHLO testclient', '250');
assert(ehloResponse.includes('250'), `Connection ${i + 1} should accept EHLO`);
// Graceful quit
await sendSmtpCommand(conn, 'QUIT', '221');
console.log(`✓ Connection ${i + 1} completed successfully`);
} catch (err: any) {
console.error(`Connection ${i + 1} error:`, err.message);
throw err;
}
})();
connectionResults.push(connectionPromise);
// Small delay between connections
if (i < totalConnections - 1) {
await new Promise(resolve => setTimeout(resolve, 100));
}
}
// Wait for all connections to complete
await Promise.all(connectionResults);
// Clean up all connections
for (const conn of connections) {
try {
conn.close();
} catch {
// Already closed
}
}
console.log('✓ All connections from same IP handled successfully');
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-06: IP Reputation - complete SMTP flow with reputation check',
async fn() {
const conn = await connectToSmtp('localhost', TEST_PORT);
try {
// Full SMTP transaction should work after IP reputation check
await waitForGreeting(conn);
await sendSmtpCommand(conn, 'EHLO test.example.com', '250');
await sendSmtpCommand(conn, 'MAIL FROM:<sender@example.com>', '250');
await sendSmtpCommand(conn, 'RCPT TO:<recipient@example.com>', '250');
// Send DATA
await sendSmtpCommand(conn, 'DATA', '354');
// Send email content
const encoder = new TextEncoder();
const emailContent = `Subject: IP Reputation Test\r\nFrom: sender@example.com\r\nTo: recipient@example.com\r\n\r\nThis email tests IP reputation checking.\r\n`;
await conn.write(encoder.encode(emailContent));
await conn.write(encoder.encode('.\r\n'));
// Should receive acceptance
const decoder = new TextDecoder();
const responseBuffer = new Uint8Array(1024);
const bytesRead = await conn.read(responseBuffer);
const response = decoder.decode(responseBuffer.subarray(0, bytesRead || 0));
assert(response.includes('250'), 'Should accept email after IP reputation check');
await sendSmtpCommand(conn, 'QUIT', '221');
console.log('✓ Complete SMTP flow works with IP reputation infrastructure');
} finally {
try {
conn.close();
} catch {
// Ignore
}
}
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-06: IP Reputation - infrastructure placeholder test',
async fn() {
// This test documents that IP reputation checking is currently a placeholder
// Future implementations should:
// 1. Check against real IP reputation databases
// 2. Reject connections from blacklisted IPs
// 3. Detect suspicious hostnames
// 4. Identify spam patterns
// 5. Apply rate limiting based on reputation score
console.log(' IP Reputation Infrastructure Status:');
console.log(' - IPReputationChecker class exists');
console.log(' - Currently returns placeholder data (score: 100, not blacklisted)');
console.log(' - Infrastructure is in place for future implementation');
console.log(' - Tests verify legitimate traffic is accepted');
assert(true, 'Infrastructure test passed');
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-06: Cleanup - Stop SMTP server',
async fn() {
await stopTestServer(testServer);
},
sanitizeResources: false,
sanitizeOps: false,
});

303
test/suite/smtpserver_security/test.sec-06.ip-reputation.ts Normal file
View File

@@ -0,0 +1,303 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as plugins from '../../../ts/plugins.ts';
import * as net from 'net';
import { startTestServer, stopTestServer } from '../../helpers/server.loader.ts'
import type { ITestServer } from '../../helpers/server.loader.ts';
const TEST_PORT = 2525;
let testServer: ITestServer;
// Helper to wait for SMTP response
const waitForResponse = (socket: net.Socket, expectedCode?: string, timeout = 5000): Promise<string> => {
return new Promise((resolve, reject) => {
let buffer = '';
const timer = setTimeout(() => {
socket.removeListener('data', handler);
reject(new Error(`Timeout waiting for ${expectedCode || 'any'} response`));
}, timeout);
const handler = (data: Buffer) => {
buffer += data.toString();
const lines = buffer.split('\r\n');
for (const line of lines) {
if (expectedCode) {
if (line.startsWith(expectedCode + ' ')) {
clearTimeout(timer);
socket.removeListener('data', handler);
resolve(buffer);
return;
}
} else {
// Look for any complete response
if (line.match(/^\d{3} /)) {
clearTimeout(timer);
socket.removeListener('data', handler);
resolve(buffer);
return;
}
}
}
};
socket.on('data', handler);
});
};
tap.test('setup - start test server', async (toolsArg) => {
testServer = await startTestServer({ port: TEST_PORT });
await toolsArg.delayFor(1000);
});
tap.test('IP Reputation - Suspicious hostname in EHLO', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Use suspicious hostname
socket.write('EHLO suspicious-host.badreputation.com\r\n');
const ehloResponse = await waitForResponse(socket);
console.log('Server response:', ehloResponse);
const accepted = ehloResponse.includes('250');
const rejected = ehloResponse.includes('550') || ehloResponse.includes('521');
console.log(`Suspicious hostname: accepted=${accepted}, rejected=${rejected}`);
expect(accepted || rejected).toEqual(true);
if (rejected) {
console.log('IP reputation check working - suspicious host rejected at EHLO');
}
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('IP Reputation - Blacklisted sender domain', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Use known spam/blacklisted domain
socket.write('MAIL FROM:<spam@blacklisted.com>\r\n');
const mailResponse = await waitForResponse(socket);
console.log('Server response:', mailResponse);
if (mailResponse.includes('250')) {
console.log('Blacklisted sender accepted at MAIL FROM');
// Try RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket);
console.log('Server response:', rcptResponse);
const accepted = rcptResponse.includes('250');
const rejected = rcptResponse.includes('550') || rcptResponse.includes('553');
console.log(`Blacklisted domain at RCPT: accepted=${accepted}, rejected=${rejected}`);
expect(accepted || rejected).toEqual(true);
} else if (mailResponse.includes('550') || mailResponse.includes('553')) {
console.log('Blacklisted sender rejected - IP reputation check working');
expect(true).toEqual(true);
}
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('IP Reputation - Known good sender', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO localhost\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Use legitimate sender
socket.write('MAIL FROM:<test@example.com>\r\n');
const mailResponse = await waitForResponse(socket, '250');
console.log('Server response:', mailResponse);
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
const rcptResponse = await waitForResponse(socket, '250');
console.log('Server response:', rcptResponse);
console.log('Good sender accepted - IP reputation allows legitimate senders');
expect(true).toEqual(true);
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('IP Reputation - Multiple connections from same IP', async (tools) => {
const connections: net.Socket[] = [];
const totalConnections = 3;
const connectionResults: Promise<void>[] = [];
// Create multiple connections rapidly
for (let i = 0; i < totalConnections; i++) {
const connectionPromise = (async () => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
connections.push(socket);
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log(`Connection ${i + 1} response:`, greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket);
