You are viewing a plain text version of this content. The canonical link for it is here.
Posted to server-dev@james.apache.org by Rene Cordier <rc...@apache.org> on 2021/05/05 09:31:30 UTC
SMTP server configuration issue
Hello guys,
While running some performance tests against SMTP protocol, I crossed
what I believe being potentially an issue regarding the configuration of
SMTP in James through the smtpserver.xml file.
What I observed is that we have two params that, according to the
official doc, are supposed to be coupled together: authRequired and
verifyIdentity.
In our default shipped conf for the port 25 we have:
<authRequired>false</authRequired>
<verifyIdentity>true</verifyIdentity>
In the official doc, regarding verifyIdentity:
> "This is an optional tag with a boolean body. This option can only
> be
used if SMTP authentication is required. If the parameter is set to true
then the sender address for the submitted message will be verified
against the authenticated subject. Verify sender addresses, ensuring
that the sender address matches the user who has authenticated. It will
verify that the sender address matches the address of the user or one of
its alias (from user or domain aliases). This prevents a user of your
mail server from acting as someone else If unspecified, default value is
true."
The behavior I observed with this was that James was rehecting my SMTP
calls because the user was not identified. It seems to force the auth to
be able to verify identity, despite saying auth is not required and the
doc saying that verifyIdentity should only be used if auth is required.
So I believe something is wrong here.
I would see 3 ways to resolve that potentially here.
1. If authRequired is set to false, we should reject verifyIdenty=true,
as it makes no logical sense. People might need to update their James
running installation though (but easy)
2. If authRequired is set to false, we can silently ignore
verifyIdentity is set to true.
3. We keep this current behavior, but need to change the documentation
accordingly and add a warning log as well during James startup.
I personally prefer the first one, as this is the way it's documented
for now and I found it more logical. However, it's completely opened to
discussion (thus the mail).
Depending on the feedback, will create the according JIRA fix ticket.
Thank you all, have a good day!
Rene.
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
Re: SMTP server configuration issue
Posted by Rene Cordier <rc...@apache.org>.
As there was no other feedback regarding this matter, as it seems Benoit
and myself reached a consensus on the first solution, I created a JIRA
ticket accordingly: https://issues.apache.org/jira/browse/JAMES-3579.
Rene.
On 05/05/2021 18:28, Tellier Benoit wrote:
> Hello René,
>
> Thanks for raising the topic here.
>
> Le 05/05/2021 à 16:31, Rene Cordier a écrit :
>> Hello guys,
>>
>> [...]
>>
>> 1. If authRequired is set to false, we should reject verifyIdenty=true,
>> as it makes no logical sense. People might need to update their James
>> running installation though (but easy)
>>
> By far my prefered option.
>
> Yes some people need to reconfigure smtpserver.xml but at least we don't
> take implicit decisions.
>
>> 2. If authRequired is set to false, we can silently ignore
>> verifyIdentity is set to true.
>
> The option that I like the least... It IMO gives a false sense of safety
> (you might believe senders are verified but they actually are not).
>
>> 3. We keep this current behavior, but need to change the documentation
>> accordingly and add a warning log as well during James startup.
>
> This look fine to me. Verifying senders implies forcing local users to
> authenticate (overwise the work-around is too simple...). However from
> an admin perspective it would be harder to diagnose some SMTP
> transaction being rejected compared to a server not starting.
>
>> I personally prefer the first one, as this is the way it's documented
>> for now and I found it more logical. However, it's completely opened to
>> discussion (thus the mail).
>>
>> Depending on the feedback, will create the according JIRA fix ticket.
>
> I think we can reuse JAMES-3525 as it is closely related...
>
> Cheers,
>
> Benoit
>
>>
>> Thank you all, have a good day!
>>
>> Rene.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
>> For additional commands, e-mail: server-dev-help@james.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> For additional commands, e-mail: server-dev-help@james.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
Re: SMTP server configuration issue
Posted by Tellier Benoit <bt...@apache.org>.
Hello René,
Thanks for raising the topic here.
Le 05/05/2021 à 16:31, Rene Cordier a écrit :
> Hello guys,
>
> [...]
>
> 1. If authRequired is set to false, we should reject verifyIdenty=true,
> as it makes no logical sense. People might need to update their James
> running installation though (but easy)
>
By far my prefered option.
Yes some people need to reconfigure smtpserver.xml but at least we don't
take implicit decisions.
> 2. If authRequired is set to false, we can silently ignore
> verifyIdentity is set to true.
The option that I like the least... It IMO gives a false sense of safety
(you might believe senders are verified but they actually are not).
> 3. We keep this current behavior, but need to change the documentation
> accordingly and add a warning log as well during James startup.
This look fine to me. Verifying senders implies forcing local users to
authenticate (overwise the work-around is too simple...). However from
an admin perspective it would be harder to diagnose some SMTP
transaction being rejected compared to a server not starting.
> I personally prefer the first one, as this is the way it's documented
> for now and I found it more logical. However, it's completely opened to
> discussion (thus the mail).
>
> Depending on the feedback, will create the according JIRA fix ticket.
I think we can reuse JAMES-3525 as it is closely related...
Cheers,
Benoit
>
> Thank you all, have a good day!
>
> Rene.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> For additional commands, e-mail: server-dev-help@james.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org