Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@carlgo11/smtp-server
Advanced tools
A customizable and lightweight SMTP server designed for efficient email handling and extensibility. Built with modularity in mind, this server allows developers to easily integrate custom behavior through event-driven architecture, enabling seamless customization, whether it's for a small-scale personal project or a large-scale production environment.
Highly Customizable: Easily add your own business logic at different stages of the SMTP session. From filtering emails based on sender addresses to validating content before accepting the message, the callback system makes customization intuitive and powerful.
Event-Driven Architecture: Built on top of Node.js’s event model, this server emits events for each SMTP command, providing hooks to control and respond to every aspect of email handling, enabling advanced features like throttling, logging, and monitoring.
Lightweight and Efficient: Designed with performance in mind, the server is capable of handling multiple clients concurrently without heavy resource usage. By using async/await for non-blocking I/O, it ensures that each connection is processed quickly and efficiently.
Secure by Default: With built-in support for secure (TLS) connections, you can enforce STARTTLS
and other security policies to ensure that emails are transmitted safely over the network. The server is designed to be compatible with modern security practices.
Enhanced Status Code Support: Provides support for RFC-compliant enhanced status codes, making it easier to diagnose and handle issues related to email delivery.
Developer-Friendly: Comes with comprehensive examples and detailed documentation to help you quickly set up the server, understand how it works, and start customizing it for your specific needs. Whether you’re developing a new email processing system, integrating with an existing application, or learning about SMTP, this server makes it easy.
This SMTP server is perfect for:
The server begins by listening for incoming SMTP connections and provides hooks (callbacks) that allow you to manage the session. You have full control over each stage:
EHLO
, MAIL FROM
, RCPT TO
, DATA
—is processed. You can validate the content, enforce policies, or even reject messages based on specific conditions.STARTTLS
, allowing clients to upgrade their connection to a secure one. You can choose whether to require or enforce TLS.npm install @carlgo11/smtp-server
To integrate this SMTP server into your project, you can start the server and listen to various events to handle the email flow.
import {SMTPServer, Response} from '@carlgo11/smtp-server';
// Create server instance
const server = new SMTPServer({
tlsOptions: {
key: 'key.pem',
cert: 'cert.pem',
},
});
// Define event handlers
server.onConnect((session) => {
console.log(`Client connected: ${session.clientIP}`);
});
server.onEHLO((address, session) => {
console.log(`EHLO received from: ${address}`);
});
// Other hooks or event handlers...
//Start server on port 25
server.listen(25, null,() => {
Logger.info(`SMTP Server listening on ${context.port}`);
});
The SMTP server provides several hooks (callbacks) that you can implement to manage different stages of an SMTP session. Each callback corresponds to a specific phase of the email transfer process:
Hooks (callbacks) offer you to intervene during an event (such as EHLO) and pass or reject a client's request. The downside to this is that the server will freeze the conversation with the client until your code returns. All hooks support Promises (async/await).
Hook Name | Arguments | Description |
---|---|---|
onConnect | session | Triggered when a client connects to the server. |
onDisconnect | session | Triggered when a client disconnects from the server. |
onEHLO | address, session | Triggered when the server receives the EHLO command. |
onSecure | session | Triggered when a client initiates a STARTTLS connection. |
onMAILFROM | address, session | Triggered when the MAIL FROM command is issued. |
onRCPTTO | address, session | Triggered when the RCPT TO command is issued. |
onDATA | message, session | Triggered when the DATA phase begins. |
Here's a basic example of handling an incoming email:
server.onMAILFROM((address, session) => {
// Validate the sender's address
if (address.includes('blacklisted.com')) {
throw new Response('Sender address rejected', 550, [5, 7, 1]);
}
// You can return true if you want the server to send a default message.
return true;
});
server.onRCPTTO(async (address, session) => {
// Check if recipient is allowed
const allowed = await isAllowedRecipient(address);
if (!allowed) {
throw new Repsonse('Recipient does not exist', 550, [5, 1, 1]);
}
// If you return a Response, the default message is overwritten
return new Response('${address} OK', 250, [2, 1, 5])
});
Using events allows you to parse session events without freezing the client-server conversation. This is useful if you don't expect to reject a message, but just parse and store it.
Event Name | Arguments | Description |
---|---|---|
CONNECT | session | Emitted when a client connects. |
disconnect | session | Emitted when a client disconnects. |
secure | session | Emitted when a STARTTLS connection is established. |
command | session, message | Emitted for every incoming command. |
EHLO | session, domain | Emitted when EHLO command is received. |
MAIL | session, address | Emitted when MAIL FROM command is received. |
RCPT | session, address | Emitted when RCPT TO command is received. |
MESSAGE | session, message | Emitted when the message data is received. |
server.on('connect', (session) => {
console.log(`${session.clientIP} connected.`);
});
server.on('MAIL', (session, address) => {
console.log(`${session.id} set sender address to ${address}`);
});
The server supports customization by passing options directly to the server constructor. Below are some common configuration options:
port
: (Number) The port on which the server should listen (default is 25
).tlsOptions
: (Object) Options for TLS setup. Allowed values are the TLSSocket options.maxMessageSize
: (Number) Maximum allowed size of an email message.greeting
: (String) The greeting part of SMTP status codes. (default is the computer hostname).By default, the server provides basic logging of connections, disconnections, and commands received. You can enhance the logging by listening to events and writing custom log handlers.
Contributions are welcome! If you'd like to contribute:
This project is licensed under the GPLv3 License. See the LICENSE file for more information.
FAQs
Simple lightweight SMTP server written in Node.js
We found that @carlgo11/smtp-server demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.