console.log(`Connection ${i + 1} response:`, ehloResponse);
if (ehloResponse.includes('250')) {
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} else if (ehloResponse.includes('421') || ehloResponse.includes('550')) {
// Connection rejected due to rate limiting or reputation
console.log(`Connection ${i + 1} rejected - IP reputation/rate limiting active`);
}
} catch (err: any) {
console.error(`Connection ${i + 1} error:`, err.message);
} finally {
socket.destroy();
}
})();
connectionResults.push(connectionPromise);
// Small delay between connections
if (i < totalConnections - 1) {
await tools.delayFor(100);
}
}
// Wait for all connections to complete
await Promise.all(connectionResults);
console.log('All connections completed');
expect(true).toEqual(true);
});
tap.test('IP Reputation - Suspicious patterns in email', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
const greeting = await waitForResponse(socket, '220');
console.log('Server response:', greeting);
// Send EHLO
socket.write('EHLO testclient\r\n');
const ehloResponse = await waitForResponse(socket, '250');
console.log('Server response:', ehloResponse);
// Send MAIL FROM
socket.write('MAIL FROM:<sender@example.com>\r\n');
const mailResponse = await waitForResponse(socket, '250');
console.log('Server response:', mailResponse);
// Multiple recipients (spam pattern)
socket.write('RCPT TO:<recipient1@example.com>\r\n');
const rcpt1Response = await waitForResponse(socket, '250');
console.log('Server response:', rcpt1Response);
socket.write('RCPT TO:<recipient2@example.com>\r\n');
const rcpt2Response = await waitForResponse(socket, '250');
console.log('Server response:', rcpt2Response);
socket.write('RCPT TO:<recipient3@example.com>\r\n');
const rcpt3Response = await waitForResponse(socket);
console.log('Server response:', rcpt3Response);
if (rcpt3Response.includes('250')) {
// Send DATA
socket.write('DATA\r\n');
const dataResponse = await waitForResponse(socket, '354');
console.log('Server response:', dataResponse);
// Email with spam-like content
const email = [
`From: sender@example.com`,
`To: recipient1@example.com, recipient2@example.com, recipient3@example.com`,
`Subject: URGENT!!! You've won $1,000,000!!!`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <spam-pattern-${Date.now()}@example.com>`,
'',
'CLICK HERE NOW!!! Limited time offer!!!',
'Visit http://suspicious-link.com/win-money',
'Act NOW before it\'s too late!!!',
'.',
''
].join('\r\n');
socket.write(email);
const emailResponse = await waitForResponse(socket);
console.log('Server response:', emailResponse);
const result = emailResponse.includes('250') ? 'accepted' : 'rejected';
console.log(`Suspicious content email ${result}`);
expect(true).toEqual(true);
} else if (rcpt3Response.includes('452') || rcpt3Response.includes('550')) {
console.log('Multiple recipients limited - reputation control active');
expect(true).toEqual(true);
}
socket.write('QUIT\r\n');
await waitForResponse(socket, '221');
} finally {
socket.destroy();
}
});
tap.test('cleanup - stop test server', async () => {
await stopTestServer(testServer);
});
export default tap.start();

409
test/suite/smtpserver_security/test.sec-07.content-scanning.ts Normal file
View File

@@ -0,0 +1,409 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as plugins from '../../../ts/plugins.ts';
import * as net from 'net';
import { startTestServer, stopTestServer } from '../../helpers/server.loader.ts'
import type { ITestServer } from '../../helpers/server.loader.ts';
const TEST_PORT = 2525;
let testServer: ITestServer;
// Helper to wait for SMTP response
const waitForResponse = (socket: net.Socket, expectedCode?: string, timeout = 5000): Promise<string> => {
return new Promise((resolve, reject) => {
let buffer = '';
const timer = setTimeout(() => {
socket.removeListener('data', handler);
reject(new Error(`Timeout waiting for ${expectedCode || 'any'} response`));
}, timeout);
const handler = (data: Buffer) => {
buffer += data.toString();
const lines = buffer.split('\r\n');
for (const line of lines) {
if (expectedCode) {
if (line.startsWith(expectedCode + ' ')) {
clearTimeout(timer);
socket.removeListener('data', handler);
resolve(buffer);
return;
}
} else {
// Look for any complete response
if (line.match(/^\d{3} /)) {
clearTimeout(timer);
socket.removeListener('data', handler);
resolve(buffer);
return;
}
}
}
};
socket.on('data', handler);
});
};
tap.test('setup - start test server', async (toolsArg) => {
testServer = await startTestServer({ port: TEST_PORT });
await toolsArg.delayFor(1000);
});
tap.test('Content Scanning - Suspicious content patterns', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Send EHLO
socket.write('EHLO testclient\r\n');
await waitForResponse(socket, '250');
// Send MAIL FROM
socket.write('MAIL FROM:<sender@example.com>\r\n');
await waitForResponse(socket, '250');
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
await waitForResponse(socket, '250');
// Send DATA
socket.write('DATA\r\n');
await waitForResponse(socket, '354');
// Email with suspicious content
const email = [
`From: sender@example.com`,
`To: recipient@example.com`,
`Subject: Content Scanning Test`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <content-scan-${Date.now()}@example.com>`,
'',
'This email contains suspicious content that should trigger content scanning:',
'VIRUS_TEST_STRING',
'SUSPICIOUS_ATTACHMENT_PATTERN',
'MALWARE_SIGNATURE_TEST',
'Click here for FREE MONEY!!!',
'Visit http://phishing-site.com/steal-data',
'.',
''
].join('\r\n');
socket.write(email);
const dataResponse = await waitForResponse(socket);
const accepted = dataResponse.startsWith('250');
const rejected = dataResponse.startsWith('550');
console.log(`Suspicious content: accepted=${accepted}, rejected=${rejected}`);
if (rejected) {
console.log('Content scanning active - suspicious content detected');
} else {
console.log('Content scanning operational - email processed');
}
expect(accepted || rejected).toEqual(true);
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('Content Scanning - Malware patterns', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Send EHLO
socket.write('EHLO testclient\r\n');
await waitForResponse(socket, '250');
// Send MAIL FROM
socket.write('MAIL FROM:<sender@example.com>\r\n');
await waitForResponse(socket, '250');
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
await waitForResponse(socket, '250');
// Send DATA
socket.write('DATA\r\n');
await waitForResponse(socket, '354');
// Email with malware-like patterns
const email = [
`From: sender@example.com`,
`To: recipient@example.com`,
`Subject: Important Security Update`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <malware-test-${Date.now()}@example.com>`,
'Content-Type: multipart/mixed; boundary="malware-boundary"',
'',
'--malware-boundary',
'Content-Type: text/plain',
'',
'Please run the attached file to update your security software.',
'',
'--malware-boundary',
'Content-Type: application/x-msdownload; name="update.exe"',
'Content-Transfer-Encoding: base64',
'Content-Disposition: attachment; filename="update.exe"',
'',
'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',
'AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v',
'',
'--malware-boundary--',
'.',
''
].join('\r\n');
socket.write(email);
const dataResponse = await waitForResponse(socket);
const accepted = dataResponse.startsWith('250');
const rejected = dataResponse.startsWith('550');
