UNPKG

mailauth

Version:

Email authentication library for Node.js

github.com/postalsys/mailauth

postalsys/mailauth

376 lines (321 loc) 13.3 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
'use strict'; const { spfVerify } = require('./spf-verify'); const os = require('node:os'); const dns = require('node:dns'); const libmime = require('libmime'); const Joi = require('joi'); const domainSchema = Joi.string().domain({ allowUnicode: false, tlds: false }); const { formatAuthHeaderRow, escapeCommentValue } = require('../tools'); const MAX_RESOLVE_COUNT = 10; const MAX_VOID_COUNT = 2; const formatHeaders = result => { let header = `Received-SPF: ${result.status.result}${result.status.comment ? ` (${escapeCommentValue(result.status.comment)})` : ''} client-ip=${ result['client-ip'] };`; return libmime.foldLines(header, 160); }; /** * Dual-stack DNS resolver for SPF A/AAAA mechanism queries * * When evaluating A or AAAA mechanisms, both record types should be considered * to determine if a lookup is "void" (empty). This prevents incorrectly counting * IPv4-only or IPv6-only hosts as void lookups. * * Behavior: * - Queries both A and AAAA records in parallel (optimization) * - Only counts as void if BOTH A and AAAA return ENOTFOUND/ENODATA * - Real errors (ETIMEOUT, EREFUSED) for the client's IP type are propagated * - Returns only the records matching the client's IP type (IPv4 → A, IPv6 → AAAA) * * Example: IPv6 client checking an IPv4-only host * - A query returns: 192.0.2.1 * - AAAA query returns: ENODATA (empty) * - Result: Returns empty AAAA array (no match), but does NOT count as void * * @param {Function} resolver - Base DNS resolver function * @param {String} domain - Domain to query * @param {Object} opts - Options object with clientIpType (4 or 6) * @returns {Promise<Array>} - Array of IP addresses matching client type * @throws {Error} - Throws on real DNS errors or when both A and AAAA are void */ let dualStackResolver = async (resolver, domain, opts) => { const isIPv6 = opts.clientIpType === 6; // Query both A and AAAA records in parallel for efficiency const [aResult, aaaaResult] = await Promise.allSettled([resolver(domain, 'A'), resolver(domain, 'AAAA')]); // Extract successful records and error details const aRecords = aResult.status === 'fulfilled' ? aResult.value : []; const aError = aResult.status === 'rejected' ? aResult.reason : null; const aaaaRecords = aaaaResult.status === 'fulfilled' ? aaaaResult.value : []; const aaaaError = aaaaResult.status === 'rejected' ? aaaaResult.reason : null; // Classify errors: void (no records exist) vs real (DNS server error) // Void errors: ENOTFOUND (no such domain), ENODATA (domain exists but no records) const aIsVoid = aError && (aError.code === 'ENOTFOUND' || aError.code === 'ENODATA'); const aaaaIsVoid = aaaaError && (aaaaError.code === 'ENOTFOUND' || aaaaError.code === 'ENODATA'); // Propagate real DNS errors for the record type matching the client's IP family // IPv6 client: throw AAAA errors (except void), ignore A errors if (isIPv6 && aaaaError && !aaaaIsVoid) { throw aaaaError; } // IPv4 client: throw A errors (except void), ignore AAAA errors if (!isIPv6 && aError && !aIsVoid) { throw aError; } // Only throw void error if BOTH record types are void // This prevents single-stack hosts from being counted as void lookups if (aIsVoid && aaaaIsVoid) { // Prefer the error matching client IP type for better error messages let voidError = isIPv6 ? aaaaError || aError : aError || aaaaError; throw voidError; } // Return only the records matching the client's IP type // Empty arrays are valid (host exists but doesn't match client IP type) return isIPv6 ? aaaaRecords : aRecords; }; /** * Creates a rate-limited DNS resolver with SPF-specific constraints * * SPF evaluation must enforce limits to prevent DoS: * - Maximum 10 DNS lookups per SPF check (mechanisms that trigger DNS: a, mx, ptr, exists, include, redirect) * - Maximum 2 "void" lookups (queries returning no records) * Mailauth allows to configure both if different limits are required. * * @param {Function} resolver - Base DNS resolver function (e.g., dns.promises.resolve) * @param {Number} maxResolveCount - Maximum DNS lookups allowed (default: 10) * @param {Number} maxVoidCount - Maximum void lookups allowed (default: 2) * @param {Boolean} ignoreFirst - If true, don't count the first DNS lookup (used for initial TXT record fetch) * @returns {Function} - Rate-limited resolver function with signature: (domain, type, opts) => Promise<Array> */ let limitedResolver = (resolver, maxResolveCount, maxVoidCount, ignoreFirst) => { let resolveCount = 0; let voidCount = 0; let subResolveCounts = {}; let firstCounted = !ignoreFirst; maxResolveCount = maxResolveCount || MAX_RESOLVE_COUNT; maxVoidCount = maxVoidCount || MAX_VOID_COUNT; let resolverFunc = async (domain, type, opts) => { // Increment DNS lookup counter // Note: Dual-stack queries (A+AAAA) still count as 1 lookup if (firstCounted) { resolveCount++; } else { firstCounted = true; } // Enforce maximum DNS lookup limit if (resolveCount > maxResolveCount) { let error = new Error('Too many DNS requests'); error.spfResult = { error: 'permerror', text: 'Too many DNS requests' }; throw error; } // Validate domain name format before querying // This is a lenient check to pass test suites and prevent obvious invalid queries try { if (!/^([\x20-\x2D\x2f-\x7e]+\.)