You are viewing a plain text version of this content. The canonical link for it is here.
Posted to server-dev@james.apache.org by "Guillermo Grandes (JIRA)" <se...@james.apache.org> on 2007/01/22 02:23:30 UTC
[jira] Created: (JAMES-768) DoS in MAIL / RCPT without domain
DoS in MAIL / RCPT without domain
---------------------------------
Key: JAMES-768
URL: https://issues.apache.org/jira/browse/JAMES-768
Project: James
Issue Type: Bug
Components: SMTPServer
Environment: James Trunk
Reporter: Guillermo Grandes
Priority: Critical
With each MAIL/RCPT without @Domain... the DomainList grow, grow, grow,... without limit... and log grows and grows still more...
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
Re: [jira] Commented: (JAMES-768) DoS in MAIL / RCPT without domain
Posted by Danny Angus <da...@apache.org>.
I think this only affects the trunk,
I also think it is a side-effect of a revision of Norman's which made
a change to use default domain.
I wonder whether the fix is to change the domain service, or to
*require* the missing config parameters.
Probably both.
d.
On 1/22/07, Guillermo Grandes (JIRA) <se...@james.apache.org> wrote:
>
> [ https://issues.apache.org/jira/browse/JAMES-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12466381 ]
>
> Guillermo Grandes commented on JAMES-768:
> -----------------------------------------
>
> I have added this parameters and... all is right!
>
> <James>
> <defaultDomain>localhost</defaultDomain>
> <helloName autodetect="false">localhost</helloName>
> [.....]
> </James>
>
> :-O
>
> > DoS in MAIL / RCPT without domain
> > ---------------------------------
> >
> > Key: JAMES-768
> > URL: https://issues.apache.org/jira/browse/JAMES-768
> > Project: James
> > Issue Type: Bug
> > Components: SMTPServer
> > Environment: James Trunk
> > Reporter: Guillermo Grandes
> > Priority: Critical
> >
> > With each MAIL/RCPT without @Domain... the DomainList grow, grow, grow,... without limit... and log grows and grows still more...
>
> --
> This message is automatically generated by JIRA.
> -
> If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
> -
> For more information on JIRA, see: http://www.atlassian.com/software/jira
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> For additional commands, e-mail: server-dev-help@james.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
Re: [jira] Assigned: (JAMES-768) DoS in MAIL / RCPT without domain
Posted by Danny Angus <da...@apache.org>.
thanks :-)
I think its actually a problem with the domain service's unconditional
"add" methods rather than your change, which just uncovered it.
On 1/22/07, Norman Maurer (JIRA) <se...@james.apache.org> wrote:
> I will take care...
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
[jira] Commented: (JAMES-768) DoS in MAIL / RCPT without domain
Posted by "Guillermo Grandes (JIRA)" <se...@james.apache.org>.
[ https://issues.apache.org/jira/browse/JAMES-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12466376 ]
Guillermo Grandes commented on JAMES-768:
-----------------------------------------
How-To Reproduce:
Telnet localhost 25
HELO x
MAIL FROM: <x>
RCPT TO: <n1>
RCPT TO: <n2>
RCPT TO: <n...10>
In the 10th RCPT the domainlist it has grown up to 40 elements, and log have 220 lines (4 of first RCPT+8 of second+12 of third+16+...+40)
In number 50th it generates more than 5100 lines of logs, in 100th... 20200 lines, little DoS in only seconds.
See log of [domainlist] like this...