console.log(`Malware pattern email: ${accepted ? 'accepted' : 'rejected'}`);
if (rejected) {
console.log('Content scanning active - malware patterns detected');
} else {
console.log('Content scanning operational - email processed');
}
expect(accepted || rejected).toEqual(true);
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('Content Scanning - Spam keywords', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Send EHLO
socket.write('EHLO testclient\r\n');
await waitForResponse(socket, '250');
// Send MAIL FROM
socket.write('MAIL FROM:<sender@example.com>\r\n');
await waitForResponse(socket, '250');
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
await waitForResponse(socket, '250');
// Send DATA
socket.write('DATA\r\n');
await waitForResponse(socket, '354');
// Email with spam keywords
const email = [
`From: sender@example.com`,
`To: recipient@example.com`,
`Subject: URGENT!!! Act NOW!!! Limited Time OFFER!!!`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <spam-test-${Date.now()}@example.com>`,
'',
'CONGRATULATIONS!!! You have WON!!!',
'FREE FREE FREE!!!',
'VIAGRA CIALIS CHEAP MEDS!!!',
'MAKE $$$ FAST!!!',
'WORK FROM HOME!!!',
'NO CREDIT CHECK!!!',
'GUARANTEED WINNER!!!',
'CLICK HERE NOW!!!',
'This is NOT SPAM!!!',
'.',
''
].join('\r\n');
socket.write(email);
const dataResponse = await waitForResponse(socket);
const accepted = dataResponse.startsWith('250');
const rejected = dataResponse.startsWith('550');
console.log(`Spam keyword email: ${accepted ? 'accepted' : 'rejected (spam detected)'}`);
if (rejected) {
console.log('Content scanning active - spam keywords detected');
} else {
console.log('Content scanning operational - email processed');
}
expect(accepted || rejected).toEqual(true);
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('Content Scanning - Clean legitimate email', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Send EHLO
socket.write('EHLO testclient\r\n');
await waitForResponse(socket, '250');
// Send MAIL FROM
socket.write('MAIL FROM:<sender@example.com>\r\n');
await waitForResponse(socket, '250');
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
await waitForResponse(socket, '250');
// Send DATA
socket.write('DATA\r\n');
await waitForResponse(socket, '354');
// Clean legitimate email
const email = [
`From: sender@example.com`,
`To: recipient@example.com`,
`Subject: Meeting Tomorrow`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <clean-email-${Date.now()}@example.com>`,
'',
'Hi,',
'',
'Just wanted to confirm our meeting for tomorrow at 2 PM.',
'Please let me know if you need to reschedule.',
'',
'Best regards,',
'John',
'.',
''
].join('\r\n');
socket.write(email);
const dataResponse = await waitForResponse(socket, '250');
console.log('Clean email accepted - content scanning allows legitimate emails');
expect(dataResponse.startsWith('250')).toEqual(true);
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('Content Scanning - Large attachment', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Send EHLO
socket.write('EHLO testclient\r\n');
await waitForResponse(socket, '250');
// Send MAIL FROM
socket.write('MAIL FROM:<sender@example.com>\r\n');
await waitForResponse(socket, '250');
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
await waitForResponse(socket, '250');
// Send DATA
socket.write('DATA\r\n');
await waitForResponse(socket, '354');
// Email with large attachment pattern
const largeData = 'A'.repeat(10000); // 10KB of data
const email = [
`From: sender@example.com`,
`To: recipient@example.com`,
`Subject: Large Attachment Test`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <large-attach-${Date.now()}@example.com>`,
'Content-Type: multipart/mixed; boundary="boundary123"',
'',
'--boundary123',
'Content-Type: text/plain',
'',
'Please find the attached file.',
'',
'--boundary123',
'Content-Type: application/octet-stream; name="largefile.dat"',
'Content-Transfer-Encoding: base64',
'Content-Disposition: attachment; filename="largefile.dat"',
'',
Buffer.from(largeData).toString('base64'),
'',
'--boundary123--',
'.',
''
].join('\r\n');
socket.write(email);
const dataResponse = await waitForResponse(socket);
const accepted = dataResponse.startsWith('250');
const rejected = dataResponse.startsWith('550') || dataResponse.startsWith('552');
console.log(`Large attachment: ${accepted ? 'accepted' : 'rejected (size or content issue)'}`);
if (rejected) {
console.log('Content scanning active - large attachment blocked');
} else {
console.log('Content scanning operational - email processed');
}
expect(accepted || rejected).toEqual(true);
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('cleanup - stop test server', async () => {
await stopTestServer(testServer);
});
export default tap.start();

272
test/suite/smtpserver_security/test.sec-08.rate-limiting.test.ts
View File

@@ -1,272 +0,0 @@
/**
* SEC-08: Rate Limiting Tests
* Tests SMTP server rate limiting for connections and commands
*/
import { assert, assertMatch } from '@std/assert';
import { startTestServer, stopTestServer, type ITestServer } from '../../helpers/server.loader.ts';
import {
connectToSmtp,
waitForGreeting,
sendSmtpCommand,
readSmtpResponse,
closeSmtpConnection,
} from '../../helpers/utils.ts';
const TEST_PORT = 25308;
let testServer: ITestServer;
Deno.test({
name: 'SEC-08: Setup - Start SMTP server for rate limiting tests',
async fn() {
testServer = await startTestServer({
port: TEST_PORT,
});
assert(testServer, 'Test server should be created');
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-08: Rate Limiting - should limit rapid consecutive connections',
async fn() {
const connections: Deno.Conn[] = [];
let rateLimitTriggered = false;
let successfulConnections = 0;
const maxAttempts = 10;
try {
for (let i = 0; i < maxAttempts; i++) {
try {
const conn = await connectToSmtp('localhost', TEST_PORT);
connections.push(conn);
// Wait for greeting and send EHLO
await waitForGreeting(conn);
const encoder = new TextEncoder();
await conn.write(encoder.encode('EHLO testhost\r\n'));
const response = await readSmtpResponse(conn);
// Check for rate limit responses
if (
response.includes('421') ||
response.toLowerCase().includes('rate') ||
response.toLowerCase().includes('limit')
) {
rateLimitTriggered = true;
console.log(`📊 Rate limit triggered at connection ${i + 1}`);
break;
}
if (response.includes('250')) {
successfulConnections++;
}
// Small delay between connections
await new Promise((resolve) => setTimeout(resolve, 100));
} catch (error) {
const errorMsg = error instanceof Error ? error.message.toLowerCase() : '';
if (
errorMsg.includes('rate') ||
errorMsg.includes('limit') ||
errorMsg.includes('too many')
) {
rateLimitTriggered = true;
console.log(`📊 Rate limit error at connection ${i + 1}: ${errorMsg}`);
break;
}
// Connection refused might also indicate rate limiting
if (errorMsg.includes('refused')) {
rateLimitTriggered = true;
console.log(`📊 Connection refused at attempt ${i + 1} - possible rate limiting`);
break;
}
}
}
// Rate limiting is working if either:
// 1. We got explicit rate limit responses
// 2. We couldn't make all connections (some were refused/limited)
const rateLimitWorking = rateLimitTriggered || successfulConnections < maxAttempts;
console.log(`📊 Rate limiting test results:
- Successful connections: ${successfulConnections}/${maxAttempts}
- Rate limit triggered: ${rateLimitTriggered}