+[a-z]+[a-z\-0-9]*$/i.test(domain)) { throw new Error('Failed to validate domain'); } } catch (err) { err.spfResult = { error: 'permerror', text: `Invalid domain ${domain}` }; throw err; } // Execute DNS query with dual-stack optimization for A/AAAA queries try { // Use dual-stack resolver when: // 1. Query type is A or AAAA (address lookups) // 2. Client IP type is provided (4 for IPv4, 6 for IPv6) // This prevents single-stack hosts from being counted as void lookups if (opts?.clientIpType && (type === 'A' || type === 'AAAA')) { return await dualStackResolver(resolver, domain, opts); } else { // Standard single-query resolution for other record types (TXT, MX, PTR, etc.) and A if no client info provided. return await resolver(domain, type); } } catch (err) { switch (err.code) { case 'ENOTFOUND': // Domain does not exist case 'ENODATA': { // Domain exists but has no records of this type // Increment void lookup counter voidCount++; if (voidCount > maxVoidCount) { err.spfResult = { error: 'permerror', text: 'Too many void DNS results' }; throw err; } // Return empty array to continue SPF evaluation return []; } case 'ETIMEOUT': // DNS server timeout - temporary error err.spfResult = { error: 'temperror', text: 'DNS timeout' }; throw err; case 'EREFUSED': // DNS server refused query - temporary error err.spfResult = { error: 'temperror', text: `DNS request refused by server when resolving ${domain}` }; throw err; default: // Unknown error - propagate as-is throw err; } } }; resolverFunc.updateSubQueries = (type, count) => { if (!subResolveCounts[type]) { subResolveCounts[type] = count; } else { subResolveCounts[type] += count; } }; resolverFunc.getResolveCount = () => resolveCount; resolverFunc.getResolveLimit = () => maxResolveCount; resolverFunc.getSubResolveCounts = () => subResolveCounts; resolverFunc.getVoidCount = () => voidCount; return resolverFunc; }; /** * * @param {Object} opts * @param {String} opts.sender Email address * @param {String} opts.ip Client IP address * @param {String} opts.helo Client EHLO/HELO hostname * @param {String} [opts.mta] Hostname of the MTA or MX server that processes the message * @param {String} [opts.maxResolveCount=10] Maximum DNS lookups allowed * @param {String} [opts.maxVoidCount=2] Maximum empty DNS lookups allowed */ const verify = async opts => { let { sender, ip, helo, mta, maxResolveCount, maxVoidCount, resolver } = opts || {}; mta = mta || os.hostname(); sender = sender || `postmaster@${helo}`; // convert mapped IPv6 IP addresses to IPv4 let mappingMatch = (ip || '').toString().match(/^[:A-F]+:((\d+\.){3}\d+)$/i); if (mappingMatch) { ip = mappingMatch[1]; } let atPos = sender.indexOf('@'); if (atPos < 0) { sender = `postmaster@${sender}`; } else if (atPos === 0) { sender = `postmaster${sender}`; } let domain = sender.split('@').pop().toLowerCase().trim() || '-'; resolver = resolver || dns.promises.resolve; let status = { result: 'neutral', comment: false, // ptype properties smtp: { mailfrom: sender, helo } }; let verifyResolver = limitedResolver(resolver, maxResolveCount, maxVoidCount, true); let result; try { let validation = domainSchema.validate(domain); if (validation.error) { let err = validation.error; err.spfResult = { error: 'none', text: `Invalid domain ${domain}` }; throw err; } result = await spfVerify(domain, { sender, ip, mta, helo, // generate DNS handler resolver: verifyResolver, // allow to create sub resolvers createSubResolver: () => limitedResolver(resolver, maxResolveCount, maxVoidCount) }); } catch (err) { if (err.spfResult) { result = err.spfResult; } else { result = { error: 'temperror', text: err.message }; } } if (result && typeof result === 'object') { result.lookups = { limit: verifyResolver.getResolveLimit(), count: verifyResolver.getResolveCount(), void: verifyResolver.getVoidCount(), subqueries: verifyResolver.getSubResolveCounts() }; } let response = { domain, 'client-ip': ip }; if (helo) { response.helo = helo; } if (sender) { response['envelope-from'] = sender; } result = result || { // default is neutral qualifier: '?' }; switch (result.qualifier || result.error) { // qualifiers case '+': status.result = 'pass'; status.comment = `${mta}: domain of ${sender} designates ${ip} as permitted sender`; break; case '~': status.result = 'softfail'; status.comment = `${mta}: domain of transitioning ${sender} does not designate ${ip} as permitted sender`; break; case '-': status.result = 'fail'; status.comment = `${mta}: domain of ${sender} does not designate ${ip} as permitted sender`; break; case '?': status.result = 'neutral'; status.comment = `${mta}: ${ip} is neither permitted nor denied by domain of ${sender}`; break; // errors case 'none': status.result = 'none'; status.comment = `${mta}: ${domain} does not designate permitted sender hosts`; break; case 'permerror': status.result = 'permerror'; status.comment = `${mta}: permanent error in processing during lookup of ${sender}${result.text ? `: ${result.text}` : ''}`; break; case 'temperror': default: status.result = 'temperror'; status.comment = `${mta}: error in processing during lookup of ${sender}${result.text ? `: ${result.text}` : ''}`; break; } if (result.rr) { response.rr = result.rr; } response.status = status; response.header = formatHeaders(response); response.info = formatAuthHeaderRow('spf', status); if (typeof response.status.comment === 'boolean') { delete response.status.comment; } if (result.lookups) { response.lookups = result.lookups; } return response; }; module.exports = { spf: verify };