Posted to server-dev@james.apache.org by "Benoit Tellier (Jira)" <se...@james.apache.org> on 2020/01/06 03:09:00 UTC

[jira] [Commented] (JAMES-3017) James server exposes unsecured unmanaged TCP ports

    [ https://issues.apache.org/jira/browse/JAMES-3017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008508#comment-17008508 ] 

Benoit Tellier commented on JAMES-3017:
---------------------------------------

Hi,

Thanks for the report.

Port 9999 is JMX, configured in the jmx.properties file. It can be disabled with the Guice products (which means no CLI), but not with Spring. The port number is configurable.

Port 993 is IMAPS, configured in imapserver.xml. Meets the requirement you listed.

Port 465 is SMTPS, configured in smtpserver.xml. Meets the requirement you listed.

I'd be curious about ports 45530, 32000, 45167 and 46771. I suspect JMX exposes some additional ports. See https://stackoverflow.com/questions/20884353/why-java-opens-3-ports-when-jmx-is-configured . Control over them can be gained via:
 - system property com.sun.management.jmxremote.port
 - system property com.sun.management.jmxremote.rmi.port
 - -XX:+DisableAttachMechanism

Could you confirm these guesses? (tools like jconsole should allow you to inspect such details)

Best regards,

Benoit

> James server exposes unsecured unmanaged TCP ports
> --------------------------------------------------
>
>                 Key: JAMES-3017
>                 URL: https://issues.apache.org/jira/browse/JAMES-3017
>             Project: James Server
>          Issue Type: Bug
>            Reporter: Sergey B.
>            Priority: Minor
>
> James server is listening on some TCP ports, which are neither controlled nor documented.
> Below is the list of ports my instance of the mail server is listening on.
> {code:java}
> root@0dad7fbbb1d7:~/james-server-app-3.3.0/bin# ss -lnt
> State       Recv-Q Send-Q                                 Local Address:Port                                                Peer Address:Port
> LISTEN      0      128                                        127.0.0.1:45530
> LISTEN      0      1                                          127.0.0.1:32000
> LISTEN      0      128                                                *:993
> LISTEN      0      50                                                 *:9999
> LISTEN      0      50                                                 *:45167
> LISTEN      0      128                                                *:465
> LISTEN      0      50                                                 *:46771
> {code}
> There is only one port that is really secured. For a port to be secure, it must meet the following conditions.
>  # Port must be documented. Users should know what protocol is used and for what purpose.
>  # The protocol used to communicate through this port is secure.
>  # User should be able to bind it to a specific network interface.
>  # User should be able to change its number.
>  # User should be able to completely disable it if it is not needed.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
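
Added example (not part of the original thread and not James project code): a small audit of `ss -lnt` output that separates the listeners explained in the reply above from the ones still unaccounted for, and ranks unexplained ports bound beyond loopback first. The function names and the KNOWN table layout are assumptions made for this illustration; the port-to-file mapping is the one given in the reply.

```python
# Added example: rank `ss -lnt` listeners by how urgently they need explaining.
KNOWN = {  # port -> (service, config file), as stated in the reply above
    9999: ("JMX", "jmx.properties"),
    993: ("IMAPS", "imapserver.xml"),
    465: ("SMTPS", "smtpserver.xml"),
}
LOOPBACK = ("127.", "::1", "[::1]")

# Listing from the quoted report, whitespace condensed (no Peer column there).
SS_OUTPUT = """\
State   Recv-Q Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0      128     127.0.0.1:45530
LISTEN  0      1       127.0.0.1:32000
LISTEN  0      128     *:993
LISTEN  0      50      *:9999
LISTEN  0      50      *:45167
LISTEN  0      128     *:465
LISTEN  0      50      *:46771
"""


def parse_listeners(text):
    """Yield (address, port) for every LISTEN row; header/blank lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # also handles [::]:993
        yield addr, int(port)


def audit(text, known=KNOWN):
    """Return sorted rows: rank 0 = unknown and not loopback-only,
    rank 1 = unknown on loopback, rank 2 = documented in `known`."""
    rows = []
    for addr, port in parse_listeners(text):
        local_only = addr.startswith(LOOPBACK)
        service, config = known.get(port, ("UNKNOWN", "-"))
        rank = 2 if port in known else (1 if local_only else 0)
        scope = "loopback" if local_only else "network"
        rows.append((rank, port, addr, scope, service, config))
    return sorted(rows)


if __name__ == "__main__":
    for rank, port, addr, scope, service, config in audit(SS_OUTPUT):
        print(f"{rank}  {port:>5}  {addr:<10} {scope:<9} {service:<8} {config}")
```

Once com.sun.management.jmxremote.rmi.port is pinned to a fixed value, that port can be added to KNOWN so that only genuinely unexplained listeners remain at rank 0.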