- Rate limiting effective: ${rateLimitWorking}`);
// Note: We consider the test passed if rate limiting is either working OR not configured
// Many SMTP servers don't have rate limiting, which is also valid
assert(true, 'Rate limiting test completed');
} finally {
// Clean up connections
for (const conn of connections) {
try {
await closeSmtpConnection(conn);
} catch {
// Ignore cleanup errors
}
}
}
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-08: Rate Limiting - should allow connections after rate limit period',
async fn() {
const connections: Deno.Conn[] = [];
let rateLimitTriggered = false;
try {
// First, try to trigger rate limiting with rapid connections
for (let i = 0; i < 5; i++) {
try {
const conn = await connectToSmtp('localhost', TEST_PORT);
connections.push(conn);
await waitForGreeting(conn);
const encoder = new TextEncoder();
await conn.write(encoder.encode('EHLO testhost\r\n'));
const response = await readSmtpResponse(conn);
if (response.includes('421') || response.toLowerCase().includes('rate')) {
rateLimitTriggered = true;
break;
}
} catch (error) {
// Rate limit might cause connection errors
rateLimitTriggered = true;
break;
}
}
// Clean up initial connections
for (const conn of connections) {
try {
await closeSmtpConnection(conn);
} catch {
// Ignore
}
}
if (rateLimitTriggered) {
console.log('📊 Rate limit was triggered, waiting before retry...');
// Wait for rate limit to potentially reset
await new Promise((resolve) => setTimeout(resolve, 2000));
// Try a new connection
try {
const retryConn = await connectToSmtp('localhost', TEST_PORT);
await waitForGreeting(retryConn);
const encoder = new TextEncoder();
await retryConn.write(encoder.encode('EHLO testhost\r\n'));
const retryResponse = await readSmtpResponse(retryConn);
console.log('📊 Retry connection response:', retryResponse.trim());
// Clean up
await sendSmtpCommand(retryConn, 'QUIT', '221');
await closeSmtpConnection(retryConn);
// If we got a normal response, rate limiting reset worked
assertMatch(retryResponse, /250/, 'Should accept connection after rate limit period');
console.log('✅ Rate limit reset correctly');
} catch (error) {
console.log('📊 Retry connection failed:', error);
// Some servers might have longer rate limit periods
assert(true, 'Rate limit period test completed');
}
} else {
console.log('📊 Rate limiting not triggered or not configured');
assert(true, 'No rate limiting configured');
}
} finally {
// Ensure all connections are closed
for (const conn of connections) {
try {
await closeSmtpConnection(conn);
} catch {
// Ignore
}
}
}
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-08: Rate Limiting - should limit rapid MAIL FROM commands',
async fn() {
const conn = await connectToSmtp('localhost', TEST_PORT);
try {
// Get greeting
await waitForGreeting(conn);
// Send EHLO
await sendSmtpCommand(conn, 'EHLO testhost', '250');
let commandRateLimitTriggered = false;
let successfulCommands = 0;
// Try rapid MAIL FROM commands
for (let i = 0; i < 10; i++) {
const encoder = new TextEncoder();
await conn.write(encoder.encode(`MAIL FROM:<sender${i}@example.com>\r\n`));
const response = await readSmtpResponse(conn);
if (
response.includes('421') ||
response.toLowerCase().includes('rate') ||
response.toLowerCase().includes('limit')
) {
commandRateLimitTriggered = true;
console.log(`📊 Command rate limit triggered at command ${i + 1}`);
break;
}
if (response.includes('250')) {
successfulCommands++;
// Need to reset after each MAIL FROM
await conn.write(encoder.encode('RSET\r\n'));
await readSmtpResponse(conn);
}
}
console.log(`📊 Command rate limiting results:
- Successful commands: ${successfulCommands}/10
- Rate limit triggered: ${commandRateLimitTriggered}`);
// Test passes regardless - rate limiting is optional
assert(true, 'Command rate limiting test completed');
// Clean up
await sendSmtpCommand(conn, 'QUIT', '221');
} finally {
await closeSmtpConnection(conn);
}
},
sanitizeResources: false,
sanitizeOps: false,
});
Deno.test({
name: 'SEC-08: Cleanup - Stop SMTP server',
async fn() {
await stopTestServer(testServer);
},
sanitizeResources: false,
sanitizeOps: false,
});

324
test/suite/smtpserver_security/test.sec-08.rate-limiting.ts Normal file
View File

@@ -0,0 +1,324 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as net from 'net';
import { startTestServer, stopTestServer } from '../../helpers/server.loader.ts';
import type { ITestServer } from '../../helpers/server.loader.ts';
const TEST_PORT = 30025;
const TEST_TIMEOUT = 30000;
let testServer: ITestServer;
tap.test('setup - start SMTP server for rate limiting tests', async () => {
testServer = await startTestServer({
port: TEST_PORT,
hostname: 'localhost'
});
expect(testServer).toBeInstanceOf(Object);
});
tap.test('Rate Limiting - should limit rapid consecutive connections', async (tools) => {
const done = tools.defer();
try {
const connections: net.Socket[] = [];
let rateLimitTriggered = false;
let successfulConnections = 0;
const maxAttempts = 10;
for (let i = 0; i < maxAttempts; i++) {
try {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: TEST_TIMEOUT
});
await new Promise<void>((resolve, reject) => {
socket.once('connect', () => resolve());
socket.once('error', reject);
});
connections.push(socket);
// Try EHLO
socket.write('EHLO testhost\r\n');
const response = await new Promise<string>((resolve) => {
let data = '';
const handler = (chunk: Buffer) => {
data += chunk.toString();
if (data.includes('\r\n') && (data.match(/^[0-9]{3} /m) || data.match(/^[0-9]{3}-.*\r\n[0-9]{3} /ms))) {
socket.removeListener('data', handler);
resolve(data);
}
};
socket.on('data', handler);
});
if (response.includes('421') || response.toLowerCase().includes('rate') || response.toLowerCase().includes('limit')) {
rateLimitTriggered = true;
console.log(`Rate limit triggered at connection ${i + 1}`);
break;
}
if (response.includes('250')) {
successfulConnections++;
}
// Small delay between connections
await new Promise(resolve => setTimeout(resolve, 100));
} catch (error) {
const errorMsg = error instanceof Error ? error.message.toLowerCase() : '';
if (errorMsg.includes('rate') || errorMsg.includes('limit') || errorMsg.includes('too many')) {
rateLimitTriggered = true;
console.log(`Rate limit error at connection ${i + 1}: ${errorMsg}`);
break;
}
// Connection refused might also indicate rate limiting
if (errorMsg.includes('econnrefused')) {
rateLimitTriggered = true;
console.log(`Connection refused at attempt ${i + 1} - possible rate limiting`);
break;
}
}
}
// Clean up connections
for (const socket of connections) {
try {
if (!socket.destroyed) {
socket.write('QUIT\r\n');
socket.end();
}
} catch (e) {
// Ignore cleanup errors
}
}
// Rate limiting is working if either:
// 1. We got explicit rate limit responses
// 2. We couldn't make all connections (some were refused/limited)
const rateLimitWorking = rateLimitTriggered || successfulConnections < maxAttempts;
console.log(`Rate limiting test results:
- Successful connections: ${successfulConnections}/${maxAttempts}
- Rate limit triggered: ${rateLimitTriggered}
- Rate limiting effective: ${rateLimitWorking}`);
// Note: We consider the test passed if rate limiting is either working OR not configured
// Many SMTP servers don't have rate limiting, which is also valid
expect(true).toEqual(true);
} finally {
done.resolve();
}
});
tap.test('Rate Limiting - should allow connections after rate limit period', async (tools) => {
