Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Haraka is a highly scalable node.js email server with a modular plugin architecture. Haraka can serve thousands of concurrent connections and deliver thousands of messages per second. Haraka and plugins are written in asynchronous JS and are very fast.
Haraka has very good spam protection (see plugins) and works well as a filtering MTA. It also works well as a MSA running on port 587 with auth and dkim_sign plugins enabled.
Haraka makes no attempt to be a mail store (like Exchange or Postfix/Exim/Qmail), a LDA, nor an IMAP server (like Dovecot or Courier). Haraka is typically used with such systems.
Haraka has a scalable outbound mail delivery engine built in. Mail
marked as relaying
(such as via an auth
plugin) is automatically
queued for outbound delivery.
Haraka's plugin architecture provides an easily extensible MTA that complements traditional MTAs that excel at managing mail stores but do not have sufficient filtering.
The plugin system makes it easy to code new features. A typical example
is providing qmail-like extended addresses to an Exchange system,
whereby you could receive mail as user-anyword@domain.com
, and yet
still have it correctly routed to user@domain.com
. This is a few lines of
code in Haraka.
Plugins are provided for running mail through SpamAssassin, validating HELO names, checking DNS Blocklists, and many others.
Haraka requires node.js to run. Install Haraka with npm:
# If the second command gives "nobody" errors, uncomment & run the next command
# npm -g config set user root
npm install -g Haraka
After installation, use the haraka
binary to set up the service.
First, create the service:
haraka -i /path/to/haraka_test
That creates the directory haraka_test
with config
and plugin
directories within. It also sets the host name used by Haraka
to the output of hostname
.
If hostname
is not correct, edit config/host_list
. For example,
to receive mail addressed to user@domain.com
, add domain.com
to the
config/host_list
file.
Finally, start Haraka using root permissions:
haraka -c /path/to/haraka_test
And it will run.
To choose which plugins run, edit config/plugins
. Plugins control the
overall behaviour of Haraka. By default, only messages to domains listed
in config/host_list
will be accepted and then delivered via the
smtp-forward
plugin. Configure the destination in config/smtp_forward.ini
.
haraka -h plugins/$name
The docs detail how each plugin is configured. After editing
config/plugins
, restart Haraka and enjoy!
If you are unable to use npm to install Haraka, you can run from git by following these steps:
First clone the repository:
$ git clone https://github.com/haraka/Haraka.git
$ cd Haraka
Install Haraka's node.js dependencies locally:
$ npm install
Edit config/plugins
and config/smtp.ini
to specify the plugins and
config you want.
Finally run Haraka:
$ node haraka.js
Haraka is MIT licensed - see the LICENSE file for details.
Haraka is a project started by Matt Sergeant, a 10 year veteran of the email and anti-spam world. Previous projects have been the project leader for SpamAssassin and a hacker on Qpsmtpd.
FAQs
An SMTP Server project.
The npm package Haraka receives a total of 1,346 weekly downloads. As such, Haraka popularity was classified as popular.
We found that Haraka demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.