connection.relaying = true #4
Description
I'm one of the Haraka committers and I just stumbled across your plugin.
In your plugin you're setting connection.relaying = true to force the use of Haraka's outbound module to deliver the mail to the aliases destination address. Whilst this might work, it's wrong to do it like this because you can easily create a security hole if your hook_rcpt function return's next() for any reason.
Your plugin is OK because it does a next(DENY) if the alias doesn't match, but if someone customized this, they could easily create this issue.
connection.relaying is a connection level variable, meaning once it is set - it persists across the lifetime of the connection.
The 'correct' way to do this is to remove the connection.relaying = true line and then add yourself a custom queue hook which does this:
var outbound = require('./outbound');
var constants = require('./constants');
exports.hook_queue = function (next, connection) {
var txn = connection.transaction;
outbound.send_email(txn, function(retval, msg) {
switch(retval) {
case constants.ok:
return next(OK, msg);
break;
case constants.deny:
return next(DENY, msg);
break;
default:
return next(DENYSOFT, msg);
}
});
}
That way you can safely fall through hook_rcpt with next() without creating an open relay.