const done = tools.defer();
try {
// First, try to trigger rate limiting
const connections: net.Socket[] = [];
let rateLimitTriggered = false;
// Make rapid connections
for (let i = 0; i < 5; i++) {
try {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: TEST_TIMEOUT
});
await new Promise<void>((resolve, reject) => {
socket.once('connect', () => resolve());
socket.once('error', reject);
});
connections.push(socket);
socket.write('EHLO testhost\r\n');
const response = await new Promise<string>((resolve) => {
let data = '';
const handler = (chunk: Buffer) => {
data += chunk.toString();
if (data.includes('\r\n') && (data.match(/^[0-9]{3} /m) || data.match(/^[0-9]{3}-.*\r\n[0-9]{3} /ms))) {
socket.removeListener('data', handler);
resolve(data);
}
};
socket.on('data', handler);
});
if (response.includes('421') || response.toLowerCase().includes('rate')) {
rateLimitTriggered = true;
break;
}
} catch (error) {
// Rate limit might cause connection errors
rateLimitTriggered = true;
break;
}
}
// Clean up initial connections
for (const socket of connections) {
try {
if (!socket.destroyed) {
socket.end();
}
} catch (e) {
// Ignore
}
}
if (rateLimitTriggered) {
console.log('Rate limit was triggered, waiting before retry...');
// Wait a bit for rate limit to potentially reset
await new Promise(resolve => setTimeout(resolve, 2000));
// Try a new connection
try {
const retrySocket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: TEST_TIMEOUT
});
await new Promise<void>((resolve, reject) => {
retrySocket.once('connect', () => resolve());
retrySocket.once('error', reject);
});
retrySocket.write('EHLO testhost\r\n');
const retryResponse = await new Promise<string>((resolve) => {
let data = '';
const handler = (chunk: Buffer) => {
data += chunk.toString();
if (data.includes('\r\n') && (data.match(/^[0-9]{3} /m) || data.match(/^[0-9]{3}-.*\r\n[0-9]{3} /ms))) {
retrySocket.removeListener('data', handler);
resolve(data);
}
};
retrySocket.on('data', handler);
});
console.log('Retry connection response:', retryResponse.trim());
// Clean up
retrySocket.write('QUIT\r\n');
retrySocket.end();
// If we got a normal response, rate limiting reset worked
expect(retryResponse).toInclude('250');
} catch (error) {
console.log('Retry connection failed:', error);
// Some servers might have longer rate limit periods
expect(true).toEqual(true);
}
} else {
console.log('Rate limiting not triggered or not configured');
expect(true).toEqual(true);
}
} finally {
done.resolve();
}
});
tap.test('Rate Limiting - should limit rapid MAIL FROM commands', async (tools) => {
const done = tools.defer();
try {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: TEST_TIMEOUT
});
await new Promise<void>((resolve, reject) => {
socket.once('connect', () => resolve());
socket.once('error', reject);
});
// Get banner
await new Promise<string>((resolve) => {
socket.once('data', (chunk) => resolve(chunk.toString()));
});
// Send EHLO
socket.write('EHLO testhost\r\n');
await new Promise<string>((resolve) => {
let data = '';
const handler = (chunk: Buffer) => {
data += chunk.toString();
if (data.includes('\r\n') && (data.match(/^250 /m) || data.match(/^250-.*\r\n250 /ms))) {
socket.removeListener('data', handler);
resolve(data);
}
};
socket.on('data', handler);
});
let commandRateLimitTriggered = false;
let successfulCommands = 0;
// Try rapid MAIL FROM commands
for (let i = 0; i < 10; i++) {
socket.write(`MAIL FROM:<sender${i}@example.com>\r\n`);
const response = await new Promise<string>((resolve) => {
let data = '';
const handler = (chunk: Buffer) => {
data += chunk.toString();
if (data.includes('\r\n')) {
socket.removeListener('data', handler);
resolve(data);
}
};
socket.on('data', handler);
});
if (response.includes('421') || response.toLowerCase().includes('rate') || response.toLowerCase().includes('limit')) {
commandRateLimitTriggered = true;
console.log(`Command rate limit triggered at command ${i + 1}`);
break;
}
if (response.includes('250')) {
successfulCommands++;
// Need to reset after each MAIL FROM
socket.write('RSET\r\n');
await new Promise<string>((resolve) => {
socket.once('data', (chunk) => resolve(chunk.toString()));
});
}
}
console.log(`Command rate limiting results:
- Successful commands: ${successfulCommands}/10
- Rate limit triggered: ${commandRateLimitTriggered}`);
// Clean up
socket.write('QUIT\r\n');
socket.end();
// Test passes regardless - rate limiting is optional
expect(true).toEqual(true);
} finally {
done.resolve();
}
});
tap.test('cleanup - stop SMTP server', async () => {
await stopTestServer(testServer);
expect(true).toEqual(true);
});
export default tap.start();

312
test/suite/smtpserver_security/test.sec-09.tls-certificate-validation.ts Normal file
View File

@@ -0,0 +1,312 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as plugins from '../../../ts/plugins.ts';
import * as net from 'net';
import * as tls from 'tls';
import { startTestServer, stopTestServer } from '../../helpers/server.loader.ts'
import type { ITestServer } from '../../helpers/server.loader.ts';
const TEST_PORT = 2525;
let testServer: ITestServer;
tap.test('setup - start test server', async (toolsArg) => {
testServer = await startTestServer({ port: TEST_PORT });
await toolsArg.delayFor(1000);
});
tap.test('TLS Certificate Validation - STARTTLS certificate check', async (tools) => {
const done = tools.defer();
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
let dataBuffer = '';
let step = 'greeting';
socket.on('data', (data) => {
dataBuffer += data.toString();
console.log('Server response:', data.toString());
if (step === 'greeting' && dataBuffer.includes('220 ')) {
step = 'ehlo';
socket.write('EHLO testclient\r\n');
dataBuffer = '';
} else if (step === 'ehlo' && dataBuffer.includes('250')) {
const supportsStarttls = dataBuffer.toLowerCase().includes('starttls');
console.log('STARTTLS supported:', supportsStarttls);
if (supportsStarttls) {
step = 'starttls';
socket.write('STARTTLS\r\n');
dataBuffer = '';
} else {
console.log('STARTTLS not supported, testing plain connection');
socket.write('QUIT\r\n');
socket.end();
done.resolve();
}
} else if (step === 'starttls' && dataBuffer.includes('220')) {
console.log('Ready to start TLS');
// Upgrade to TLS
const tlsOptions = {
socket: socket,
rejectUnauthorized: false, // For self-signed certificates in testing
requestCert: true
};
const tlsSocket = tls.connect(tlsOptions);
tlsSocket.on('secureConnect', () => {
console.log('TLS connection established');
// Get certificate information
const cert = tlsSocket.getPeerCertificate();
console.log('Certificate present:', !!cert);
if (cert && Object.keys(cert).length > 0) {
console.log('Certificate subject:', cert.subject);
console.log('Certificate issuer:', cert.issuer);
console.log('Certificate valid from:', cert.valid_from);
console.log('Certificate valid to:', cert.valid_to);
// Check certificate validity
const now = new Date();
const validFrom = new Date(cert.valid_from);
const validTo = new Date(cert.valid_to);
const isValid = now >= validFrom && now <= validTo;
console.log('Certificate currently valid:', isValid);
expect(true).toEqual(true); // Certificate present
}
// Test EHLO over TLS
tlsSocket.write('EHLO testclient\r\n');
});
tlsSocket.on('data', (data) => {
const response = data.toString();
console.log('TLS response:', response);
if (response.includes('250')) {
console.log('EHLO over TLS successful');
