我正在Haraka建立一个需要tls认证的应用程序。我使用命令
生成了.pem文件tls_cert.pem和tls_key.pemopenssl req -x509 -nodes -days 2190 -newkey rsa:1024 -keyout config/tls_key.pem -out config/tls_cert.pem
# default list of plugins
# Log to syslog (disabled by default, see docs)
#log.syslog
# block mails from known bad hosts (see config/dnsbl.zones for the DNS zones queried)
#dnsbl
# Check mail headers are valid
data.rfc5322_header_checks
# block mail from some known bad HELOs - see config/helo.checks.ini for configuration
#helo.checks
# control which "MAIL FROM" addresses you accept. See docs.
#mail_from.access
# Only accept mail where the MAIL FROM domain is resolvable to an MX record
#mail_from.is_resolvable
# Disconnect client if they spew bad SMTP commands at us
#max_unrecognized_commands
# control which "RCPT TO" addresses you reject. See docs.
#rcpt_to.access
# Only accept mail for your personal list of hosts. Edit config/host_list
# NOTE: THIS IS REQUIRED for inbound email.
rcpt_to.in_host_list
# Queue mail via smtp - see config/smtp_forward.ini for where your mail goes
#queue/smtp_forward
##### Custom Plugins ####
javascript/fooBar
tls
javascript / fooBar是我在coffeescript中编写的自定义插件,编译成js文件,意味着它映射到plugins / javascript / Mx25OutBoundActions.js
以下是plugins / javascript / fooBar.js
的内容(function() {
var DataBase, Password, User, database;
DataBase = require('./dataBase');
database = new DataBase();
User = null;
Password = null;
exports.hook_lookup_rdns = function(next, conn) {
return next(OK, '');
};
exports.hook_connect = function(next, conn, params) {
conn.remote_host = '';
return next(CONT, "The MX25 SMTP API is now ready.");
};
exports.register = function() {
this.loginfo('Test');
return this.inherits('auth/auth_base');
};
exports.hook_capablities = function(next, conn) {
var methods;
this.loginfo('Hello');
conn.capabilities.push('STARTTLS');
conn.notes.tls_enabled = 1;
if (conn.using_tls) {
this.loginfo('Connection Secure');
methods = ['PLAIN', 'LOGIN'];
conn.capabilities.push("AUTH " + (methods.join(' ')));
conn.notes.allowed_auth_methods = methods;
return next();
} else {
this.loginfo('Connection not secure');
return next(DENY, '5.7.1 Secure connection required');
}
};
exports.get_plain_passwd = function(user, cb) {
this.loginfo('*********');
this.loginfo(user);
this.loginfo('*********');
return cb(user);
};
exports.check_plain_passwd = function(conn, user, passwd, cb) {
this.loginfo("Hello!");
database.query('SELECT * FROM domains', function(error, results) {
var Password, User, flag, i, _i, _ref;
if (error == null) {
flag = 0;
for (i = _i = 0, _ref = results.length; 0 <= _ref ? _i <= _ref : _i >= _ref; i = 0 <= _ref ? ++_i : --_i) {
if (user === results[i].address && passwd === results[i].outbound_password) {
flag = 1;
break;
}
}
if (flag === 1) {
User = user;
Password = passwd;
return cb(true);
} else {
console.log('User not authenticated');
return next(DENY, '5.7.1 Invalid authentication credentials provided');
}
} else {
console.log("Error: ${error}.");
}
});
return cb(true);
};
});.call(this);
运行时遇到问题。 Haraka启动很好,但是当我运行命令时
swaks -f test@test.com -t myemail@gmail.com -s localhost -p 587 -au testname -ap t3$tPassword
在另一个议会中,我发现了swaks的错误
*** Host did not advertise authentication
Haraka的输出看起来像
[NOTICE] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] connect ip=::1 port=64243 local_ip=:: local_port=587
[DEBUG] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] running lookup_rdns hooks
[DEBUG] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] running lookup_rdns hook in javascript/fooBar plugin
[INFO] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] hook=lookup_rdns plugin=javascript/fooBar function=hook_lookup_rdns params="" retval=OK msg=""
[DEBUG] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] running connect hooks
[DEBUG] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] running connect hook in javascript/fooBar plugin
[DEBUG] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] hook=connect plugin=javascript/fooBar function=hook_connect params="" retval=CONT msg="The MX25 SMTP API is now ready."
[PROTOCOL] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] S: 220 The MX25 SMTP API is now ready.
[PROTOCOL] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] C: EHLO richardas-mac-mini.local state=1
[DEBUG] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] running ehlo hooks
[DEBUG] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] running capabilities hooks
[DEBUG] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] running capabilities hook in javascript/fooBar plugin
[DEBUG] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] hook=capabilities plugin=javascript/fooBar function=hook_capabilities params="" retval=CONT msg=""
[DEBUG] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] running capabilities hook in tls plugin
[DEBUG] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] hook=capabilities plugin=tls function=hook_capabilities params="" retval=CONT msg=""
[PROTOCOL] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] S: 250-outbound.mx25.net Hello [::1], Haraka is at your service.
[PROTOCOL] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] S: 250-PIPELINING
[PROTOCOL] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] S: 250-8BITMIME
[PROTOCOL] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] S: 250-SIZE 500000
[PROTOCOL] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] S: 250 STARTTLS
[PROTOCOL] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] C: QUIT state=1
[DEBUG] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] running quit hooks
[PROTOCOL] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] S: 221 outbound.mx25.net closing connection. Have a jolly good day.
[DEBUG] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] running disconnect hooks
[NOTICE] [3D27FD1C-B94A-4271-84EB-460B32598491] [core] disconnect ip=::1 rdns="" helo="richardas-mac-mini.local" relay=N early=N esmtp=Y tls=N pipe=N txns=0 rcpts=0/0/0 msgs=0/0/0 bytes=0 lr="" time=0.008
我迷失在这里。我已经仔细研究了Haraka关于这个主题的所有文档,以及我找到的源代码和几个示例项目。 Haraka为什么不授权我的身份验证呢?
修改
我有验证码。我最初没有包含它,因为我认为它与错误无关。即使它包括Haraka输出完全相同,并且函数的第一行中的this.loginfo调用不会出现。 Swaks产生的错误和输出也完全相同。在我把它包括在内之后读了Matt's。为了仔细检查这一点,我还尝试在exports.check_plain_passwd中注释掉所有代码,并且在所有情况下都返回了cb(true)。没有改变。我得到了相同的输出和相同的错误。
答案 0 :(得分:3)
您要尝试的第一件事是在调用-tls时使用swaks。在服务器日志中,我看到它通告STARTTLS(并且不通告AUTH),但客户端立即退出而不是协商TLS。如果存在真正的问题,这会将其隐藏起来。
答案 1 :(得分:2)
看起来你正在尝试添加身份验证而不是TLS - 因为你需要一个auth插件,例如auth / flat_file。另外根据TLS文档,它应该首先列在config / plugins文件中(其次是auth / flat_file) - 插件顺序很重要 - 它决定了运行顺序,你希望TLS成为第一件事
这里有关于auth_flat_file的文档:http://haraka.github.io/manual/plugins/auth/flat_file.html