2007-01-22 01:33:54,280 INFO [domainlist] Local host is: 10.1.xxx.87
2007-01-22 01:33:54,280 ERROR [domainlist] Cannot get IP address(es) for localhost
2007-01-22 01:33:54,282 INFO [domainlist] Handling mail for: localhost
----------------- this block will be repeated NNNN times -----------------
2007-01-22 01:33:54,283 INFO [domainlist] Handling mail for: 127.0.0.1
2007-01-22 01:33:54,283 INFO [domainlist] Handling mail for: 1xx.xxx.59.200
2007-01-22 01:33:54,283 INFO [domainlist] Handling mail for: 2xx.xxx.231.132
2007-01-22 01:33:54,283 INFO [domainlist] Handling mail for: 10.1.xxx.87
--- repeated ---
2007-01-22 01:33:54,283 INFO [domainlist] Handling mail for: 127.0.0.1
2007-01-22 01:33:54,283 INFO [domainlist] Handling mail for: 1xx.xxx.59.200
2007-01-22 01:33:54,283 INFO [domainlist] Handling mail for: 2xx.xxx.231.132
2007-01-22 01:33:54,283 INFO [domainlist] Handling mail for: 10.1.xxx.87
----------------- this block will be repeated NNNN times -----------------
My config.xml is like this:
<domainnames>
<domainname>localhost</domainname>
<domainname>127.0.0.1</domainname>
<domainname>1xx.xxx.59.200</domainname>
<domainname>2xx.xxx.231.132</domainname>
</domainnames>
<autodetect>false</autodetect>
<autodetectIP>false</autodetectIP>
<!-- DEPRECATED: servernames should be configured in the DomainList instance. See the domainlist -->
<!-- block configuration -->
<!--
<servernames autodetect="true" autodetectIP="true">
<servername>localhost</servername>
</servernames>
-->
Extracted fom /james/server/trunk/src/java/org/apache/james/smtpserver/core/filter/
> MailFilterCmdHandler.java & RcptFilterCmdHandler.java
if (sender.indexOf("@") < 0) {
sender = sender + "@" + session.getConfigurationData().getMailServer().getDefaultDomain();
}
I suppose that the problem must walk this way...
As workarround... I have changed config.xml
<servernames autodetect="false" autodetectIP="false">
<servername>localhost</servername>
</servernames>
And DomainList don't grow, but with each MAIL/RCPT it appears in the Log the following lines:
2007-01-22 02:14:30,985 INFO [domainlist] Local host is: 10.1.xxx.87
2007-01-22 02:14:30,986 INFO [domainlist] Handling mail for: localhost
2007-01-22 02:14:30,986 INFO [domainlist] Handling mail for: 127.0.0.1
2007-01-22 02:14:30,986 INFO [domainlist] Handling mail for: 1xx.xxx.59.200
2007-01-22 02:14:30,987 INFO [domainlist] Handling mail for: 2xx.xxx.231.132
> DoS in MAIL / RCPT without domain
> ---------------------------------
>
> Key: JAMES-768
> URL: https://issues.apache.org/jira/browse/JAMES-768
> Project: James
> Issue Type: Bug
> Components: SMTPServer
> Environment: James Trunk
> Reporter: Guillermo Grandes
> Priority: Critical
>
> With each MAIL/RCPT without @Domain... the DomainList grow, grow, grow,... without limit... and log grows and grows still more...
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
[jira] Resolved: (JAMES-768) DoS in MAIL / RCPT without domain
Posted by "Norman Maurer (JIRA)" <se...@james.apache.org>.
[ https://issues.apache.org/jira/browse/JAMES-768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Norman Maurer resolved JAMES-768.
---------------------------------
Resolution: Fixed
Fix Version/s: Next Major
Change loglevel to debug.. Now it should be fixed. Thx for reporting
> DoS in MAIL / RCPT without domain
> ---------------------------------
>
> Key: JAMES-768
> URL: https://issues.apache.org/jira/browse/JAMES-768
> Project: James
> Issue Type: Bug
> Components: SMTPServer
> Environment: James Trunk
> Reporter: Guillermo Grandes
> Assigned To: Norman Maurer
> Priority: Critical
> Fix For: Next Major
>
>
> With each MAIL/RCPT without @Domain... the DomainList grow, grow, grow,... without limit... and log grows and grows still more...
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
[jira] Commented: (JAMES-768) DoS in MAIL / RCPT without domain
Posted by "Danny Angus (JIRA)" <se...@james.apache.org>.
[ https://issues.apache.org/jira/browse/JAMES-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12466677 ]
Danny Angus commented on JAMES-768:
-----------------------------------
I agree that this cures the initial symptom of log flooding, but I don't think it resolves the DoS because the collection will grow in the background.