expect(true).toEqual(true);
tlsSocket.write('QUIT\r\n');
tlsSocket.end();
done.resolve();
}
});
tlsSocket.on('error', (err) => {
console.error('TLS error:', err);
done.reject(err);
});
}
});
socket.on('error', (err) => {
console.error('Socket error:', err);
done.reject(err);
});
await done.promise;
});
tap.test('TLS Certificate Validation - Direct TLS connection', async (tools) => {
const done = tools.defer();
// Try connecting with TLS directly (implicit TLS)
const tlsOptions = {
host: 'localhost',
port: TEST_PORT,
rejectUnauthorized: false,
timeout: 30000
};
const socket = tls.connect(tlsOptions);
socket.on('secureConnect', () => {
console.log('Direct TLS connection established');
const cert = socket.getPeerCertificate();
if (cert && Object.keys(cert).length > 0) {
console.log('Certificate found on direct TLS connection');
expect(true).toEqual(true);
}
socket.end();
done.resolve();
});
socket.on('error', (err) => {
// Direct TLS might not be supported, try plain connection
console.log('Direct TLS not supported, this is expected for STARTTLS servers');
expect(true).toEqual(true);
done.resolve();
});
socket.on('timeout', () => {
console.log('Direct TLS connection timeout');
socket.destroy();
done.resolve();
});
await done.promise;
});
tap.test('TLS Certificate Validation - Certificate verification with strict mode', async (tools) => {
const done = tools.defer();
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
let dataBuffer = '';
let step = 'greeting';
socket.on('data', (data) => {
dataBuffer += data.toString();
console.log('Server response:', data.toString());
if (step === 'greeting' && dataBuffer.includes('220 ')) {
step = 'ehlo';
socket.write('EHLO testclient\r\n');
dataBuffer = '';
} else if (step === 'ehlo' && dataBuffer.includes('250')) {
if (dataBuffer.toLowerCase().includes('starttls')) {
step = 'starttls';
socket.write('STARTTLS\r\n');
dataBuffer = '';
} else {
socket.write('QUIT\r\n');
socket.end();
done.resolve();
}
} else if (step === 'starttls' && dataBuffer.includes('220')) {
// Try with strict certificate verification
const tlsOptions = {
socket: socket,
rejectUnauthorized: true, // Strict mode
servername: 'localhost' // For SNI
};
const tlsSocket = tls.connect(tlsOptions);
tlsSocket.on('secureConnect', () => {
console.log('TLS connection with strict verification successful');
const authorized = tlsSocket.authorized;
console.log('Certificate authorized:', authorized);
if (!authorized) {
console.log('Authorization error:', tlsSocket.authorizationError);
}
expect(true).toEqual(true); // Connection established
tlsSocket.write('QUIT\r\n');
tlsSocket.end();
done.resolve();
});
tlsSocket.on('error', (err) => {
console.log('Certificate verification error (expected for self-signed):', err.message);
expect(true).toEqual(true); // Error is expected for self-signed certificates
socket.end();
done.resolve();
});
}
});
socket.on('error', (err) => {
console.error('Socket error:', err);
done.reject(err);
});
await done.promise;
});
tap.test('TLS Certificate Validation - Cipher suite information', async (tools) => {
const done = tools.defer();
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
let dataBuffer = '';
let step = 'greeting';
socket.on('data', (data) => {
dataBuffer += data.toString();
console.log('Server response:', data.toString());
if (step === 'greeting' && dataBuffer.includes('220 ')) {
step = 'ehlo';
socket.write('EHLO testclient\r\n');
dataBuffer = '';
} else if (step === 'ehlo' && dataBuffer.includes('250')) {
if (dataBuffer.toLowerCase().includes('starttls')) {
step = 'starttls';
socket.write('STARTTLS\r\n');
dataBuffer = '';
} else {
socket.write('QUIT\r\n');
socket.end();
done.resolve();
}
} else if (step === 'starttls' && dataBuffer.includes('220')) {
const tlsOptions = {
socket: socket,
rejectUnauthorized: false
};
const tlsSocket = tls.connect(tlsOptions);
tlsSocket.on('secureConnect', () => {
console.log('TLS connection established');
// Get cipher information
const cipher = tlsSocket.getCipher();
if (cipher) {
console.log('Cipher name:', cipher.name);
console.log('Cipher version:', cipher.version);
console.log('Cipher standardName:', cipher.standardName);
}
// Get protocol version
const protocol = tlsSocket.getProtocol();
console.log('TLS Protocol:', protocol);
// Verify modern TLS version
expect(['TLSv1.2', 'TLSv1.3']).toContain(protocol);
tlsSocket.write('QUIT\r\n');
tlsSocket.end();
done.resolve();
});
tlsSocket.on('error', (err) => {
console.error('TLS error:', err);
done.reject(err);
});
}
});
socket.on('error', (err) => {
console.error('Socket error:', err);
done.reject(err);
});
await done.promise;
});
tap.test('cleanup - stop test server', async () => {
await stopTestServer(testServer);
});
export default tap.start();

332
test/suite/smtpserver_security/test.sec-10.header-injection-prevention.ts Normal file
View File

@@ -0,0 +1,332 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as plugins from '../../../ts/plugins.ts';
import * as net from 'net';
import { startTestServer, stopTestServer } from '../../helpers/server.loader.ts'
import type { ITestServer } from '../../helpers/server.loader.ts';
const TEST_PORT = 2525;
let testServer: ITestServer;
tap.test('setup - start test server', async (toolsArg) => {
testServer = await startTestServer({ port: TEST_PORT });
await toolsArg.delayFor(1000);
});
tap.test('Header Injection Prevention - CRLF injection in headers', async (tools) => {
const done = tools.defer();
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
let dataBuffer = '';
let step = 'greeting';
socket.on('data', (data) => {
dataBuffer += data.toString();
console.log('Server response:', data.toString());
if (step === 'greeting' && dataBuffer.includes('220 ')) {
step = 'ehlo';
socket.write('EHLO testclient\r\n');
dataBuffer = '';
} else if (step === 'ehlo' && dataBuffer.includes('250')) {
step = 'mail';
socket.write('MAIL FROM:<sender@example.com>\r\n');
dataBuffer = '';
} else if (step === 'mail' && dataBuffer.includes('250')) {
step = 'rcpt';
socket.write('RCPT TO:<recipient@example.com>\r\n');
dataBuffer = '';
} else if (step === 'rcpt' && dataBuffer.includes('250')) {
step = 'data';
socket.write('DATA\r\n');
dataBuffer = '';
} else if (step === 'data' && dataBuffer.includes('354')) {
// Attempt header injection with CRLF sequences
const email = [
`From: sender@example.com`,
`To: recipient@example.com`,
`Subject: Test\r\nBcc: hidden@attacker.com`, // CRLF injection attempt
`Date: ${new Date().toUTCString()}`,
`Message-ID: <header-inject-${Date.now()}@example.com>`,
`X-Custom: normal\r\nX-Injected: malicious`, // Another injection attempt
'',
'This email tests header injection prevention.',
'.',
''
].join('\r\n');
socket.write(email);
dataBuffer = '';
} else if (dataBuffer.includes('250 ') || dataBuffer.includes('550 ')) {
const accepted = dataBuffer.includes('250');
const rejected = dataBuffer.includes('550');
console.log(`Header injection attempt: ${accepted ? 'accepted' : 'rejected'}`);
if (rejected) {
console.log('Header injection prevention active - malicious headers detected');
}
expect(accepted || rejected).toEqual(true);
socket.write('QUIT\r\n');
socket.end();
done.resolve();
}
});
socket.on('error', (err) => {
console.error('Socket error:', err);
done.reject(err);
});
await done.promise;
});
tap.test('Header Injection Prevention - Command injection in MAIL FROM', async (tools) => {
const done = tools.defer();
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
let dataBuffer = '';
let step = 'greeting';
socket.on('data', (data) => {
dataBuffer += data.toString();
console.log('Server response:', data.toString());
if (step === 'greeting' && dataBuffer.includes('220 ')) {
step = 'ehlo';
socket.write('EHLO testclient\r\n');
dataBuffer = '';
} else if (step === 'ehlo' && dataBuffer.includes('250')) {
step = 'mail';
// Attempt command injection in MAIL FROM
socket.write('MAIL FROM:<test@example.com> SIZE=1000\r\nRCPT TO:<hidden@attacker.com>\r\n');
dataBuffer = '';
} else if (step === 'mail') {
// Server should reject or handle this properly
const properResponse = dataBuffer.includes('250') ||
dataBuffer.includes('501') ||
dataBuffer.includes('500');
console.log('Command injection attempt handled');
expect(properResponse).toEqual(true);
socket.write('QUIT\r\n');
socket.end();
done.resolve();
}
});
socket.on('error', (err) => {
console.error('Socket error:', err);
done.reject(err);
});
await done.promise;
});
tap.test('Header Injection Prevention - HTML/Script injection in body', async (tools) => {
const done = tools.defer();
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
let dataBuffer = '';
let step = 'greeting';
socket.on('data', (data) => {
dataBuffer += data.toString();
console.log('Server response:', data.toString());
if (step === 'greeting' && dataBuffer.includes('220 ')) {
step = 'ehlo';
socket.write('EHLO testclient\r\n');
dataBuffer = '';
} else if (step === 'ehlo' && dataBuffer.includes('250')) {
step = 'mail';
socket.write('MAIL FROM:<sender@example.com>\r\n');
dataBuffer = '';
} else if (step === 'mail' && dataBuffer.includes('250')) {
step = 'rcpt';
socket.write('RCPT TO:<recipient@example.com>\r\n');
dataBuffer = '';
} else if (step === 'rcpt' && dataBuffer.includes('250')) {
step = 'data';
socket.write('DATA\r\n');
dataBuffer = '';
} else if (step === 'data' && dataBuffer.includes('354')) {
// Email with HTML/Script content
const email = [
`From: sender@example.com`,
`To: recipient@example.com`,
`Subject: HTML Injection Test`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <html-inject-${Date.now()}@example.com>`,
`Content-Type: text/html`,
'',
'<html><body>',
'<h1>Test Email</h1>',
'<script>alert("XSS Attack")</script>',
'<iframe src="http://malicious-site.com"></iframe>',
'Injected-Header: malicious-value', // Attempted header injection in body
'</body></html>',
'.',
''
].join('\r\n');
socket.write(email);
dataBuffer = '';
} else if (dataBuffer.includes('250 ') || dataBuffer.includes('550 ')) {
const accepted = dataBuffer.includes('250');
console.log(`HTML/Script content: ${accepted ? 'accepted (may be sanitized)' : 'rejected'}`);
expect(true).toEqual(true);
socket.write('QUIT\r\n');
socket.end();
done.resolve();
}
});
socket.on('error', (err) => {
console.error('Socket error:', err);
done.reject(err);
});
await done.promise;
});
tap.test('Header Injection Prevention - Null byte injection', async (tools) => {
const done = tools.defer();
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
let dataBuffer = '';
let step = 'greeting';
socket.on('data', (data) => {
dataBuffer += data.toString();
console.log('Server response:', data.toString());
if (step === 'greeting' && dataBuffer.includes('220 ')) {
step = 'ehlo';
socket.write('EHLO testclient\r\n');
dataBuffer = '';
} else if (step === 'ehlo' && dataBuffer.includes('250')) {
step = 'mail';
// Attempt null byte injection
socket.write('MAIL FROM:<sender\x00@example.com>\r\n');
dataBuffer = '';
} else if (step === 'mail') {
// Should be rejected or sanitized
const handled = dataBuffer.includes('250') ||
dataBuffer.includes('501') ||
dataBuffer.includes('550');
console.log('Null byte injection attempt handled');
expect(handled).toEqual(true);
socket.write('QUIT\r\n');
socket.end();
done.resolve();
}
});
socket.on('error', (err) => {
console.error('Socket error:', err);
done.reject(err);
});
await done.promise;
});
tap.test('Header Injection Prevention - Unicode and encoding attacks', async (tools) => {
const done = tools.defer();
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
let dataBuffer = '';
let step = 'greeting';
socket.on('data', (data) => {
dataBuffer += data.toString();
console.log('Server response:', data.toString());
if (step === 'greeting' && dataBuffer.includes('220 ')) {
step = 'ehlo';
socket.write('EHLO testclient\r\n');
dataBuffer = '';
} else if (step === 'ehlo' && dataBuffer.includes('250')) {
step = 'mail';
socket.write('MAIL FROM:<sender@example.com>\r\n');
dataBuffer = '';
} else if (step === 'mail' && dataBuffer.includes('250')) {
step = 'rcpt';
socket.write('RCPT TO:<recipient@example.com>\r\n');
dataBuffer = '';
} else if (step === 'rcpt' && dataBuffer.includes('250')) {
step = 'data';
socket.write('DATA\r\n');
dataBuffer = '';
} else if (step === 'data' && dataBuffer.includes('354')) {
// Unicode tricks and encoding attacks
const email = [
`From: sender@example.com`,
`To: recipient@example.com`,
`Subject: =?UTF-8?B?${Buffer.from('Test\r\nBcc: hidden@attacker.com').toString('base64')}?=`, // Encoded injection
`Date: ${new Date().toUTCString()}`,
`Message-ID: <unicode-inject-${Date.now()}@example.com>`,
`X-Test: \u000D\u000AX-Injected: true`, // Unicode CRLF
'',
'Testing unicode and encoding attacks.',
'\x00\x0D\x0AExtra-Header: injected', // Null byte + CRLF
'.',
''
].join('\r\n');
socket.write(email);
dataBuffer = '';
} else if (dataBuffer.includes('250 ') || dataBuffer.includes('550 ')) {
const result = dataBuffer.includes('250') ? 'accepted' : 'rejected';
console.log(`Unicode/encoding attack: ${result}`);
expect(true).toEqual(true);
socket.write('QUIT\r\n');
socket.end();
done.resolve();
}
});
socket.on('error', (err) => {
console.error('Socket error:', err);
done.reject(err);
});
await done.promise;
});
tap.test('cleanup - stop test server', async () => {
await stopTestServer(testServer);
});
export default tap.start();

363
test/suite/smtpserver_security/test.sec-11.bounce-management.ts Normal file
View File

@@ -0,0 +1,363 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as plugins from '../../../ts/plugins.ts';
import * as net from 'net';
import { startTestServer, stopTestServer } from '../../helpers/server.loader.ts'
import type { ITestServer } from '../../helpers/server.loader.ts';
const TEST_PORT = 2525;
let testServer: ITestServer;
// Helper to wait for SMTP response
const waitForResponse = (socket: net.Socket, expectedCode?: string, timeout = 5000): Promise<string> => {
return new Promise((resolve, reject) => {
let buffer = '';
const timer = setTimeout(() => {
socket.removeListener('data', handler);
reject(new Error(`Timeout waiting for ${expectedCode || 'any'} response`));
}, timeout);
const handler = (data: Buffer) => {
buffer += data.toString();
const lines = buffer.split('\r\n');
for (const line of lines) {
if (expectedCode) {
if (line.startsWith(expectedCode + ' ')) {
clearTimeout(timer);
socket.removeListener('data', handler);
resolve(buffer);
return;
}
} else {
// Look for any complete response
if (line.match(/^\d{3} /)) {
clearTimeout(timer);
socket.removeListener('data', handler);
resolve(buffer);
return;
}
}
}
};
socket.on('data', handler);
});
};
tap.test('setup - start test server', async (toolsArg) => {
testServer = await startTestServer({ port: TEST_PORT });
await toolsArg.delayFor(1000);
});