Is the root cause not that the AbstractDomainList.getDomains will repeatedly add all of the local domains every time?
Look at this stripped out method (below) there's no condition to make sure the auto-detect only runs once.
It *might* be implied by an assumption that getDomains is only called in certain lifecycle start-up methods, but if so its use in MailFilterCmdHandler.java & RcptFilterCmdHandler.java proves that this is a fragile assumption which isn't documented or enforced.
If you agree, I'm happy to fix it, so you can assign this to me.
public List getDomains() {
...
if (domains != null) {
...
if (autoDetectIP == true) {
domains.addAll(DomainListUtil.getDomainsIP(domains,dns,getLogger()));
}
return domains;
}
}
> DoS in MAIL / RCPT without domain
> ---------------------------------
>
> Key: JAMES-768
> URL: https://issues.apache.org/jira/browse/JAMES-768
> Project: James
> Issue Type: Bug
> Components: SMTPServer
> Environment: James Trunk
> Reporter: Guillermo Grandes
> Assigned To: Norman Maurer
> Priority: Critical
> Fix For: Next Major
>
>
> With each MAIL/RCPT without @Domain... the DomainList grow, grow, grow,... without limit... and log grows and grows still more...
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
[jira] Assigned: (JAMES-768) DoS in MAIL / RCPT without domain
Posted by "Norman Maurer (JIRA)" <se...@james.apache.org>.
[ https://issues.apache.org/jira/browse/JAMES-768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Norman Maurer reassigned JAMES-768:
-----------------------------------
Assignee: Norman Maurer
I will take care...
> DoS in MAIL / RCPT without domain
> ---------------------------------
>
> Key: JAMES-768
> URL: https://issues.apache.org/jira/browse/JAMES-768
> Project: James
> Issue Type: Bug
> Components: SMTPServer
> Environment: James Trunk
> Reporter: Guillermo Grandes
> Assigned To: Norman Maurer
> Priority: Critical
>
> With each MAIL/RCPT without @Domain... the DomainList grow, grow, grow,... without limit... and log grows and grows still more...
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
[jira] Commented: (JAMES-768) DoS in MAIL / RCPT without domain
Posted by "Norman Maurer (JIRA)" <se...@james.apache.org>.
[ https://issues.apache.org/jira/browse/JAMES-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12467821 ]
Norman Maurer commented on JAMES-768:
-------------------------------------
You was right. When using the XMLDomainList the List growed everytime when getDomainList() was called. I fixed it by returning a new ArrayList everytime the getDomainList() is called.
> DoS in MAIL / RCPT without domain
> ---------------------------------
>
> Key: JAMES-768
> URL: https://issues.apache.org/jira/browse/JAMES-768
> Project: James
> Issue Type: Bug
> Components: SMTPServer
> Environment: James Trunk
> Reporter: Guillermo Grandes
> Assigned To: Norman Maurer
> Priority: Critical
> Fix For: Next Major
>
>
> With each MAIL/RCPT without @Domain... the DomainList grow, grow, grow,... without limit... and log grows and grows still more...
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
[jira] Commented: (JAMES-768) DoS in MAIL / RCPT without domain
Posted by "Guillermo Grandes (JIRA)" <se...@james.apache.org>.
[ https://issues.apache.org/jira/browse/JAMES-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12466381 ]
Guillermo Grandes commented on JAMES-768:
-----------------------------------------
I have added this parameters and... all is right!
<James>
<defaultDomain>localhost</defaultDomain>
<helloName autodetect="false">localhost</helloName>
[.....]
</James>
:-O
> DoS in MAIL / RCPT without domain
> ---------------------------------
>
> Key: JAMES-768
> URL: https://issues.apache.org/jira/browse/JAMES-768
> Project: James
> Issue Type: Bug
> Components: SMTPServer
> Environment: James Trunk
> Reporter: Guillermo Grandes
> Priority: Critical
>
> With each MAIL/RCPT without @Domain... the DomainList grow, grow, grow,... without limit... and log grows and grows still more...
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org