tap.test('Bounce Management - Invalid recipient domain', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Send EHLO
socket.write('EHLO testclient\r\n');
await waitForResponse(socket, '250');
// Send MAIL FROM
socket.write('MAIL FROM:<sender@example.com>\r\n');
await waitForResponse(socket, '250');
// Send to non-existent domain
socket.write('RCPT TO:<nonexistent@invalid-domain-that-does-not-exist.com>\r\n');
const rcptResponse = await waitForResponse(socket);
if (rcptResponse.startsWith('550') || rcptResponse.startsWith('551') || rcptResponse.startsWith('553')) {
console.log('Bounce management active - invalid recipient properly rejected');
expect(true).toEqual(true);
} else if (rcptResponse.startsWith('250')) {
// Server accepted, may generate bounce later
console.log('Invalid recipient accepted - bounce may be generated later');
// Send DATA
socket.write('DATA\r\n');
await waitForResponse(socket, '354');
const email = [
`From: sender@example.com`,
`To: nonexistent@invalid-domain-that-does-not-exist.com`,
`Subject: Bounce Management Test`,
`Return-Path: <bounce@example.com>`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <bounce-test-${Date.now()}@example.com>`,
'',
'This email is designed to test bounce management functionality.',
'.',
''
].join('\r\n');
socket.write(email);
const dataResponse = await waitForResponse(socket, '250');
console.log('Email accepted for processing - bounce will be generated');
expect(dataResponse.startsWith('250')).toEqual(true);
}
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('Bounce Management - Empty return path (null sender)', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Send EHLO
socket.write('EHLO testclient\r\n');
await waitForResponse(socket, '250');
// Empty return path (null sender) - used for bounce messages
socket.write('MAIL FROM:<>\r\n');
const mailResponse = await waitForResponse(socket);
if (mailResponse.startsWith('250')) {
console.log('Null sender accepted (for bounce messages)');
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
await waitForResponse(socket, '250');
// Send DATA
socket.write('DATA\r\n');
const dataCommandResponse = await waitForResponse(socket);
if (dataCommandResponse.startsWith('354')) {
// Bounce message format
const email = [
`From: MAILER-DAEMON@example.com`,
`To: recipient@example.com`,
`Subject: Mail delivery failed: returning message to sender`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <bounce-${Date.now()}@example.com>`,
`Auto-Submitted: auto-replied`,
'',
'This message was created automatically by mail delivery software.',
'',
'A message that you sent could not be delivered to one or more recipients.',
'.',
''
].join('\r\n');
socket.write(email);
const dataResponse = await waitForResponse(socket, '250');
console.log('Bounce message with null sender accepted');
expect(dataResponse.startsWith('250')).toEqual(true);
} else if (dataCommandResponse.startsWith('503')) {
// Server rejects DATA for null sender
console.log('Server rejects DATA command for null sender (strict policy)');
expect(dataCommandResponse.startsWith('503')).toEqual(true);
}
} else {
console.log('Null sender rejected');
expect(true).toEqual(true);
}
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('Bounce Management - DSN headers', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Send EHLO
socket.write('EHLO testclient\r\n');
await waitForResponse(socket, '250');
// Send MAIL FROM
socket.write('MAIL FROM:<sender@example.com>\r\n');
await waitForResponse(socket, '250');
// Send RCPT TO
socket.write('RCPT TO:<recipient@example.com>\r\n');
await waitForResponse(socket, '250');
// Send DATA
socket.write('DATA\r\n');
await waitForResponse(socket, '354');
// Email with DSN request headers
const email = [
`From: sender@example.com`,
`To: recipient@example.com`,
`Subject: DSN Test`,
`Return-Path: <bounce-handler@example.com>`,
`Disposition-Notification-To: sender@example.com`,
`Return-Receipt-To: sender@example.com`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <dsn-test-${Date.now()}@example.com>`,
'',
'This email requests delivery status notifications.',
'.',
''
].join('\r\n');
socket.write(email);
const dataResponse = await waitForResponse(socket, '250');
console.log('Email with DSN headers accepted');
expect(dataResponse.startsWith('250')).toEqual(true);
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('Bounce Management - Bounce loop prevention', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Send EHLO
socket.write('EHLO testclient\r\n');
await waitForResponse(socket, '250');
// Null sender (bounce message)
socket.write('MAIL FROM:<>\r\n');
await waitForResponse(socket, '250');
// To another mailer-daemon (potential loop)
socket.write('RCPT TO:<mailer-daemon@another-server.com>\r\n');
const rcptResponse = await waitForResponse(socket);
if (rcptResponse.startsWith('550') || rcptResponse.startsWith('553')) {
console.log('Bounce loop prevented - mailer-daemon recipient rejected');
expect(true).toEqual(true);
} else if (rcptResponse.startsWith('250')) {
console.log('Mailer-daemon recipient accepted - check for loop prevention');
// Send DATA
socket.write('DATA\r\n');
const dataCommandResponse = await waitForResponse(socket);
if (dataCommandResponse.startsWith('354')) {
const email = [
`From: MAILER-DAEMON@example.com`,
`To: mailer-daemon@another-server.com`,
`Subject: Delivery Status Notification (Failure)`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <bounce-loop-${Date.now()}@example.com>`,
`Auto-Submitted: auto-replied`,
`X-Loop: example.com`,
'',
'This is a bounce of a bounce - potential loop.',
'.',
''
].join('\r\n');
socket.write(email);
const dataResponse = await waitForResponse(socket);
const result = dataResponse.startsWith('250') ? 'accepted' : 'rejected';
console.log(`Bounce loop test: ${result}`);
expect(true).toEqual(true);
} else if (dataCommandResponse.startsWith('503')) {
// Server rejects DATA for null sender
console.log('Bounce loop prevented at DATA stage (null sender rejection)');
expect(dataCommandResponse.startsWith('503')).toEqual(true);
}
}
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('Bounce Management - Valid email (control test)', async (tools) => {
const socket = net.createConnection({
host: 'localhost',
port: TEST_PORT,
timeout: 30000
});
try {
// Wait for greeting
await waitForResponse(socket, '220');
// Send EHLO
socket.write('EHLO testclient\r\n');
await waitForResponse(socket, '250');
// Send MAIL FROM
socket.write('MAIL FROM:<sender@example.com>\r\n');
await waitForResponse(socket, '250');
// Send RCPT TO
socket.write('RCPT TO:<valid@example.com>\r\n');
await waitForResponse(socket, '250');
// Send DATA
socket.write('DATA\r\n');
await waitForResponse(socket, '354');
const email = [
`From: sender@example.com`,
`To: valid@example.com`,
`Subject: Valid Email Test`,
`Return-Path: <sender@example.com>`,
`Date: ${new Date().toUTCString()}`,
`Message-ID: <valid-email-${Date.now()}@example.com>`,
'',
'This is a valid email that should not trigger bounce.',
'.',
''
].join('\r\n');
socket.write(email);
const dataResponse = await waitForResponse(socket, '250');
console.log('Valid email accepted - no bounce expected');
expect(dataResponse.startsWith('250')).toEqual(true);
socket.write('QUIT\r\n');
await waitForResponse(socket, '221').catch(() => {});
} finally {
socket.destroy();
}
});
tap.test('cleanup - stop test server', async () => {
await stopTestServer(testServer);
});
export default tap.start();