Posted to server-dev@james.apache.org by "Peter M. Goldstein" <pe...@yahoo.com> on 2002/07/30 02:21:00 UTC

FW: Open relay with SMTP-AUTH

All,

I've just confirmed this on the latest code base.  The cause is pretty
obvious - there is a comment in SMTPHandler.java:

            // If this is a delivery failure notification (MAIL FROM: <>)
            //   we don't enforce authentication
            if (authRequired && state.get(SENDER) != null) {

Removing the (state.get(SENDER) != null) clause closes the open relay.

But can anyone clarify the comment?  Is this comment referring to
messages being generated by the James server in response to local
delivery failures?  Clearly the code as it stands is insecure...

--Peter

-----Original Message-----
From: bonadio@intersearch.com.br [mailto:bonadio@intersearch.com.br] 
Sent: None
To: james-user@jakarta.apache.org
Subject: Open relay with SMTP-AUTH


Hello

I think I found a bug when using SMTP-AUTH

if you enable smtp-auth and send a <> as the sender
the server allows the relay of any message, if you
specify a correct email address the server enforces the authentication

I created a patch for this, is there any other solution?

following a session that shows the problem

Trying XXXXXX...
Connected to XXXXXXXXX.
Escape character is '^]'.
220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs) ready Mon, 29 Jul 2002 20:31:04 -0400
helo test
250-myMailServer Hello test (XXXXXXX)
250 AUTH LOGIN PLAIN
mail from: <>
250 Sender <> OK
rcpt to: <ab...@abuse.org>
250 Recipient <ab...@abuse.org> OK
.....




--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
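
The gate quoted above can be modelled in a few lines to see exactly which combination of sender, authentication and recipient it lets through. This is an added example, not code from James or from the posters: the class, the `session` helper, the local domain and the sample addresses are constructed, and only `authRequired`, the `SENDER`/`AUTH` state keys, `isLocalServer` and the 530 reply are taken from the thread.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class RelayGateDemo {
    static final String SENDER = "SENDER";
    static final String AUTH = "AUTH";

    // Constructed sample: the only domain this server treats as local.
    static final Set<String> LOCAL_DOMAINS = Set.of("mymailserver.example");

    static boolean isLocalServer(String domain) {
        return LOCAL_DOMAINS.contains(domain.toLowerCase());
    }

    // Gate as quoted in the thread: skipped entirely when the sender is null.
    // Replies are simplified; the branch for authenticated sessions is not
    // shown in the thread and is not modelled here.
    static String rcptQuoted(boolean authRequired, Map<String, Object> state, String toDomain) {
        if (authRequired && state.get(SENDER) != null) {
            if (!state.containsKey(AUTH) && !isLocalServer(toDomain)) {
                return "530 Authentication Required";
            }
        }
        return "250 Recipient OK";
    }

    // Same gate with the (state.get(SENDER) != null) clause removed.
    static String rcptClauseRemoved(boolean authRequired, Map<String, Object> state, String toDomain) {
        if (authRequired) {
            if (!state.containsKey(AUTH) && !isLocalServer(toDomain)) {
                return "530 Authentication Required";
            }
        }
        return "250 Recipient OK";
    }

    // Per-session state map; MAIL FROM:<> leaves SENDER unset (modelling assumption).
    static Map<String, Object> session(String sender, String authUser) {
        Map<String, Object> state = new HashMap<>();
        if (sender != null) {
            state.put(SENDER, sender);
        }
        if (authUser != null) {
            state.put(AUTH, authUser);
        }
        return state;
    }

    public static void main(String[] args) {
        String[] senders = {null, "user@elsewhere.example"};
        String[] authUsers = {null, "alice"};
        String[] rcptDomains = {"mymailserver.example", "remote.example"};

        System.out.printf("%-24s %-6s %-22s %-28s %s%n",
                "MAIL FROM", "AUTH", "RCPT domain", "quoted gate", "clause removed");
        for (String sender : senders) {
            for (String user : authUsers) {
                for (String domain : rcptDomains) {
                    Map<String, Object> state = session(sender, user);
                    String before = rcptQuoted(true, state, domain);
                    String after = rcptClauseRemoved(true, state, domain);
                    System.out.printf("%-24s %-6s %-22s %-28s %s%s%n",
                            sender == null ? "<>" : sender,
                            user == null ? "no" : "yes",
                            domain, before, after,
                            before.equals(after) ? "" : "   <-- differs");
                }
            }
        }
    }
}
```

Of the eight combinations, the two gates disagree on one only: null sender, no AUTH, non-local recipient. Null-sender mail to a local domain is accepted by both, so inbound bounces are unaffected.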


RE: Open relay with SMTP-AUTH

Posted by "Peter M. Goldstein" <pe...@yahoo.com>.

Harmeet,

'MAIL FROM <>' is still supported now.  It is also supported in such a
way as to prevent arbitrary relaying of emails with null senders.

The correct behavior is as was discussed on this list earlier:

Not using SMTP AUTH - all messages are sent and relayed

Using SMTP AUTH - Messages with null senders are treated as
unauthenticated messages.  They are delivered locally, but not relayed.

Note that this change still allows you to setup James as an incoming
gateway for one or more SMTP servers (by listing the appropriate domains
in the local server list and using appropriate matchers/mailets to
deliver messages to the gatewayed servers).  Outgoing gateway behavior
is unaffected.

This is both in accord with the RFC and the only way to prevent James
from being an open relay when using SMTP AUTH as the primary form of
authorization (as opposed to IP match).  Tests with ordb.org confirm
this.

--Peter

> -----Original Message-----
> From: Harmeet Bedi [mailto:harmeet@kodemuse.com]
> Sent: Saturday, August 17, 2002 4:25 AM
> To: James Developers List
> Subject: Re: Open relay with SMTP-AUTH
> 
> Want to expand on this: If 'MAIL FROM <>' is not supported, your server will
> not get bounced messages from an External Server. It is a mandatory part of
> the specification for SMTP Server.
> 
> Harmeet


Re: Open relay with SMTP-AUTH

Posted by Harmeet Bedi <ha...@kodemuse.com>.
Want to expand on this: If 'MAIL FROM <>' is not supported, your server will
not get bounced messages from an External Server. It is a mandatory part of
the specification for SMTP Server.

Harmeet
----- Original Message -----
From: "Serge Knystautas" <se...@lokitech.com>
To: "James Developers List" <ja...@jakarta.apache.org>;
<fa...@alum.mit.edu>
Sent: Monday, July 29, 2002 11:21 PM
Subject: Re: Open relay with SMTP-AUTH


> Even if you have a server that only is accepting SMTP AUTH, it's still best
> practices to accept "MAIL FROM: <>" messages (i.e., you can't just disable
> that).  That said, messages with a null sender should not leave your server,
> so I think it's either a conf issue or a bug in some matcher that isn't
> probably capturing that and preventing the relaying.
>
> Serge Knystautas
> Loki Technologies
> http://www.lokitech.com/
>


RE: Open relay with SMTP-AUTH

Posted by "Peter M. Goldstein" <pe...@yahoo.com>.
Noel et al,

I do like this suggestion - it will make James very powerful and
flexible in its authentication handling.

When designing these properties please remember a couple of things:

i) There are a variety of SASL authentication mechanisms that may be
supported in the future, so any property passed to the matcher/mailet
should be fine-grained enough to specify the authentication mechanism

ii) The authenticated user id will also have to be preserved, not just
the fact of authentication.  This sort of approach is necessary not only
to support identity verification, but also more complex constructs like
role-based mailing.

That said, I still think we need a simple, easy-to-configure way to
allow users to ensure that James is not used as an open relay.  Power
and flexibility are important, but so is ease of use in standard
situations.  As far as I can tell, that mechanism is the authRequired
parameter for the SMTP Handler.

I'd like to address the original problem.  As far as I can tell
SMTPHandler should not need to treat messages with null senders any
differently than it treats other messages.  This is because internally
generated bounce messages are placed directly on the spool, and
externally generated bounce messages should only be going to localhost
if authentication is required.  Is that correct?  Serge, what are your
thoughts?

--Peter

> -----Original Message-----
> From: Noel J. Bergman [mailto:noel@devtech.com]
> Sent: Wednesday, July 31, 2002 6:50 AM
> To: James Developers List
> Subject: RE: Open relay with SMTP-AUTH
> 
> > The source of a mail is trusted if the mail is
> >   1. received through smtp from a local host - based on its ip address
> >   2. received through smtp from an smtp authenticated host
> >   3. generated within james
> 
> > As I know information about (1) is already available, but not
> > about(2) and (3).
> 
> #1 is based upon the remote host IP.  #3 is 127.0.0.1 (localhost).  #2 is
> the missing property.
> 
> 	--- Noel
> 
> 


RE: Open relay with SMTP-AUTH

Posted by "Noel J. Bergman" <no...@devtech.com>.
> The source of a mail is trusted if the mail is
>   1. received through smtp from a local host - based on its ip address
>   2. received through smtp from an smtp authenticated host
>   3. generated within james

> As I know information about (1) is already available, but not
> about(2) and (3).

#1 is based upon the remote host IP.  #3 is 127.0.0.1 (localhost).  #2 is
the missing property.

	--- Noel




Re: Open relay with SMTP-AUTH

Posted by Harmeet Bedi <ha...@kodemuse.com>.
----- Original Message -----
From: "Thomas Jachmann" <ho...@gmx.de>
> > The source of a mail is trusted if the mail is
> > 1. received through smtp from a local host - based on its ip address
> Concerning 1: There's the possibility of ip spoofing, so this isn't a bullet
> proof indicator of the trustworthiness of a mail.

James may not be as prone to IP Spoofing as some other servers. One reason
is the lack of PIPELINE support. SMTP Protocol has a lot of to and fro
communication. Response to spoofed IP address could go to the real IP
address, and it may either not be ready to accept responses or this could
introduce timing/sequencing issues.

Harmeet




RE: Open relay with SMTP-AUTH

Posted by Thomas Jachmann <ho...@gmx.de>.
Oh, I see... you mean that the client never has to provide authentication
data. If it does, the data gets attached to the mail. Then a matcher can
check whether it needs authentication and check if the appropriate data is
present and valid or not. Right? Excuse me for not thinking properly.

Regards,
Thomas

> -----Original Message-----
> From: Noel J. Bergman [mailto:noel@devtech.com]
> Sent: Wednesday, July 31, 2002 3:50 PM
> To: James Developers List
> Subject: RE: Open relay with SMTP-AUTH
>
>
> Thomas,
>
> I don't believe that it is necessary to configure the SMTPHandler
> that way.
> What you want to do would be configured through appropriate
> matchers/mailets.  To require AUTH regardless of circumstance, you would
> turn on authRequired.  To require AUTH for relaying by non-local IP, you
> would use a matcher that checked for authorized mail if it failed the IP
> check.  This is the JAMES philosophy: building blocks with appropriate
> infrastructure.
>
> 	--- Noel
>
>


RE: Open relay with SMTP-AUTH

Posted by Thomas Jachmann <ho...@gmx.de>.
Hi Noel,

by handling it this way, you have to ask all clients for authentication when
it is turned on. Later on, in the transport queue, you check if
authentication would have been necessary. But my approach was to let local
clients send mails without specifying authentication data while remote hosts
would have to authenticate in order to even deliver the mail. This is the
same as with local recipients. At the moment (at least with my
installation), if a host connects, it is asked to authenticate when
authentication is switched on. But normally you'd want to be able to deliver
mail to local accounts without the need to authenticate (which isn't
possible since other mail servers delivering mail have no local accounts to
authenticate with). Authentication is only needed when mail is going to be
relayed outwards. Or do I miss something?

Regards,
Thomas

> -----Original Message-----
> From: Noel J. Bergman [mailto:noel@devtech.com]
> Sent: Wednesday, July 31, 2002 3:50 PM
> To: James Developers List
> Subject: RE: Open relay with SMTP-AUTH
>
>
> Thomas,
>
> I don't believe that it is necessary to configure the SMTPHandler
> that way.
> What you want to do would be configured through appropriate
> matchers/mailets.  To require AUTH regardless of circumstance, you would
> turn on authRequired.  To require AUTH for relaying by non-local IP, you
> would use a matcher that checked for authorized mail if it failed the IP
> check.  This is the JAMES philosophy: building blocks with appropriate
> infrastructure.
>
> 	--- Noel
>
>


RE: Open relay with SMTP-AUTH

Posted by "Noel J. Bergman" <no...@devtech.com>.
Thomas,

I don't believe that it is necessary to configure the SMTPHandler that way.
What you want to do would be configured through appropriate
matchers/mailets.  To require AUTH regardless of circumstance, you would
turn on authRequired.  To require AUTH for relaying by non-local IP, you
would use a matcher that checked for authorized mail if it failed the IP
check.  This is the JAMES philosophy: building blocks with appropriate
infrastructure.

	--- Noel




RE: Open relay with SMTP-AUTH

Posted by Thomas Jachmann <ho...@gmx.de>.
> The source of a mail is trusted if the mail is
> 1. received through smtp from a local host - based on its ip address
> 2. received through smtp from an smtp authenticated host
> 3. generated within james
Concerning 1: There's the possibility of ip spoofing, so this isn't a bullet
proof indicator of the trustworthiness of a mail. I don't know if this is an
issue, though. If it is, I'd like to see this criterion for relaying being
configurable. Maybe something like:

<authRequired>all|non-local|none</authRequired>

Then you'd be sure that every mail within the spool is authenticated
according to the administrator's view. Either it is allowed due to
configuration/authentication (your 1. and 2.) or it was inserted into the
spool directly by james (your 3.).

Regards,
Thomas




Re: Open relay with SMTP-AUTH

Posted by Hontvari Jozsef <ho...@solware.com>.
I think we need two additional properties.

The source of a mail is trusted if the mail is
1. received through smtp from a local host - based on its ip address
2. received through smtp from an smtp authenticated host
3. generated within james

As I know information about (1) is already available, but not about(2) and
(3).


----- Original Message -----
From: "Noel J. Bergman" <no...@devtech.com>
To: "James Developers List" <ja...@jakarta.apache.org>
Sent: Wednesday, July 31, 2002 5:28 AM
Subject: RE: Open relay with SMTP-AUTH


> Serge,
>
> Instead of an X- header, why can't we add an "authenticatedSender" (pick a
> name) property to the mail object?  That kind of metadata would travel with
> the object (and clones) within the system, but can't be forged from the
> outside.  Does the fact that we authenticated it have any meaning once it
> leaves JAMES?  I don't think so.  If it did, that would be part of the RFC.
>
> Back in June, you and I were discussing Matcher <-> Mailet communication,
> and you mentioned that you wanted to add Mail.setAttribute() /
> Mail.getAttribute() to the Mailet API.  Do you want me to add this now, or
> add a fixed property?
>
> --- Noel
>
> -----Original Message-----
> From: Serge Knystautas [mailto:sergek@lokitech.com]
> Sent: Tuesday, July 30, 2002 22:53
> To: James Developers List
> Subject: Re: Open relay with SMTP-AUTH
>
>
> Yeah, I agree.  I never quite understood how SMTP AUTH was implemented
> effectively because there isn't an easy way to do that.  I don't know...
> maybe add an "X-" header to the message itself to record that it's
> authenticated (and make sure there isn't one there already).  But yeah,
> I agree with Noel's idea.
>
> --
> Serge Knystautas
> Loki Technologies - Unstoppable Websites
> http://www.lokitech.com/
>
> Noel J. Bergman wrote:
> > Peter,
> >
> > At a quick glance, it looks OK, but please ask Serge what he thinks.  And I
> > believe that I have an alternative solution.
> >
> > I don't like that right now we have to force SMTP AUTH for everyone under
> > all circumstances, or not use it at all.  I'd rather that AUTH was optional,
> > and that there was a way for the mail to be tagged with the meta-data that
> > it was authenticated.  That way, our configuration could toss people who
> > aren't on an acceptable IP to a processor that checked for AUTH, and if the
> > mail was tagged, it could pass it on for delivery.
> >
> > I don't mean to tag the message, e.g., with a forgeable header.  I mean to
> > tag the mail object, e.g., with a new property.  But right now once the mail
> > object has left the handler, there is nothing preserved to tell us that it
> > was sent by an authenticated sender.  The only reason why SMTP AUTH and <>
> > turns JAMES into an open relay is that we have to disable
> > RemoteAddrInNetwork.  If we could keep RemoteAddrInNetwork, and check for
> > AUTH in the failure case, we could address this problem differently.
> >
> > --- Noel
> >
> > -----Original Message-----
> > From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
> > Sent: Tuesday, July 30, 2002 21:57
> > To: 'James Developers List'
> > Cc: farsight@alum.mit.edu
> > Subject: RE: Open relay with SMTP-AUTH
> >
> >
> >
> > Noel,
> >
> > Right.  So locally generated bounces shouldn't traverse the gate logic
> > in SMTPHandler.java (and hence should be sent even if they have a null
> > Sender header) while bounces from other servers should only be delivered
> > locally if authRequired is true.  So we can change the SMTPHandler code
> > as I suggested earlier and we should be ok.  Your thoughts?
> >
> > --Peter
> >
> >
> >>-----Original Message-----
> >>From: Noel J. Bergman [mailto:noel@devtech.com]
> >>Sent: Tuesday, July 30, 2002 6:56 PM
> >>To: James Developers List
> >>Cc: farsight@alum.mit.edu
> >>Subject: RE: Open relay with SMTP-AUTH
> >>
> >>Peter,
> >>
> >>Internally, messages are sent by calling James.sendMail(), which calls
> >>spool.store() to put the message on the incoming message spool.  If
> >>you look at SMTPHandler, you'll see that it does the same thing.  It calls
> >>mailServer.sendMail(), which it sounds as if you've already noticed.
> >>
> >> --- Noel
> >>
> >>-----Original Message-----
> >>From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
> >>Sent: Tuesday, July 30, 2002 20:48
> >>To: 'James Developers List'
> >>Subject: RE: Open relay with SMTP-AUTH
> >>
> >>
> >>
> >>Noel,
> >>
> >>That looks right.  The relevant logic is in the SMTPHandler.
> >>
> >>Does the LocalDelivery bounce even invoke the SMTPHandler?  I don't see
> >>why it wouldn't just place an outgoing message on the spool directly.
> >>That's what it appears to do.
> >>
> >>I'm going to play with some configurations here and see what happens...
> >>
> >>--Peter
> >>
> >>
> >>>-----Original Message-----
> >>>From: Noel J. Bergman [mailto:noel@devtech.com]
> >>>Sent: Tuesday, July 30, 2002 4:39 PM
> >>>To: James Developers List
> >>>Cc: farsight@alum.mit.edu
> >>>Subject: RE: Open relay with SMTP-AUTH
> >>>
> >>>Seems like we have the following combination:
> >>>
> >>>                      local receiver      remote receiver
> >>>  local sender             OK                   OK
> >>>  remote sender            OK                  DENY
> >>>
> >>>with respect to null senders, which is the same as for other messages.
> >>>
> >>>Am I missing something?
> >>>
> >>> --- Noel
> >>>
> >>>-----Original Message-----
> >>>From: Hontvari Jozsef [mailto:hontvari@solware.com]
> >>>Sent: Tuesday, July 30, 2002 16:03
> >>>To: James Developers List; farsight@alum.mit.edu
> >>>Subject: Re: Open relay with SMTP-AUTH
> >>>
> >>>
> >>>
> >>>>If we're going to enforce that mail with null senders does not leave the
> >>>>host, then this should be:
> >>>
> >>>Maybe this assumption originates from me, sorry. It is not true. I have
> >>>forgotten that bounce messages generated by james also went through the
> >>>mailet spool (or am I wrong again?).
> >>>
> >>>At least the bounces generated locally by james must leave the server (and
> >>>the bounces MUST have null sender according to RFC 1123 5.3.3).
> >>>
> >>>I agree on that preventing open relay should not require adding mailets to
> >>>the default configuration file.
> >>>
> >>>----- Original Message -----
> >>>From: "Peter M. Goldstein" <pe...@yahoo.com>
> >>>To: "'James Developers List'" <ja...@jakarta.apache.org>
> >>>Sent: Tuesday, July 30, 2002 8:54 PM
> >>>Subject: RE: Open relay with SMTP-AUTH
> >>>
> >>>
> >>>
> >>>>All,
> >>>>
> >>>>From Serge's description it just seems that the not null sender check is
> >>>>unnecessary.  The code now is:
> >>>>
> >>>>            // If this is a delivery failure notification (MAIL FROM: <>)
> >>>>            //   we don't enforce authentication
> >>>>            if (authRequired && state.get(SENDER) != null) {
> >>>>                // Make sure the mail is being sent locally if not
> >>>>                // authenticated else reject.
> >>>>                if (!state.containsKey(AUTH)) {
> >>>>                    String toDomain = recipientAddress.getHost();
> >>>>                    if (!mailServer.isLocalServer(toDomain)) {
> >>>>                        out.println("530 Authentication Required");
> >>>>                        getLogger().error("Authentication is required for mail request");
> >>>>                        return;
> >>>>                    }
> >>>>                } else {
> >>>>
> >>>>If we're going to enforce that mail with null senders does not leave the
> >>>>host, then this should be:
> >>>>
> >>>>            // If this is a delivery failure notification (MAIL FROM: <>)
> >>>>            //   we don't enforce authentication
> >>>>            if (authRequired) {
> >>>>                // Make sure the mail is being sent locally if not
> >>>>                // authenticated else reject.
> >>>>                if (!state.containsKey(AUTH)) {
> >>>>                    String toDomain = recipientAddress.getHost();
> >>>>                    if (!mailServer.isLocalServer(toDomain)) {
> >>>>                        out.println("530 Authentication Required");
> >>>>                        getLogger().error("Authentication is required for mail request");
> >>>>                        return;
> >>>>                    }
> >>>>                } else {
> >>>>
> >>>>
> >>>>I haven't looked at the LocalDelivery mailet, but I imagine it may
> >>>>require modification to ensure that mails with empty senders that are
> >>>>routed to non-existent addresses don't bounce.
> >>>>
> >>>>I don't agree that this is a matcher issue.  It shouldn't require any
> >>>>complex configuration to prevent open relay behavior.  Turning on SMTP
> >>>>authentication is a standard and expected behavior to prevent open relay
> >>>>behavior.  Additional configuration of matchers is not.
> >>>>
> >>>>Any thoughts?
> >>>>
> >>>>--Peter
> >>>>
> >>>>
> >>>>>-----Original Message-----
> >>>>>From: Hontvari Jozsef [mailto:hontvari@solware.com]
> >>>>>Sent: Tuesday, July 30, 2002 12:54 AM
> >>>>>To: James Developers List
> >>>>>Subject: Re: Open relay with SMTP-AUTH
> >>>>>
> >>>>>But is it possible at all to configure james correctly?
> >>>>>If he is using smtp authentication, likely he hasn't so called "local"
> >>>>>hosts.
> >>>>>
> >>>>>This is the required behaviour, when the mail from is empty (i.e. bounce
> >>>>>message):
> >>>>>-if the recipient is local then deliver the message
> >>>>>(-if the recipient is local, but the mailbox does not exist, then do
> >>>>>nothing, you must not bounce a bounce message)
> >>>>>
> >>>>>-if the recipient is not local but the remote host is authenticated then
> >>>>>relay the message (although I guess this rarely occurs)
> >>>>>-if the recipient is not local and the remote host is not authenticated then
> >>>>>do nothing (usual servers simply would not accept the mail)
> >>>>>
> >>>>>BUT: there is no matcher which can decide if the sender is authenticated or
> >>>>>not, so we cannot configure correctly.
> >>>>>
> >>>>>I think the best configuration - which can be done at this moment - simply
> >>>>>removes the message if the recipient isn't local and the sender is empty.
> >>>>>
> >>>>>
> >>>>>----- Original Message -----
> >>>>>From: "Serge Knystautas" <se...@lokitech.com>
> >>>>>To: "James Developers List" <ja...@jakarta.apache.org>;
> >>>>><fa...@alum.mit.edu>
> >>>>>Sent: Tuesday, July 30, 2002 8:21 AM
> >>>>>Subject: Re: Open relay with SMTP-AUTH
> >>>>>
> >>>>>
> >>>>>
> >>>>>>Even if you have a server that only is accepting SMTH AUTH,
> >>>>>
> > it's
> >
> >>>>still
> >>>>
> >>>>>best
> >>>>>
> >>>>>>practices to accept "MAIL FROM: <>" messages (i.e., you can't
> >>>>>
> >>just
> >>
> >>>>>disable
> >>>>>
> >>>>>>that).  That said, messages with a null sender should not
> >>>>>
> > leave
> >
> >>your
> >>
> >>>>>server,
> >>>>>
> >>>>>>so I think it's either a conf issue or a bug in some matcher
> >>>>>
> >>that
> >>
> >>>>isn't
> >>>>
> >>>>>>probably capturing that and preventing the relaying.
> >>>>>>
> >>>>>>Serge Knystautas
> >>>>>>Loki Technologies
> >>>>>>http://www.lokitech.com/
> >>>>>>
> >>>>>>----- Original Message -----
> >>>>>>From: "Peter M. Goldstein" <pe...@yahoo.com>
> >>>>>>To: "'James Developers List'" <ja...@jakarta.apache.org>
> >>>>>>Sent: Monday, July 29, 2002 8:21 PM
> >>>>>>Subject: FW: Open relay with SMTP-AUTH
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>All,
> >>>>>>>
> >>>>>>>I've just confirmed this on the latest code base.  The cause is pretty
> >>>>>>>obvious - there is a comment in SMTPHandler.java:
> >>>>>>>
> >>>>>>>            // If this is a delivery failure notification (MAIL FROM: <>)
> >>>>>>>            //   we don't enforce authentication
> >>>>>>>            if (authRequired && state.get(SENDER) != null) {
> >>>>>>>
> >>>>>>>Removing the (state.get(SENDER) != null) clause closes the open relay.
> >>>>>>>
> >>>>>>>But can anyone clarify the comment?  Is this comment referring to
> >>>>>>>messages being generated by the James server in response to local
> >>>>>>>delivery failures?  Clearly the code as it stands is insecure...
> >>>>>>>
> >>>>>>>--Peter
> >>>>>>>
> >>>>>>>-----Original Message-----
> >>>>>>>From: bonadio@intersearch.com.br [mailto:bonadio@intersearch.com.br]
> >>>>>>>Sent: None
> >>>>>>>To: james-user@jakarta.apache.org
> >>>>>>>Subject: Open relay with SMTP-AUTH
> >>>>>>>
> >>>>>>>
> >>>>>>>Hello
> >>>>>>>
> >>>>>>>I think I found a bug when using SMTP-AUTH
> >>>>>>>
> >>>>>>>if you enable smtp-auth and send a <> as the sender
> >>>>>>>the server allows the relay of any message, if you
> >>>>>>>specify a correct email address the server enforces the authentication
> >>>>>>>
> >>>>>>>I created a patch for this, is there any other solution?
> >>>>>>>
> >>>>>>>following a session that shows the problem
> >>>>>>>
> >>>>>>>Trying XXXXXX...
> >>>>>>>Connected to XXXXXXXXX.
> >>>>>>>Escape character is '^]'.
> >>>>>>>220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs) ready Mon, 29
> >>>>>>>Jul 2002 20:31:04 -0400
> >>>>>>>helo test
> >>>>>>>250-myMailServer Hello test (XXXXXXX)
> >>>>>>>250 AUTH LOGIN PLAIN
> >>>>>>>mail from: <>
> >>>>>>>250 Sender <> OK
> >>>>>>>rcpt to: <ab...@abuse.org>
> >>>>>>>250 Recipient <ab...@abuse.org> OK
> >>>>>>>.....
> >>>>>>
>
>


String=>StringBuffer

Posted by "Peter M. Goldstein" <pe...@yahoo.com>.

All,

The Apache Anonymous CVS server appears to have become unresponsive
while I was finishing up generating my diffs, so the changes I promised
by the end of this week will be delayed.  I'll probably be able to post
it to the list tomorrow if the server goes back up later today or
tomorrow.

--Peter 





RE: [VOTE] Changes to database table structure and class Mail

Posted by Danny Angus <da...@apache.org>.
> Specifically, we are proposing that org.apache.mailet.Mail now include
> support for a Map allowing attributes to be dynamically associated with mail
> instances.  These attributes are different from X- headers, and are intended
> to provide internal (and unforgeable) communication of metadata within the
> James server.
>
> The map can be exposed via explicit methods, a la the Servlet API:
>
>    public void setAttribute(String, Object);
>    public Object getAttribute(String);
>    public Object removeAttribute(String);
>    public Enumeration getAttributeNames();
>
> by exposing the Map:
>
>    public Map getAttributes();
>
> or by being a Map:
>
>    public interface Mail extends Serializable, Cloneable, Map

+1 so far.

>
> I know what my suggestion would be, but I'm opening the topic for
> discussion.  Regardless of how we expose it, the new Map would be stored as
> a BLOB in the table, thus stored/retrieved as a unit.

If it's serializable it should be TEXT, MEDIUMTEXT or LONGTEXT, and the same
really applies to message body too. IMHO.



> Next, Serge is proposing that the error message be moved from a separate
> field to the attribute map.  My proposal would be that any such properties
> be added to the Map, and have their set/get methods deprecated.  What other
> properties, besides error, should be moved?  Perhaps the remote host and
> remote address properties.  I don't see any others that appear to be good
> candidates.  Message state is separately queried, and I'd like to keep that
> lightweight query available.
>
> So ... we need to make a decision so that this can be implemented.


+1 error_message, remote_host, remote_address

>
> 	--- Noel
>
>


[VOTE] Changes to database table structure and class Mail

Posted by "Noel J. Bergman" <no...@devtech.com>.
Serge,

re: http://www.mail-archive.com/james-dev@jakarta.apache.org/msg02862.html

I can add a serializable Map (probably a HashMap) to Mail, and I can write a
utility to convert the database format to account for the table change(s).

Do I need a vote on this?  I'd like not to do all the work, and have the
concept voted down.

Specifically, we are proposing that org.apache.mailet.Mail now include
support for a Map allowing attributes to be dynamically associated with mail
instances.  These attributes are different from X- headers, and are intended
to provide internal (and unforgeable) communication of metadata within the
James server.

The map can be exposed via explicit methods, a la the Servlet API:

   public void setAttribute(String, Object);
   public Object getAttribute(String);
   public Object removeAttribute(String);
   public Enumeration getAttributeNames();

by exposing the Map:

   public Map getAttributes();

or by being a Map:

   public interface Mail extends Serializable, Cloneable, Map

I know what my suggestion would be, but I'm opening the topic for
discussion.  Regardless of how we expose it, the new Map would be stored as
a BLOB in the table, thus stored/retrieved as a unit.

Next, Serge is proposing that the error message be moved from a separate
field to the attribute map.  My proposal would be that any such properties
be added to the Map, and have their set/get methods deprecated.  What other
properties, besides error, should be moved?  Perhaps the remote host and
remote address properties.  I don't see any others that appear to be good
candidates.  Message state is separately queried, and I'd like to keep that
lightweight query available.

So ... we need to make a decision so that this can be implemented.

	--- Noel


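
The attribute proposal in the message above, as an added sketch that is not James code or the Mailet API: a stand-in mail object whose attribute map is written only by server code, is stored and reloaded as one serialized blob, and is unaffected by a forged header. DemoMail, the attribute key and the X-Authenticated header name are constructed for illustration; attribute values are typed Serializable here as an assumption so that the whole map can be stored.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not James source. All names below are constructed.
public class MailAttributeDemo {

    static final String ATTR_AUTH_USER = "demo.smtp.authUser";  // hypothetical attribute key
    static final String FORGEABLE_HEADER = "X-Authenticated";   // hypothetical header name

    /** Stand-in for a mail object: headers come from the client, attributes from the server. */
    static final class DemoMail {
        final Map<String, String> headers = new LinkedHashMap<>();
        private HashMap<String, Serializable> attributes = new HashMap<>();

        public void setAttribute(String name, Serializable value) { attributes.put(name, value); }
        public Object getAttribute(String name) { return attributes.get(name); }
        public Object removeAttribute(String name) { return attributes.remove(name); }
    }

    /** Assumed handler step: copy client headers, tag the object only if AUTH succeeded. */
    static DemoMail receive(String[] headerLines, String authenticatedUser) {
        DemoMail mail = new DemoMail();
        for (String line : headerLines) {
            int colon = line.indexOf(':');
            if (colon > 0) {
                mail.headers.put(line.substring(0, colon).trim(),
                                 line.substring(colon + 1).trim());
            }
        }
        if (authenticatedUser != null) {
            mail.setAttribute(ATTR_AUTH_USER, authenticatedUser);
        }
        return mail;
    }

    /** The whole map becomes one blob, so it is stored and retrieved as a unit. */
    static byte[] attributesToBlob(DemoMail mail) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(mail.attributes);
        }
        return bytes.toByteArray();
    }

    /** Reads the blob back. Only bytes written by the server's own store belong here. */
    @SuppressWarnings("unchecked")
    static void attributesFromBlob(DemoMail mail, byte[] blob)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            mail.attributes = (HashMap<String, Serializable>) in.readObject();
        }
    }

    /** Simulates a spool round trip: headers are kept, attributes go through the blob. */
    static DemoMail storeAndReload(DemoMail original) throws IOException, ClassNotFoundException {
        DemoMail reloaded = new DemoMail();
        reloaded.headers.putAll(original.headers);
        attributesFromBlob(reloaded, attributesToBlob(original));
        return reloaded;
    }

    /** A check that trusts message content: any client can satisfy it. */
    static boolean headerSaysAuthenticated(DemoMail mail) {
        return mail.headers.containsKey(FORGEABLE_HEADER);
    }

    /** A check that trusts only the server-side attribute. */
    static boolean attributeSaysAuthenticated(DemoMail mail) {
        return mail.getAttribute(ATTR_AUTH_USER) != null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: one unauthenticated session that forges the
        // header, one authenticated session that sends no such header.
        String[] forgedHeaders = {
            "From: someone@elsewhere.example",
            "X-Authenticated: yes",
            "Subject: constructed sample"
        };
        String[] plainHeaders = {
            "From: alice@example.test",
            "Subject: constructed sample"
        };

        DemoMail forged = storeAndReload(receive(forgedHeaders, null));
        DemoMail genuine = storeAndReload(receive(plainHeaders, "alice"));

        System.out.printf("%-28s header-check=%-5b attribute-check=%b%n",
                "unauthenticated + forged:", headerSaysAuthenticated(forged),
                attributeSaysAuthenticated(forged));
        System.out.printf("%-28s header-check=%-5b attribute-check=%b%n",
                "authenticated, no header:", headerSaysAuthenticated(genuine),
                attributeSaysAuthenticated(genuine));
    }
}
```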


Re: Open relay with SMTP-AUTH

Posted by Serge Knystautas <se...@lokitech.com>.
Yeah, I think serializable Map is the way to go.

But... if you want a short term solution that doesn't require changing 
the repositories (much), what you can do is migrate the independent 
error field into one of the new generic attributes (which actually 
should be done anyway).  Then you can repurpose the existing error field 
in the store to be the string representation of a Properties object.  So 
that field goes from "something bad happened" to "error=something bad 
happened".

You'd need to increase the size of the field obviously, but then you 
could even write a bit of exception handling in the store to have it 
migrate from the individual String to the Properties object as it gets 
resaved.  Anyway, probably a bad idea since I do think a serializable 
Map is the better long term solution, but it's a thought.

-- 
Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com

Noel J. Bergman wrote:
> Serge,
> 
> I reviewed the store code, and I see your point about stores.  Not too bad
> for the file system stores, a bit more work for the JDBC stores.
> 
> Obviously, this sort of change should be made once, so if we are going to
> add ANY attribute, we should add it as a container so that we don't need to
> keep doing this each time an attribute is added.
> 
> The "easiest" thing is to add a Properties object to Mail objects.
> Alternatively, we could use a Hashmap to store keyed objects, but that gets
> us into the realm of having to make sure that all of the stored objects are
> Serializable, and I don't know if it really gains us anything to add the
> additional complication.  Thoughts?
> 
> Either way, the metadata would be stored as a single blob.  The
> understanding will be that we cannot query based upon such metadata, because
> it won't have independent existence in the database, although I suppose one
> could fudge it in the case of a property table, since it is stored as string
> content.
> 
> Are there any current properties that you'd move from the object into the
> map?  I'm inclined to not buy into that much editing (and potential breaking
> of third party matchers/mailets), but I could always maintain the current
> interface; only the storage would change.
> 
> 	--- Noel
> 
> -----Original Message-----
> From: Serge Knystautas [mailto:sergek@lokitech.com]
> Sent: Wednesday, July 31, 2002 7:03
> To: James Developers List
> Subject: Re: Open relay with SMTP-AUTH
> 
> 
> Yeah, I think adding setAttribute/getAttribute would be very helpful.
> Certainly would help you sort this out.  Then you could define a
> constant for the name of the attribute you would look for the SMTP-AUTH
> info.  This is going to require changing the mail/spool stores though
> and might create some upgrade problems, which is probably the biggest
> reason it hasn't been done yet.
> 
> --
> Serge Knystautas
> Loki Technologies - Unstoppable Websites
> http://www.lokitech.com/
> 
> Noel J. Bergman wrote:
> 
>>Serge,
>>
>>Instead of an X- header, why can't we add an "authenticatedSender" (pick a
>>name) property to the mail object?  That kind of metadata would travel with
>>the object (and clones) within the system, but can't be forged from the
>>outside.  Does the fact that we authenticated it have any meaning once it
>>leaves JAMES?  I don't think so.  If it did, that would be part of the RFC.
>>
>>Back in June, you and I were discussing Matcher <-> Mailet communication,
>>and you mentioned that you wanted to add Mail.setAttribute() /
>>Mail.getAttribute() to the Mailet API.  Do you want me to add this now, or
>>add a fixed property?
>>
>>	--- Noel
>>
>>-----Original Message-----
>>From: Serge Knystautas [mailto:sergek@lokitech.com]
>>Sent: Tuesday, July 30, 2002 22:53
>>To: James Developers List
>>Subject: Re: Open relay with SMTP-AUTH
>>
>>
>>Yeah, I agree.  I never quite understood how SMTP AUTH was implemented
>>effectively because there isn't an easy way to do that.  I don't know...
>>maybe add an "X-" header to the message itself to record that it's
>>authenticated (and make sure there isn't one there already).  But yeah,
>>I agree with Noel's idea.
>>
>>--
>>Serge Knystautas
>>Loki Technologies - Unstoppable Websites
>>http://www.lokitech.com/
>>
>>Noel J. Bergman wrote:
>>
>>
>>>Peter,
>>>
>>>At a quick glance, it looks OK, but please ask Serge what he thinks.  And I
>>>believe that I have an alternative solution.
>>>
>>>I don't like that right now we have to force SMTP AUTH for everyone under
>>>all circumstances, or not use it at all.  I'd rather that AUTH was optional,
>>>and that there was a way for the mail to be tagged with the meta-data that
>>>it was authenticated.  That way, our configuration could toss people who
>>>aren't on an acceptable IP to a processor that checked for AUTH, and if the
>>>mail was tagged, it could pass it on for delivery.
>>>
>>>I don't mean to tag the message, e.g., with a forgeable header.  I mean to
>>>tag the mail object, e.g., with a new property.  But right now once the mail
>>>object has left the handler, there is nothing preserved to tell us that it
>>>was sent by an authenticated sender.  The only reason why SMTP AUTH and <>
>>>turns JAMES into an open relay is that we have to disable
>>>RemoteAddrInNetwork.  If we could keep RemoteAddrInNetwork, and check for
>>>AUTH in the failure case, we could address this problem differently.
>>>
>>>	--- Noel
>>>
>>>-----Original Message-----
>>>From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
>>>Sent: Tuesday, July 30, 2002 21:57
>>>To: 'James Developers List'
>>>Cc: farsight@alum.mit.edu
>>>Subject: RE: Open relay with SMTP-AUTH
>>>
>>>
>>>
>>>Noel,
>>>
>>>Right.  So locally generated bounces shouldn't traverse the gate logic
>>>in SMTPHandler.java (and hence should be sent even if they have a null
>>>Sender header) while bounces from other servers should only be delivered
>>>locally if authRequired is true.  So we can change the SMTPHandler code
>>>as I suggested earlier and we should be ok.  Your thoughts?
>>>
>>>--Peter
>>>
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Noel J. Bergman [mailto:noel@devtech.com]
>>>>Sent: Tuesday, July 30, 2002 6:56 PM
>>>>To: James Developers List
>>>>Cc: farsight@alum.mit.edu
>>>>Subject: RE: Open relay with SMTP-AUTH
>>>>
>>>>Peter,
>>>>
>>>>Internally, messages are sent by calling James.sendMail(), which calls
>>>>spool.store() to put the message on the incoming message spool.  If
>>>>you look at SMTPHandler, you'll see that it does the same thing.  It calls
>>>>mailServer.sendMail(), which it sounds as if you've already noticed.
>>>>
>>>>	--- Noel
>>>>
>>>>-----Original Message-----
>>>>From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
>>>>Sent: Tuesday, July 30, 2002 20:48
>>>>To: 'James Developers List'
>>>>Subject: RE: Open relay with SMTP-AUTH
>>>>
>>>>
>>>>
>>>>Noel,
>>>>
>>>>That looks right.  The relevant logic is in the SMTPHandler.
>>>>
>>>>Does the LocalDelivery bounce even invoke the SMTPHandler?  I don't see
>>>>why it wouldn't just place an outgoing message on the spool directly.
>>>>That's what it appears to do.
>>>>
>>>>I'm going to play with some configurations here and see what happens...
>>>>
>>>>--Peter
>>>>
>>>>
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>From: Noel J. Bergman [mailto:noel@devtech.com]
>>>>>Sent: Tuesday, July 30, 2002 4:39 PM
>>>>>To: James Developers List
>>>>>Cc: farsight@alum.mit.edu
>>>>>Subject: RE: Open relay with SMTP-AUTH
>>>>>
>>>>>Seems like we have the following combination:
>>>>>
>>>>>                    local receiver      remote receiver
>>>>>local sender             OK                   OK
>>>>>remote sender            OK                  DENY
>>>>>
>>>>>with respect to null senders, which is the same as for other messages.
>>>>>
>>>>>Am I missing something?
>>>>>
>>>>>	--- Noel
>>>>>
>>>>>-----Original Message-----
>>>>>From: Hontvari Jozsef [mailto:hontvari@solware.com]
>>>>>Sent: Tuesday, July 30, 2002 16:03
>>>>>To: James Developers List; farsight@alum.mit.edu
>>>>>Subject: Re: Open relay with SMTP-AUTH
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>If we're going to enforce that mail with null senders does not leave the
>>>>>>host, then this should be:
>>>>>
>>>>>Maybe this assumption originates from me, sorry. It is not true. I have
>>>>>forgotten that bounce messages generated by james also went through the
>>>>>mailet spool (or am I wrong again?).
>>>>>
>>>>>At least the bounces generated locally by james must leave the server (and
>>>>>the bounces MUST have null sender according to RFC 1123 5.3.3).
>>>>>
>>>>>I agree on that preventing open relay should not require adding mailets to
>>>>>the default configuration file.
>>>>>
>>>>>----- Original Message -----
>>>>>From: "Peter M. Goldstein" <pe...@yahoo.com>
>>>>>To: "'James Developers List'" <ja...@jakarta.apache.org>
>>>>>Sent: Tuesday, July 30, 2002 8:54 PM
>>>>>Subject: RE: Open relay with SMTP-AUTH
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>All,
>>>>>>
>>>>>
>>>>>>From Serge's description it just seems that the not null sender check is
>>>>>>unnecessary.  The code now is:
>>>>>>
>>>>>>          // If this is a delivery failure notification (MAIL FROM: <>)
>>>>>>          //   we don't enforce authentication
>>>>>>          if (authRequired && state.get(SENDER) != null) {
>>>>>>              // Make sure the mail is being sent locally if not
>>>>>>              // authenticated else reject.
>>>>>>              if (!state.containsKey(AUTH)) {
>>>>>>                  String toDomain = recipientAddress.getHost();
>>>>>>                  if (!mailServer.isLocalServer(toDomain)) {
>>>>>>                      out.println("530 Authentication Required");
>>>>>>                      getLogger().error("Authentication is required for mail request");
>>>>>>                      return;
>>>>>>                  }
>>>>>>              } else {
>>>>>>
>>>>>>If we're going to enforce that mail with null senders does not leave the
>>>>>>host, then this should be:
>>>>>>
>>>>>>          // If this is a delivery failure notification (MAIL FROM: <>)
>>>>>>          //   we don't enforce authentication
>>>>>>          if (authRequired) {
>>>>>>              // Make sure the mail is being sent locally if not
>>>>>>              // authenticated else reject.
>>>>>>              if (!state.containsKey(AUTH)) {
>>>>>>                  String toDomain = recipientAddress.getHost();
>>>>>>                  if (!mailServer.isLocalServer(toDomain)) {
>>>>>>                      out.println("530 Authentication Required");
>>>>>>                      getLogger().error("Authentication is required for mail request");
>>>>>>                      return;
>>>>>>                  }
>>>>>>              } else {
>>>>>>
>>>>>>
>>>>>>I haven't looked at the LocalDelivery mailet, but I imagine it may
>>>>>>require modification to ensure that mails with empty senders that are
>>>>>>routed to non-existent addresses don't bounce.
>>>>>>
>>>>>>I don't agree that this is a matcher issue.  It shouldn't require any
>>>>>>complex configuration to prevent open relay behavior.  Turning on SMTP
>>>>>>authentication is a standard and expected behavior to prevent open relay
>>>>>>behavior.  Additional configuration of matchers is not.
>>>>>>
>>>>>>Any thoughts?
>>>>>>
>>>>>>--Peter
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>-----Original Message-----
>>>>>>>From: Hontvari Jozsef [mailto:hontvari@solware.com]
>>>>>>>Sent: Tuesday, July 30, 2002 12:54 AM
>>>>>>>To: James Developers List
>>>>>>>Subject: Re: Open relay with SMTP-AUTH
>>>>>>>
>>>>>>>But is it possible at all to configure james correctly?
>>>>>>>If he is using smtp authentication, likely he hasn't so called "local"
>>>>>>>hosts.
>>>>>>>
>>>>>>>This is the required behaviour, when the mail from is empty (i.e. bounce
>>>>>>>message):
>>>>>>>-if the recipient is local then deliver the message
>>>>>>>(-if the recipient is local, but the mailbox does not exist, then do
>>>>>>>nothing, you must not bounce a bounce message)
>>>>>>>
>>>>>>>-if the recipient is not local but the remote host is authenticated then
>>>>>>>relay the message (although I guess this rarely occurs)
>>>>>>>-if the recipient is not local and the remote host is not authenticated then
>>>>>>>do nothing (usual servers simply would not accept the mail)
>>>>>>>
>>>>>>>BUT: there is no matcher which can decide if the sender is authenticated or
>>>>>>>not, so we cannot configure correctly.
>>>>>>>
>>>>>>>I think the best configuration - which can be done at this moment - simply
>>>>>>>removes the message if the recipient isn't local and the sender is empty.
>>>>>>
>>>>>>
>>>>>>
>>>>>>>----- Original Message -----
>>>>>>>From: "Serge Knystautas" <se...@lokitech.com>
>>>>>>>To: "James Developers List" <ja...@jakarta.apache.org>;
>>>>>>><fa...@alum.mit.edu>
>>>>>>>Sent: Tuesday, July 30, 2002 8:21 AM
>>>>>>>Subject: Re: Open relay with SMTP-AUTH
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>Even if you have a server that only is accepting SMTP AUTH, it's still best
>>>>>>>>practices to accept "MAIL FROM: <>" messages (i.e., you can't just disable
>>>>>>>>that).  That said, messages with a null sender should not leave your server,
>>>>>>>>so I think it's either a conf issue or a bug in some matcher that isn't
>>>>>>>>probably capturing that and preventing the relaying.
>>>>>>>>
>>>>>>>>Serge Knystautas
>>>>>>>>Loki Technologies
>>>>>>>>http://www.lokitech.com/
>>>>>>>>
>>>>>>>>----- Original Message -----
>>>>>>>>From: "Peter M. Goldstein" <pe...@yahoo.com>
>>>>>>>>To: "'James Developers List'" <ja...@jakarta.apache.org>
>>>>>>>>Sent: Monday, July 29, 2002 8:21 PM
>>>>>>>>Subject: FW: Open relay with SMTP-AUTH
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>All,
>>>>>>>>>
>>>>>>>>>I've just confirmed this on the latest code base.  The cause is pretty
>>>>>>>>>obvious - there is a comment in SMTPHandler.java:
>>>>>>>>>
>>>>>>>>>          // If this is a delivery failure notification (MAIL FROM: <>)
>>>>>>>>>          //   we don't enforce authentication
>>>>>>>>>          if (authRequired && state.get(SENDER) != null) {
>>>>>>>>>
>>>>>>>>>Removing the (state.get(SENDER) != null) clause closes the open relay.
>>>>>>>>>
>>>>>>>>>But can anyone clarify the comment?  Is this comment referring to
>>>>>>>>>messages being generated by the James server in response to local
>>>>>>>>>delivery failures?  Clearly the code as it stands is insecure...
>>>>>>>>>
>>>>>>>>>--Peter
>>>>>>>>>
>>>>>>>>>-----Original Message-----
>>>>>>>>>From: bonadio@intersearch.com.br [mailto:bonadio@intersearch.com.br]
>>>>>>>>>Sent: None
>>>>>>>>>To: james-user@jakarta.apache.org
>>>>>>>>>Subject: Open relay with SMTP-AUTH
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>Hello
>>>>>>>>>
>>>>>>>>>I think I found a bug when using SMTP-AUTH
>>>>>>>>>
>>>>>>>>>if you enable smtp-auth and send a <> as the sender
>>>>>>>>>the server allows the relay of any message, if you
>>>>>>>>>specify a correct email address the server enforces the authentication
>>>>>>>>>
>>>>>>>>>I created a patch for this, is there any other solution?
>>>>>>>>>
>>>>>>>>>following a session that shows the problem
>>>>>>>>>
>>>>>>>>>Trying XXXXXX...
>>>>>>>>>Connected to XXXXXXXXX.
>>>>>>>>>Escape character is '^]'.
>>>>>>>>>220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs) ready Mon, 29
>>>>>>>>>Jul 2002 20:31:04 -0400
>>>>>>>>>helo test
>>>>>>>>>250-myMailServer Hello test (XXXXXXX)
>>>>>>>>>250 AUTH LOGIN PLAIN
>>>>>>>>>mail from: <>
>>>>>>>>>250 Sender <> OK
>>>>>>>>>rcpt to: <ab...@abuse.org>
>>>>>>>>>250 Recipient <ab...@abuse.org> OK
>>>>>>>>>.....
>>>>>>>>



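
The RCPT TO check debated in the messages quoted above, as an added example that is not code from James or from any poster: it models the quoted check and the version with the (state.get(SENDER) != null) clause removed, then runs both over every sender / AUTH / recipient combination with authRequired switched on. RcptGateDemo, Session and the domain names are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added illustration, not James source: models the RCPT TO check quoted in the
// thread. Class, field and domain names are constructed for this example.
public class RcptGateDemo {

    /** Per-connection state the handler would hold after MAIL FROM / AUTH. */
    static final class Session {
        final String sender;          // null models MAIL FROM:<>
        final boolean authenticated;  // true once SMTP AUTH has succeeded

        Session(String sender, boolean authenticated) {
            this.sender = sender;
            this.authenticated = authenticated;
        }
    }

    static final String OK = "250 Recipient OK";
    static final String DENY = "530 Authentication Required";

    // Constructed list of domains this server accepts mail for.
    static final Set<String> LOCAL_DOMAINS =
            new HashSet<>(Arrays.asList("example.test"));

    static boolean isLocalServer(String domain) {
        return LOCAL_DOMAINS.contains(domain.toLowerCase(Locale.ROOT));
    }

    /** The check as quoted: a null sender skips the authentication gate entirely. */
    static String gateAsQuoted(boolean authRequired, Session s, String rcptDomain) {
        if (authRequired && s.sender != null) {
            if (!s.authenticated && !isLocalServer(rcptDomain)) {
                return DENY;
            }
        }
        return OK;
    }

    /** The check with the (sender != null) clause removed, as proposed in the thread. */
    static String gateWithoutSenderClause(boolean authRequired, Session s, String rcptDomain) {
        if (authRequired) {
            if (!s.authenticated && !isLocalServer(rcptDomain)) {
                return DENY;
            }
        }
        return OK;
    }

    public static void main(String[] args) {
        // Only mail arriving over SMTP reaches this gate. Per the thread, bounces
        // generated by the server itself are put on the spool directly.
        String[] senders = {null, "user@example.test"};
        boolean[] authStates = {false, true};
        String[] rcptDomains = {"example.test", "elsewhere.example"};

        System.out.printf("%-20s %-6s %-18s %-30s %s%n",
                "MAIL FROM", "AUTH", "RCPT domain", "as quoted", "clause removed");

        int changedRows = 0;
        for (String sender : senders) {
            for (boolean auth : authStates) {
                for (String rcpt : rcptDomains) {
                    Session s = new Session(sender, auth);
                    String before = gateAsQuoted(true, s, rcpt);
                    String after = gateWithoutSenderClause(true, s, rcpt);
                    boolean changed = !before.equals(after);
                    if (changed) {
                        changedRows++;
                    }
                    System.out.printf("%-20s %-6s %-18s %-30s %s%s%n",
                            sender == null ? "<>" : sender,
                            auth ? "yes" : "no",
                            rcpt, before, after,
                            changed ? "   <-- relay closed" : "");
                }
            }
        }

        // The two gates differ in exactly one case: null sender, no AUTH,
        // non-local recipient. Every other combination keeps its old answer,
        // including an unauthenticated bounce addressed to a local user.
        if (changedRows != 1) {
            throw new IllegalStateException("expected 1 changed row, got " + changedRows);
        }
    }
}
```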


RE: Open relay with SMTP-AUTH

Posted by "Noel J. Bergman" <no...@devtech.com>.
Serge,

I reviewed the store code, and I see your point about stores.  Not too bad
for the file system stores, a bit more work for the JDBC stores.

Obviously, this sort of change should be made once, so if we are going to
add ANY attribute, we should add it as a container so that we don't need to
keep doing this each time an attribute is added.

The "easiest" thing is to add a Properties object to Mail objects.
Alternatively, we could use a Hashmap to store keyed objects, but that gets
us into the realm of having to make sure that all of the stored objects are
Serializable, and I don't know if it really gains us anything to add the
additional complication.  Thoughts?

Either way, the metadata would be stored as a single blob.  The
understanding will be that we cannot query based upon such metadata, because
it won't have independent existence in the database, although I suppose one
could fudge it in the case of a property table, since it is stored as string
content.

Are there any current properties that you'd move from the object into the
map?  I'm inclined to not buy into that much editing (and potential breaking
of third party matchers/mailets), but I could always maintain the current
interface; only the storage would change.

	--- Noel

-----Original Message-----
From: Serge Knystautas [mailto:sergek@lokitech.com]
Sent: Wednesday, July 31, 2002 7:03
To: James Developers List
Subject: Re: Open relay with SMTP-AUTH


Yeah, I think adding setAttribute/getAttribute would be very helpful.
Certainly would help you sort this out.  Then you could define a
constant for the name of the attribute you would look for the SMTP-AUTH
info.  This is going to require changing the mail/spool stores though
and might create some upgrade problems, which is probably the biggest
reason it hasn't been done yet.

--
Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com/

Noel J. Bergman wrote:
> Serge,
>
> Instead of an X- header, why can't we add an "authenticatedSender" (pick a
> name) property to the mail object?  That kind of metadata would travel with
> the object (and clones) within the system, but can't be forged from the
> outside.  Does the fact that we authenticated it have any meaning once it
> leaves JAMES?  I don't think so.  If it did, that would be part of the RFC.
>
> Back in June, you and I were discussing Matcher <-> Mailet communication,
> and you mentioned that you wanted to add Mail.setAttribute() /
> Mail.getAttribute() to the Mailet API.  Do you want me to add this now, or
> add a fixed property?
>
> 	--- Noel
>
> -----Original Message-----
> From: Serge Knystautas [mailto:sergek@lokitech.com]
> Sent: Tuesday, July 30, 2002 22:53
> To: James Developers List
> Subject: Re: Open relay with SMTP-AUTH
>
>
> Yeah, I agree.  I never quite understood how SMTP AUTH was implemented
> effectively because there isn't an easy way to do that.  I don't know...
> maybe add an "X-" header to the message itself to record that it's
> authenticated (and make sure there isn't one there already).  But yeah,
> I agree with Noel's idea.
>
> --
> Serge Knystautas
> Loki Technologies - Unstoppable Websites
> http://www.lokitech.com/
>
> Noel J. Bergman wrote:
>
>>Peter,
>>
>>At a quick glance, it looks OK, but please ask Serge what he thinks.  And I
>>believe that I have an alternative solution.
>>
>>I don't like that right now we have to force SMTP AUTH for everyone under
>>all circumstances, or not use it at all.  I'd rather that AUTH was optional,
>>and that there was a way for the mail to be tagged with the meta-data that
>>it was authenticated.  That way, our configuration could toss people who
>>aren't on an acceptable IP to a processor that checked for AUTH, and if the
>>mail was tagged, it could pass it on for delivery.
>>
>>I don't mean to tag the message, e.g., with a forgeable header.  I mean to
>>tag the mail object, e.g., with a new property.  But right now once the mail
>>object has left the handler, there is nothing preserved to tell us that it
>>was sent by an authenticated sender.  The only reason why SMTP AUTH and <>
>>turns JAMES into an open relay is that we have to disable
>>RemoteAddrInNetwork.  If we could keep RemoteAddrInNetwork, and check for
>>AUTH in the failure case, we could address this problem differently.
>>
>>	--- Noel
>>
>>-----Original Message-----
>>From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
>>Sent: Tuesday, July 30, 2002 21:57
>>To: 'James Developers List'
>>Cc: farsight@alum.mit.edu
>>Subject: RE: Open relay with SMTP-AUTH
>>
>>
>>
>>Noel,
>>
>>Right.  So locally generated bounces shouldn't traverse the gate logic
>>in SMTPHandler.java (and hence should be sent even if they have a null
>>Sender header) while bounces from other servers should only be delivered
>>locally if authRequired is true.  So we can change the SMTPHandler code
>>as I suggested earlier and we should be ok.  Your thoughts?
>>
>>--Peter
>>
>>
>>
>>>-----Original Message-----
>>>From: Noel J. Bergman [mailto:noel@devtech.com]
>>>Sent: Tuesday, July 30, 2002 6:56 PM
>>>To: James Developers List
>>>Cc: farsight@alum.mit.edu
>>>Subject: RE: Open relay with SMTP-AUTH
>>>
>>>Peter,
>>>
>>>Internally, messages are sent by calling James.sendMail(), which calls
>>>spool.store() to put the message on the incoming message spool.  If
>>>you look at SMTPHandler, you'll see that it does the same thing.  It calls
>>>mailServer.sendMail(), which it sounds as if you've already noticed.
>>>
>>>	--- Noel
>>>
>>>-----Original Message-----
>>>From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
>>>Sent: Tuesday, July 30, 2002 20:48
>>>To: 'James Developers List'
>>>Subject: RE: Open relay with SMTP-AUTH
>>>
>>>
>>>
>>>Noel,
>>>
>>>That looks right.  The relevant logic is in the SMTPHandler.
>>>
>>>Does the LocalDelivery bounce even invoke the SMTPHandler?  I don't see
>>>why it wouldn't just place an outgoing message on the spool directly.
>>>That's what it appears to do.
>>>
>>>I'm going to play with some configurations here and see what happens...
>>>
>>>--Peter
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Noel J. Bergman [mailto:noel@devtech.com]
>>>>Sent: Tuesday, July 30, 2002 4:39 PM
>>>>To: James Developers List
>>>>Cc: farsight@alum.mit.edu
>>>>Subject: RE: Open relay with SMTP-AUTH
>>>>
>>>>Seems like we have the following combination:
>>>>
>>>>                     local receiver      remote receiver
>>>> local sender             OK                   OK
>>>> remote sender            OK                  DENY
>>>>
>>>>with respect to null senders, which is the same as for other messages.
>>>>
>>>>Am I missing something?
>>>>
>>>>	--- Noel
>>>>
>>>>-----Original Message-----
>>>>From: Hontvari Jozsef [mailto:hontvari@solware.com]
>>>>Sent: Tuesday, July 30, 2002 16:03
>>>>To: James Developers List; farsight@alum.mit.edu
>>>>Subject: Re: Open relay with SMTP-AUTH
>>>>
>>>>
>>>>
>>>>
>>>>>If we're going to enforce that mail with null senders does not leave the
>>>>>host, then this should be:
>>>>
>>>>Maybe this assumption originates from me, sorry. It is not true. I have
>>>>forgotten that bounce messages generated by james also went through the
>>>>mailet spool (or am I wrong again?).
>>>>
>>>>At least the bounces generated locally by james must leave the server (and
>>>>the bounces MUST have null sender according to RFC 1123 5.3.3).
>>>>
>>>>I agree on that preventing open relay should not require adding mailets to
>>>>the default configuration file.
>>>>
>>>>----- Original Message -----
>>>>From: "Peter M. Goldstein" <pe...@yahoo.com>
>>>>To: "'James Developers List'" <ja...@jakarta.apache.org>
>>>>Sent: Tuesday, July 30, 2002 8:54 PM
>>>>Subject: RE: Open relay with SMTP-AUTH
>>>>
>>>>
>>>>
>>>>
>>>>>All,
>>>>>
>>>>
>>>>>From Serge's description it just seems that the not null sender check is
>>>>>unnecessary.  The code now is:
>>>>>
>>>>>           // If this is a delivery failure notification (MAIL FROM: <>)
>>>>>           //   we don't enforce authentication
>>>>>           if (authRequired && state.get(SENDER) != null) {
>>>>>               // Make sure the mail is being sent locally if not
>>>>>               // authenticated else reject.
>>>>>               if (!state.containsKey(AUTH)) {
>>>>>                   String toDomain = recipientAddress.getHost();
>>>>>                   if (!mailServer.isLocalServer(toDomain)) {
>>>>>                       out.println("530 Authentication Required");
>>>>>                       getLogger().error("Authentication is required for mail request");
>>>>>                       return;
>>>>>                   }
>>>>>               } else {
>>>>>
>>>>>If we're going to enforce that mail with null senders does not leave the
>>>>>host, then this should be:
>>>>>
>>>>>           // If this is a delivery failure notification (MAIL FROM: <>)
>>>>>           //   we don't enforce authentication
>>>>>           if (authRequired) {
>>>>>               // Make sure the mail is being sent locally if not
>>>>>               // authenticated else reject.
>>>>>               if (!state.containsKey(AUTH)) {
>>>>>                   String toDomain = recipientAddress.getHost();
>>>>>                   if (!mailServer.isLocalServer(toDomain)) {
>>>>>                       out.println("530 Authentication Required");
>>>>>                       getLogger().error("Authentication is required for mail request");
>>>>>                       return;
>>>>>                   }
>>>>>               } else {
>>>>>
>>>>>
>>>>>I haven't looked at the LocalDelivery mailet, but I imagine it may
>>>>>require modification to ensure that mails with empty senders that are
>>>>>routed to non-existent addresses don't bounce.
>>>>>
>>>>>I don't agree that this is a matcher issue.  It shouldn't require any
>>>>>complex configuration to prevent open relay behavior.  Turning on SMTP
>>>>>authentication is a standard and expected behavior to prevent open relay
>>>>>behavior.  Additional configuration of matchers is not.
>>>>>
>>>>>Any thoughts?
>>>>>
>>>>>--Peter
>>>>>
>>>>>
>>>>>
>>>>>>-----Original Message-----
>>>>>>From: Hontvari Jozsef [mailto:hontvari@solware.com]
>>>>>>Sent: Tuesday, July 30, 2002 12:54 AM
>>>>>>To: James Developers List
>>>>>>Subject: Re: Open relay with SMTP-AUTH
>>>>>>
>>>>>>But is it possible at all to configure james correctly?
>>>>>>If he is using smtp authentication, likely he hasn't so called "local"
>>>>>>hosts.
>>>>>>
>>>>>>This is the required behaviour, when the mail from is empty (i.e. bounce
>>>>>>message):
>>>>>>-if the recipient is local then deliver the message
>>>>>>(-if the recipient is local, but the mailbox does not exist, then do
>>>>>>nothing, you must not bounce a bounce message)
>>>>>>
>>>>>>-if the recipient is not local but the remote host is authenticated then
>>>>>>relay the message (although I guess this rarely occurs)
>>>>>>-if the recipient is not local and the remote host is not authenticated then
>>>>>>do nothing (usual servers simply would not accept the mail)
>>>>>>
>>>>>>BUT: there is no matcher which can decide if the sender is authenticated or
>>>>>>not, so we cannot configure correctly.
>>>>>>
>>>>>>I think the best configuration - which can be done at this moment - simply
>>>>>>removes the message if the recipient isn't local and the sender is empty.
>>>>>>
>>>>>>----- Original Message -----
>>>>>>From: "Serge Knystautas" <se...@lokitech.com>
>>>>>>To: "James Developers List" <ja...@jakarta.apache.org>;
>>>>>><fa...@alum.mit.edu>
>>>>>>Sent: Tuesday, July 30, 2002 8:21 AM
>>>>>>Subject: Re: Open relay with SMTP-AUTH
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>Even if you have a server that only is accepting SMTP AUTH, it's still best
>>>>>>>practices to accept "MAIL FROM: <>" messages (i.e., you can't just disable
>>>>>>>that).  That said, messages with a null sender should not leave your server,
>>>>>>>so I think it's either a conf issue or a bug in some matcher that isn't
>>>>>>>probably capturing that and preventing the relaying.
>>>>>>>
>>>>>>>Serge Knystautas
>>>>>>>Loki Technologies
>>>>>>>http://www.lokitech.com/
>>>>>>>
>>>>>>>----- Original Message -----
>>>>>>>From: "Peter M. Goldstein" <pe...@yahoo.com>
>>>>>>>To: "'James Developers List'" <ja...@jakarta.apache.org>
>>>>>>>Sent: Monday, July 29, 2002 8:21 PM
>>>>>>>Subject: FW: Open relay with SMTP-AUTH
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>All,
>>>>>>>>
>>>>>>>>I've just confirmed this on the latest code base.  The cause is pretty
>>>>>>>>obvious - there is a comment in SMTPHandler.java:
>>>>>>>>
>>>>>>>>           // If this is a delivery failure notification (MAIL FROM: <>)
>>>>>>>>           //   we don't enforce authentication
>>>>>>>>           if (authRequired && state.get(SENDER) != null) {
>>>>>>>>
>>>>>>>>Removing the (state.get(SENDER) != null) clause closes the open relay.
>>>>>>>>
>>>>>>>>But can anyone clarify the comment?  Is this comment referring to
>>>>>>>>messages being generated by the James server in response to local
>>>>>>>>delivery failures?  Clearly the code as it stands is insecure...
>>>>>>>>
>>>>>>>>--Peter
>>>>>>>>
>>>>>>>>-----Original Message-----
>>>>>>>>From: bonadio@intersearch.com.br [mailto:bonadio@intersearch.com.br]
>>>>>>>>Sent: None
>>>>>>>>To: james-user@jakarta.apache.org
>>>>>>>>Subject: Open relay with SMTP-AUTH
>>>>>>>>
>>>>>>>>
>>>>>>>>Hello
>>>>>>>>
>>>>>>>>I think I found a bug when using SMTP-AUTH
>>>>>>>>
>>>>>>>>if you enable smtp-auth and sends a <> as the sender
>>>>>>>>the servers allows the relay of any message, if you
>>>>>>>>specify a correct email address the server enforces the authentication
>>>>>>>>
>>>>>>>>I created a patch for this, is there any other solution?
>>>>>>>>
>>>>>>>>following a session that shows the problem
>>>>>>>>
>>>>>>>>Trying XXXXXX...
>>>>>>>>Connected to XXXXXXXXX.
>>>>>>>>Escape character is '^]'.
>>>>>>>>220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs) ready Mon, 29
>>>>>>>>Jul 2002 20:31:04 -0400
>>>>>>>>helo test
>>>>>>>>250-myMailServer Hello test (XXXXXXX)
>>>>>>>>250 AUTH LOGIN PLAIN
>>>>>>>>mail from: <>
>>>>>>>>250 Sender <> OK
>>>>>>>>rcpt to: <ab...@abuse.org>
>>>>>>>>250 Recipient <ab...@abuse.org> OK
>>>>>>>>.....
>>>>>>>


Re: Open relay with SMTP-AUTH

Posted by Serge Knystautas <se...@lokitech.com>.
Yeah, I think adding setAttribute/getAttribute would be very helpful. 
Certainly would help you sort this out.  Then you could define a 
constant for the name of the attribute you would look for the SMTP-AUTH 
info.  This is going to require changing the mail/spool stores though 
and might create some upgrade problems, which is probably the biggest 
reason it hasn't been done yet.

-- 
Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com/

Noel J. Bergman wrote:
> Serge,
> 
> Instead of an X- header, why can't we add an "authenticatedSender" (pick a
> name) property to the mail object?  That kind of metadata would travel with
> the object (and clones) within the system, but can't be forged from the
> outside.  Does the fact that we authenticated it have any meaning once it
> leaves JAMES?  I don't think so.  If it did, that would be part of the RFC.
> 
> Back in June, you and I were discussing Matcher <-> Mailet communication,
> and you mentioned that you wanted to add Mail.setAttribute() /
> Mail.getAttribute() to the Mailet API.  Do you want me to add this now, or
> add a fixed property?
> 
> 	--- Noel
> 
> -----Original Message-----
> From: Serge Knystautas [mailto:sergek@lokitech.com]
> Sent: Tuesday, July 30, 2002 22:53
> To: James Developers List
> Subject: Re: Open relay with SMTP-AUTH
> 
> 
> Yeah, I agree.  I never quite understood how SMTP AUTH was implemented
> effectively because there isn't an easy way to do that.  I don't know...
> maybe add an "X-" header to the message itself to record that it's
> authenticated (and make sure there isn't one there already).  But yeah,
> I agree with Noel's idea.
> 
> --
> Serge Knystautas
> Loki Technologies - Unstoppable Websites
> http://www.lokitech.com/
> 
> Noel J. Bergman wrote:
> 
>>Peter,
>>
>>At a quick glance, it looks OK, but please ask Serge what he thinks.  And I
>>believe that I have an alternative solution.
>>
>>I don't like that right now we have to force SMTP AUTH for everyone under
>>all circumstances, or not use it at all.  I'd rather that AUTH was optional,
>>and that there was a way for the mail to be tagged with the meta-data that
>>it was authenticated.  That way, our configuration could toss people who
>>aren't on an acceptable IP to a processor that checked for AUTH, and if the
>>mail was tagged, it could pass it on for delivery.
>>
>>I don't mean to tag the message, e.g., with a forgeable header.  I mean to
>>tag the mail object, e.g., with a new property.  But right now once the mail
>>object has left the handler, there is nothing preserved to tell us that it
>>was sent by an authenticated sender.  The only reason why SMTP AUTH and <>
>>turns JAMES into an open relay is that we have to disable
>>RemoteAddrInNetwork.  If we could keep RemoteAddrInNetwork, and check for
>>AUTH in the failure case, we could address this problem differently.
>>
>>	--- Noel
>>
>>-----Original Message-----
>>From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
>>Sent: Tuesday, July 30, 2002 21:57
>>To: 'James Developers List'
>>Cc: farsight@alum.mit.edu
>>Subject: RE: Open relay with SMTP-AUTH
>>
>>
>>
>>Noel,
>>
>>Right.  So locally generated bounces shouldn't traverse the gate logic
>>in SMTPHandler.java (and hence should be sent even if they have a null
>>Sender header) while bounces from other servers should only be delivered
>>locally if authRequired is true.  So we can change the SMTPHandler code
>>as I suggested earlier and we should be ok.  Your thoughts?
>>
>>--Peter
>>
>>
>>
>>>-----Original Message-----
>>>From: Noel J. Bergman [mailto:noel@devtech.com]
>>>Sent: Tuesday, July 30, 2002 6:56 PM
>>>To: James Developers List
>>>Cc: farsight@alum.mit.edu
>>>Subject: RE: Open relay with SMTP-AUTH
>>>
>>>Peter,
>>>
>>>Internally, messages are sent by calling James.sendMail(), which calls
>>>spool.store() to put the message on the incoming message spool.  If
>>>you look at SMTPHandler, you'll see that it does the same thing.  It calls
>>>mailServer.sendMail(), which it sounds as if you've already noticed.
>>>
>>>	--- Noel
>>>
>>>-----Original Message-----
>>>From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
>>>Sent: Tuesday, July 30, 2002 20:48
>>>To: 'James Developers List'
>>>Subject: RE: Open relay with SMTP-AUTH
>>>
>>>
>>>
>>>Noel,
>>>
>>>That looks right.  The relevant logic is in the SMTPHandler.
>>>
>>>Does the LocalDelivery bounce even invoke the SMTPHandler?  I don't see
>>>why it wouldn't just place an outgoing message on the spool directly.
>>>That's what it appears to do.
>>>
>>>I'm going to play with some configurations here and see what happens...
>>>
>>>--Peter
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Noel J. Bergman [mailto:noel@devtech.com]
>>>>Sent: Tuesday, July 30, 2002 4:39 PM
>>>>To: James Developers List
>>>>Cc: farsight@alum.mit.edu
>>>>Subject: RE: Open relay with SMTP-AUTH
>>>>
>>>>Seems like we have the following combination:
>>>>
>>>>                     local receiver      remote receiver
>>>> local sender             OK                   OK
>>>> remote sender            OK                  DENY
>>>>
>>>>with respect to null senders, which is the same as for other messages.
>>>>
>>>>Am I missing something?
>>>>
>>>>	--- Noel
>>>>
>>>>-----Original Message-----
>>>>From: Hontvari Jozsef [mailto:hontvari@solware.com]
>>>>Sent: Tuesday, July 30, 2002 16:03
>>>>To: James Developers List; farsight@alum.mit.edu
>>>>Subject: Re: Open relay with SMTP-AUTH
>>>>
>>>>
>>>>
>>>>
>>>>>If we're going to enforce that mail with null senders does not leave the
>>>>>host, then this should be:
>>>>
>>>>Maybe this assumption originates from me, sorry. It is not true. I have
>>>>forgotten that bounce messages generated by james also went through the
>>>>mailet spool (or am I wrong again?).
>>>>
>>>>At least the bounces generated locally by james must leave the server (and
>>>>the bounces MUST have null sender according to RFC 1123 5.3.3).
>>>>
>>>>I agree on that preventing open relay should not require adding mailets to
>>>>the default configuration file.
>>>>
>>>>----- Original Message -----
>>>>From: "Peter M. Goldstein" <pe...@yahoo.com>
>>>>To: "'James Developers List'" <ja...@jakarta.apache.org>
>>>>Sent: Tuesday, July 30, 2002 8:54 PM
>>>>Subject: RE: Open relay with SMTP-AUTH
>>>>
>>>>
>>>>
>>>>
>>>>>All,
>>>>>
>>>>>From Serge's description it just seems that the not null sender check is
>>>>>unnecessary.  The code now is:
>>>>>
>>>>>           // If this is a delivery failure notification (MAIL FROM: <>)
>>>>>           //   we don't enforce authentication
>>>>>           if (authRequired && state.get(SENDER) != null) {
>>>>>               // Make sure the mail is being sent locally if not
>>>>>               // authenticated else reject.
>>>>>               if (!state.containsKey(AUTH)) {
>>>>>                   String toDomain = recipientAddress.getHost();
>>>>>                   if (!mailServer.isLocalServer(toDomain)) {
>>>>>                       out.println("530 Authentication Required");
>>>>>                       getLogger().error("Authentication is required for mail request");
>>>>>                       return;
>>>>>                   }
>>>>>               } else {
>>>>>
>>>>>If we're going to enforce that mail with null senders does not leave the
>>>>>host, then this should be:
>>>>>
>>>>>           // If this is a delivery failure notification (MAIL FROM: <>)
>>>>>           //   we don't enforce authentication
>>>>>           if (authRequired) {
>>>>>               // Make sure the mail is being sent locally if not
>>>>>               // authenticated else reject.
>>>>>               if (!state.containsKey(AUTH)) {
>>>>>                   String toDomain = recipientAddress.getHost();
>>>>>                   if (!mailServer.isLocalServer(toDomain)) {
>>>>>                       out.println("530 Authentication Required");
>>>>>                       getLogger().error("Authentication is required for mail request");
>>>>>                       return;
>>>>>                   }
>>>>>               } else {
>>>>>
>>>>>
>>>>>I haven't looked at the LocalDelivery mailet, but I imagine it may
>>>>>require modification to ensure that mails with empty senders that are
>>>>>routed to non-existent addresses don't bounce.
>>>>>
>>>>>I don't agree that this is a matcher issue.  It shouldn't require any
>>>>>complex configuration to prevent open relay behavior.  Turning on SMTP
>>>>>authentication is a standard and expected behavior to prevent open relay
>>>>>behavior.  Additional configuration of matchers is not.
>>>>>
>>>>>Any thoughts?
>>>>>
>>>>>--Peter
>>>>>
>>>>>
>>>>>
>>>>>>-----Original Message-----
>>>>>>From: Hontvari Jozsef [mailto:hontvari@solware.com]
>>>>>>Sent: Tuesday, July 30, 2002 12:54 AM
>>>>>>To: James Developers List
>>>>>>Subject: Re: Open relay with SMTP-AUTH
>>>>>>
>>>>>>But is it possible at all to configure james correctly?
>>>>>>If he is using smtp authentication, likely he hasn't so called "local"
>>>>>>hosts.
>>>>>>
>>>>>>This is the required behaviour, when the mail from is empty (i.e. bounce
>>>>>>message):
>>>>>>-if the recipient is local then deliver the message
>>>>>>(-if the recipient is local, but the mailbox does not exist, then do
>>>>>>nothing, you must not bounce a bounce message)
>>>>>>
>>>>>>-if the recipient is not local but the remote host is authenticated then
>>>>>>relay the message (although I guess this rarely occurs)
>>>>>>-if the recipient is not local and the remote host is not authenticated then
>>>>>>do nothing (usual servers simply would not accept the mail)
>>>>>>
>>>>>>BUT: there is no matcher which can decide if the sender is authenticated or
>>>>>>not, so we cannot configure correctly.
>>>>>>
>>>>>>I think the best configuration - which can be done at this moment - simply
>>>>>>removes the message if the recipient isn't local and the sender is empty.
>>>>>>
>>>>>>----- Original Message -----
>>>>>>From: "Serge Knystautas" <se...@lokitech.com>
>>>>>>To: "James Developers List" <ja...@jakarta.apache.org>;
>>>>>><fa...@alum.mit.edu>
>>>>>>Sent: Tuesday, July 30, 2002 8:21 AM
>>>>>>Subject: Re: Open relay with SMTP-AUTH
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>Even if you have a server that only is accepting SMTP AUTH, it's still best
>>>>>>>practices to accept "MAIL FROM: <>" messages (i.e., you can't just disable
>>>>>>>that).  That said, messages with a null sender should not leave your server,
>>>>>>>so I think it's either a conf issue or a bug in some matcher that isn't
>>>>>>>probably capturing that and preventing the relaying.
>>>>>>>
>>>>>>>Serge Knystautas
>>>>>>>Loki Technologies
>>>>>>>http://www.lokitech.com/
>>>>>>>
>>>>>>>----- Original Message -----
>>>>>>>From: "Peter M. Goldstein" <pe...@yahoo.com>
>>>>>>>To: "'James Developers List'" <ja...@jakarta.apache.org>
>>>>>>>Sent: Monday, July 29, 2002 8:21 PM
>>>>>>>Subject: FW: Open relay with SMTP-AUTH
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>All,
>>>>>>>>
>>>>>>>>I've just confirmed this on the latest code base.  The cause is pretty
>>>>>>>>obvious - there is a comment in SMTPHandler.java:
>>>>>>>>
>>>>>>>>           // If this is a delivery failure notification (MAIL FROM: <>)
>>>>>>>>           //   we don't enforce authentication
>>>>>>>>           if (authRequired && state.get(SENDER) != null) {
>>>>>>>>
>>>>>>>>Removing the (state.get(SENDER) != null) clause closes the open relay.
>>>>>>>>
>>>>>>>>But can anyone clarify the comment?  Is this comment referring to
>>>>>>>>messages being generated by the James server in response to local
>>>>>>>>delivery failures?  Clearly the code as it stands is insecure...
>>>>>>>>
>>>>>>>>--Peter
>>>>>>>>
>>>>>>>>-----Original Message-----
>>>>>>>>From: bonadio@intersearch.com.br [mailto:bonadio@intersearch.com.br]
>>>>>>>>Sent: None
>>>>>>>>To: james-user@jakarta.apache.org
>>>>>>>>Subject: Open relay with SMTP-AUTH
>>>>>>>>
>>>>>>>>
>>>>>>>>Hello
>>>>>>>>
>>>>>>>>I think I found a bug when using SMTP-AUTH
>>>>>>>>
>>>>>>>>if you enable smtp-auth and sends a <> as the sender
>>>>>>>>the servers allows the relay of any message, if you
>>>>>>>>specify a correct email address the server enforces the authentication
>>>>>>>>
>>>>>>>>I created a patch for this, is there any other solution?
>>>>>>>>
>>>>>>>>following a session that shows the problem
>>>>>>>>
>>>>>>>>Trying XXXXXX...
>>>>>>>>Connected to XXXXXXXXX.
>>>>>>>>Escape character is '^]'.
>>>>>>>>220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs) ready Mon, 29
>>>>>>>>Jul 2002 20:31:04 -0400
>>>>>>>>helo test
>>>>>>>>250-myMailServer Hello test (XXXXXXX)
>>>>>>>>250 AUTH LOGIN PLAIN
>>>>>>>>mail from: <>
>>>>>>>>250 Sender <> OK
>>>>>>>>rcpt to: <ab...@abuse.org>
>>>>>>>>250 Recipient <ab...@abuse.org> OK
>>>>>>>>.....
>>>>>>>


RE: Open relay with SMTP-AUTH

Posted by "Noel J. Bergman" <no...@devtech.com>.
Serge,

Instead of an X- header, why can't we add an "authenticatedSender" (pick a
name) property to the mail object?  That kind of metadata would travel with
the object (and clones) within the system, but can't be forged from the
outside.  Does the fact that we authenticated it have any meaning once it
leaves JAMES?  I don't think so.  If it did, that would be part of the RFC.

Back in June, you and I were discussing Matcher <-> Mailet communication,
and you mentioned that you wanted to add Mail.setAttribute() /
Mail.getAttribute() to the Mailet API.  Do you want me to add this now, or
add a fixed property?

	--- Noel

-----Original Message-----
From: Serge Knystautas [mailto:sergek@lokitech.com]
Sent: Tuesday, July 30, 2002 22:53
To: James Developers List
Subject: Re: Open relay with SMTP-AUTH


Yeah, I agree.  I never quite understood how SMTP AUTH was implemented
effectively because there isn't an easy way to do that.  I don't know...
maybe add an "X-" header to the message itself to record that it's
authenticated (and make sure there isn't one there already).  But yeah,
I agree with Noel's idea.

--
Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com/

Noel J. Bergman wrote:
> Peter,
>
> At a quick glance, it looks OK, but please ask Serge what he thinks.  And I
> believe that I have an alternative solution.
>
> I don't like that right now we have to force SMTP AUTH for everyone under
> all circumstances, or not use it at all.  I'd rather that AUTH was optional,
> and that there was a way for the mail to be tagged with the meta-data that
> it was authenticated.  That way, our configuration could toss people who
> aren't on an acceptable IP to a processor that checked for AUTH, and if the
> mail was tagged, it could pass it on for delivery.
>
> I don't mean to tag the message, e.g., with a forgeable header.  I mean to
> tag the mail object, e.g., with a new property.  But right now once the mail
> object has left the handler, there is nothing preserved to tell us that it
> was sent by an authenticated sender.  The only reason why SMTP AUTH and <>
> turns JAMES into an open relay is that we have to disable
> RemoteAddrInNetwork.  If we could keep RemoteAddrInNetwork, and check for
> AUTH in the failure case, we could address this problem differently.
>
> 	--- Noel
>
> -----Original Message-----
> From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
> Sent: Tuesday, July 30, 2002 21:57
> To: 'James Developers List'
> Cc: farsight@alum.mit.edu
> Subject: RE: Open relay with SMTP-AUTH
>
>
>
> Noel,
>
> Right.  So locally generated bounces shouldn't traverse the gate logic
> in SMTPHandler.java (and hence should be sent even if they have a null
> Sender header) while bounces from other servers should only be delivered
> locally if authRequired is true.  So we can change the SMTPHandler code
> as I suggested earlier and we should be ok.  Your thoughts?
>
> --Peter
>
>
>>-----Original Message-----
>>From: Noel J. Bergman [mailto:noel@devtech.com]
>>Sent: Tuesday, July 30, 2002 6:56 PM
>>To: James Developers List
>>Cc: farsight@alum.mit.edu
>>Subject: RE: Open relay with SMTP-AUTH
>>
>>Peter,
>>
>>Internally, messages are sent by calling James.sendMail(), which calls
>>spool.store() to put the message on the incoming message spool.  If
>>you look at SMTPHandler, you'll see that it does the same thing.  It calls
>>mailServer.sendMail(), which it sounds as if you've already noticed.
>>
>>	--- Noel
>>
>>-----Original Message-----
>>From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
>>Sent: Tuesday, July 30, 2002 20:48
>>To: 'James Developers List'
>>Subject: RE: Open relay with SMTP-AUTH
>>
>>
>>
>>Noel,
>>
>>That looks right.  The relevant logic is in the SMTPHandler.
>>
>>Does the LocalDelivery bounce even invoke the SMTPHandler?  I don't see
>>why it wouldn't just place an outgoing message on the spool directly.
>>That's what it appears to do.
>>
>>I'm going to play with some configurations here and see what happens...
>>
>>--Peter
>>
>>
>>>-----Original Message-----
>>>From: Noel J. Bergman [mailto:noel@devtech.com]
>>>Sent: Tuesday, July 30, 2002 4:39 PM
>>>To: James Developers List
>>>Cc: farsight@alum.mit.edu
>>>Subject: RE: Open relay with SMTP-AUTH
>>>
>>>Seems like we have the following combination:
>>>
>>>                      local receiver      remote receiver
>>>  local sender             OK                   OK
>>>  remote sender            OK                  DENY
>>>
>>>with respect to null senders, which is the same as for other messages.
>>>
>>>Am I missing something?
>>>
>>>	--- Noel
>>>
>>>-----Original Message-----
>>>From: Hontvari Jozsef [mailto:hontvari@solware.com]
>>>Sent: Tuesday, July 30, 2002 16:03
>>>To: James Developers List; farsight@alum.mit.edu
>>>Subject: Re: Open relay with SMTP-AUTH
>>>
>>>
>>>
>>>>If we're going to enforce that mail with null senders does not leave the
>>>>host, then this should be:
>>>
>>>Maybe this assumption originates from me, sorry. It is not true. I have
>>>forgotten that bounce messages generated by james also went through the
>>>mailet spool (or am I wrong again?).
>>>
>>>At least the bounces generated locally by james must leave the server (and
>>>the bounces MUST have null sender according to RFC 1123 5.3.3).
>>>
>>>I agree on that preventing open relay should not require adding mailets to
>>>the default configuration file.
>>>
>>>----- Original Message -----
>>>From: "Peter M. Goldstein" <pe...@yahoo.com>
>>>To: "'James Developers List'" <ja...@jakarta.apache.org>
>>>Sent: Tuesday, July 30, 2002 8:54 PM
>>>Subject: RE: Open relay with SMTP-AUTH
>>>
>>>
>>>
>>>>All,
>>>>
>>>>From Serge's description it just seems that the not null sender check is
>>>>unnecessary.  The code now is:
>>>>
>>>>            // If this is a delivery failure notification (MAIL FROM: <>)
>>>>            //   we don't enforce authentication
>>>>            if (authRequired && state.get(SENDER) != null) {
>>>>                // Make sure the mail is being sent locally if not
>>>>                // authenticated else reject.
>>>>                if (!state.containsKey(AUTH)) {
>>>>                    String toDomain = recipientAddress.getHost();
>>>>                    if (!mailServer.isLocalServer(toDomain)) {
>>>>                        out.println("530 Authentication Required");
>>>>                        getLogger().error("Authentication is required for mail request");
>>>>                        return;
>>>>                    }
>>>>                } else {
>>>>
>>>>If we're going to enforce that mail with null senders does not leave the
>>>>host, then this should be:
>>>>
>>>>            // If this is a delivery failure notification (MAIL FROM: <>)
>>>>            //   we don't enforce authentication
>>>>            if (authRequired) {
>>>>                // Make sure the mail is being sent locally if not
>>>>                // authenticated else reject.
>>>>                if (!state.containsKey(AUTH)) {
>>>>                    String toDomain = recipientAddress.getHost();
>>>>                    if (!mailServer.isLocalServer(toDomain)) {
>>>>                        out.println("530 Authentication Required");
>>>>                        getLogger().error("Authentication is required for mail request");
>>>>                        return;
>>>>                    }
>>>>                } else {
>>>>
>>>>
>>>>I haven't looked at the LocalDelivery mailet, but I imagine it may
>>>>require modification to ensure that mails with empty senders that are
>>>>routed to non-existent addresses don't bounce.
>>>>
>>>>I don't agree that this is a matcher issue.  It shouldn't require any
>>>>complex configuration to prevent open relay behavior.  Turning on SMTP
>>>>authentication is a standard and expected behavior to prevent open relay
>>>>behavior.  Additional configuration of matchers is not.
>>>>
>>>>Any thoughts?
>>>>
>>>>--Peter
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>From: Hontvari Jozsef [mailto:hontvari@solware.com]
>>>>>Sent: Tuesday, July 30, 2002 12:54 AM
>>>>>To: James Developers List
>>>>>Subject: Re: Open relay with SMTP-AUTH
>>>>>
>>>>>But is it possible at all to configure james correctly?
>>>>>If he is using smtp authentication, likely he hasn't so called "local"
>>>>>hosts.
>>>>>
>>>>>This is the required behaviour, when the mail from is empty (i.e. bounce
>>>>>message):
>>>>>-if the recipient is local then deliver the message
>>>>>(-if the recipient is local, but the mailbox does not exist, then do
>>>>>nothing, you must not bounce a bounce message)
>>>>>
>>>>>-if the recipient is not local but the remote host is authenticated then
>>>>>relay the message (although I guess this rarely occurs)
>>>>>-if the recipient is not local and the remote host is not authenticated then
>>>>>do nothing (usual servers simply would not accept the mail)
>>>>>
>>>>>BUT: there is no matcher which can decide if the sender is authenticated or
>>>>>not, so we cannot configure correctly.
>>>>>
>>>>>I think the best configuration - which can be done at this moment - simply
>>>>>removes the message if the recipient isn't local and the sender is empty.
>>>>>
>>>>>
>>>>>----- Original Message -----
>>>>>From: "Serge Knystautas" <se...@lokitech.com>
>>>>>To: "James Developers List" <ja...@jakarta.apache.org>;
>>>>><fa...@alum.mit.edu>
>>>>>Sent: Tuesday, July 30, 2002 8:21 AM
>>>>>Subject: Re: Open relay with SMTP-AUTH
>>>>>
>>>>>
>>>>>
>>>>>>Even if you have a server that only is accepting SMTP AUTH, it's still best
>>>>>>practices to accept "MAIL FROM: <>" messages (i.e., you can't just disable
>>>>>>that).  That said, messages with a null sender should not leave your server,
>>>>>>so I think it's either a conf issue or a bug in some matcher that isn't
>>>>>>probably capturing that and preventing the relaying.
>>>>>>
>>>>>>Serge Knystautas
>>>>>>Loki Technologies
>>>>>>http://www.lokitech.com/
>>>>>>
>>>>>>----- Original Message -----
>>>>>>From: "Peter M. Goldstein" <pe...@yahoo.com>
>>>>>>To: "'James Developers List'" <ja...@jakarta.apache.org>
>>>>>>Sent: Monday, July 29, 2002 8:21 PM
>>>>>>Subject: FW: Open relay with SMTP-AUTH
>>>>>>
>>>>>>
>>>>>>
>>>>>>>All,
>>>>>>>
>>>>>>>I've just confirmed this on the latest code base.  The cause is pretty
>>>>>>>obvious - there is a comment in SMTPHandler.java:
>>>>>>>
>>>>>>>            // If this is a delivery failure notification (MAIL FROM: <>)
>>>>>>>            //   we don't enforce authentication
>>>>>>>            if (authRequired && state.get(SENDER) != null) {
>>>>>>>
>>>>>>>Removing the (state.get(SENDER) != null) clause closes the open relay.
>>>>>>>
>>>>>>>But can anyone clarify the comment?  Is this comment referring to
>>>>>>>messages being generated by the James server in response to local
>>>>>>>delivery failures?  Clearly the code as it stands is insecure...
>>>>>>>
>>>>>>>--Peter
>>>>>>>
>>>>>>>-----Original Message-----
>>>>>>>From: bonadio@intersearch.com.br [mailto:bonadio@intersearch.com.br]
>>>>>>>Sent: None
>>>>>>>To: james-user@jakarta.apache.org
>>>>>>>Subject: Open relay with SMTP-AUTH
>>>>>>>
>>>>>>>
>>>>>>>Hello
>>>>>>>
>>>>>>>I think I found a bug when using SMTP-AUTH
>>>>>>>
>>>>>>>if you enable smtp-auth and sends a <> as the sender
>>>>>>>the servers allows the relay of any message, if you
>>>>>>>specify a correct email address the server enforces the authentication
>>>>>>>
>>>>>>>I created a patch for this, is there any other solution?
>>>>>>>
>>>>>>>following a session that shows the problem
>>>>>>>
>>>>>>>Trying XXXXXX...
>>>>>>>Connected to XXXXXXXXX.
>>>>>>>Escape character is '^]'.
>>>>>>>220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs) ready Mon, 29
>>>>>>>Jul 2002 20:31:04 -0400
>>>>>>>helo test
>>>>>>>250-myMailServer Hello test (XXXXXXX)
>>>>>>>250 AUTH LOGIN PLAIN
>>>>>>>mail from: <>
>>>>>>>250 Sender <> OK
>>>>>>>rcpt to: <ab...@abuse.org>
>>>>>>>250 Recipient <ab...@abuse.org> OK
>>>>>>>.....
>>>>>>




Re: Open relay with SMTP-AUTH

Posted by Serge Knystautas <se...@lokitech.com>.
Yeah, I agree.  I never quite understood how SMTP AUTH was implemented 
effectively because there isn't an easy way to do that.  I don't know... 
maybe add an "X-" header to the message itself to record that it's 
authenticated (and make sure there isn't one there already).  But yeah, 
I agree with Noel's idea.

-- 
Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com/

Noel J. Bergman wrote:
> Peter,
> 
> At a quick glance, it looks OK, but please ask Serge what he thinks.  And I
> believe that I have an alternative solution.
> 
> I don't like that right now we have to force SMTP AUTH for everyone under
> all circumstances, or not use it at all.  I'd rather that AUTH was optional,
> and that there was a way for the mail to be tagged with the meta-data that
> it was authenticated.  That way, our configuration could toss people who
> aren't on an acceptable IP to a processor that checked for AUTH, and if the
> mail was tagged, it could pass it on for delivery.
> 
> I don't mean to tag the message, e.g., with a forgeable header.  I mean to
> tag the mail object, e.g., with a new property.  But right now once the mail
> object has left the handler, there is nothing preserved to tell us that it
> was sent by an authenticated sender.  The only reason why SMTP AUTH and <>
> turns JAMES into an open relay is that we have to disable
> RemoteAddrInNetwork.  If we could keep RemoteAddrInNetwork, and check for
> AUTH in the failure case, we could address this problem differently.
> 
> 	--- Noel
> 
> -----Original Message-----
> From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
> Sent: Tuesday, July 30, 2002 21:57
> To: 'James Developers List'
> Cc: farsight@alum.mit.edu
> Subject: RE: Open relay with SMTP-AUTH
> 
> 
> 
> Noel,
> 
> Right.  So locally generated bounces shouldn't traverse the gate logic
> in SMTPHandler.java (and hence should be sent even if they have a null
> Sender header) while bounces from other servers should only be delivered
> locally if authRequired is true.  So we can change the SMTPHandler code
> as I suggested earlier and we should be ok.  Your thoughts?
> 
> --Peter
> 
> 
>>-----Original Message-----
>>From: Noel J. Bergman [mailto:noel@devtech.com]
>>Sent: Tuesday, July 30, 2002 6:56 PM
>>To: James Developers List
>>Cc: farsight@alum.mit.edu
>>Subject: RE: Open relay with SMTP-AUTH
>>
>>Peter,
>>
>>Internally, messages are sent by calling James.sendMail(), which calls
>>spool.store() to put the message on the incoming message spool.  If
>>you look at SMTPHandler, you'll see that it does the same thing.  It calls
>>mailServer.sendMail(), which it sounds as if you've already noticed.
>>
>>	--- Noel
>>
>>-----Original Message-----
>>From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
>>Sent: Tuesday, July 30, 2002 20:48
>>To: 'James Developers List'
>>Subject: RE: Open relay with SMTP-AUTH
>>
>>
>>
>>Noel,
>>
>>That looks right.  The relevant logic is in the SMTPHandler.
>>
>>Does the LocalDelivery bounce even invoke the SMTPHandler?  I don't
> 
> see
> 
>>why it wouldn't just place an outgoing message on the spool directly.
>>That's what it appears to do.
>>
>>I'm going to play with some configurations here and see what
> 
> happens...
> 
>>--Peter
>>
>>
>>>-----Original Message-----
>>>From: Noel J. Bergman [mailto:noel@devtech.com]
>>>Sent: Tuesday, July 30, 2002 4:39 PM
>>>To: James Developers List
>>>Cc: farsight@alum.mit.edu
>>>Subject: RE: Open relay with SMTP-AUTH
>>>
>>>Seems like we have the following combination:
>>>
>>>                      local receiver      remote receiver
>>>  local sender             OK                   OK
>>>  remote sender            OK                  DENY
>>>
>>>with respect to null senders, which is the same as for other
>>
> messages.
> 
>>>Am I missing something?
>>>
>>>	--- Noel
>>>
>>>-----Original Message-----
>>>From: Hontvari Jozsef [mailto:hontvari@solware.com]
>>>Sent: Tuesday, July 30, 2002 16:03
>>>To: James Developers List; farsight@alum.mit.edu
>>>Subject: Re: Open relay with SMTP-AUTH
>>>
>>>
>>>
>>>>If we're going to enforce that mail will null senders does not
>>>
> leave
> 
>>the
>>
>>>>host, then this should be:
>>>
>>>Maybe this assumption originates from me, sorry. It is not true. I
>>
>>have
>>
>>>fogotten that bounce messages generated by james also went through
>>
> the
> 
>>>mailet spool (or am I wrong again?).
>>>
>>>At least the bounces generated locally by james must leave the
>>
> server
> 
>>(and
>>
>>>the bounces MUST have null sender accordingly to RFC 1123 5.3.3).
>>>
>>>I agree on that preventing open relay should not require adding
>>
>>mailets to
>>
>>>the default configuration file.
>>>
>>>----- Original Message -----
>>>From: "Peter M. Goldstein" <pe...@yahoo.com>
>>>To: "'James Developers List'" <ja...@jakarta.apache.org>
>>>Sent: Tuesday, July 30, 2002 8:54 PM
>>>Subject: RE: Open relay with SMTP-AUTH
>>>
>>>
>>>
>>>>All,
>>>>
>>>>>From Serge's description it just seems that the not null sender
>>>
>>check is
>>
>>>>unnecessary.  The code now is:
>>>>
>>>>            // If this is a delivery failure notification (MAIL FROM: <>)
>>>>            //   we don't enforce authentication
>>>>            if (authRequired && state.get(SENDER) != null) {
>>>>                // Make sure the mail is being sent locally if not
>>>>                // authenticated else reject.
>>>>                if (!state.containsKey(AUTH)) {
>>>>                    String toDomain = recipientAddress.getHost();
>>>>                    if (!mailServer.isLocalServer(toDomain)) {
>>>>                        out.println("530 Authentication Required");
>>>>                        getLogger().error("Authentication is required for mail request");
>>>>                        return;
>>>>                    }
>>>>                } else {
>>>>
>>>>If we're going to enforce that mail will null senders does not
>>>
> leave
> 
>>the
>>
>>>>host, then this should be:
>>>>
>>>>            // If this is a delivery failure notification (MAIL FROM: <>)
>>>>            //   we don't enforce authentication
>>>>            if (authRequired) {
>>>>                // Make sure the mail is being sent locally if not
>>>>                // authenticated else reject.
>>>>                if (!state.containsKey(AUTH)) {
>>>>                    String toDomain = recipientAddress.getHost();
>>>>                    if (!mailServer.isLocalServer(toDomain)) {
>>>>                        out.println("530 Authentication Required");
>>>>                        getLogger().error("Authentication is required for mail request");
>>>>                        return;
>>>>                    }
>>>>                } else {
>>>>
>>>>
>>>>I haven't looked at the LocalDelivery mailet, but I imagine it may
>>>>require modification to ensure that mails with empty senders that
>>>
>>are
>>
>>>>routed to non-existent addresses don't bounce.
>>>>
>>>>I don't agree that this is a matcher issue.  It shouldn't require
>>>
>>any
>>
>>>>complex configuration to prevent open relay behavior.  Turning on
>>>
>>SMTP
>>
>>>>authentication is a standard and expected behavior to prevent open
>>>
>>relay
>>
>>>>behavior.  Additional configuration of matchers is not.
>>>>
>>>>Any thoughts?
>>>>
>>>>--Peter
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>From: Hontvari Jozsef [mailto:hontvari@solware.com]
>>>>>Sent: Tuesday, July 30, 2002 12:54 AM
>>>>>To: James Developers List
>>>>>Subject: Re: Open relay with SMTP-AUTH
>>>>>
>>>>>But is it possible at all to configure james correctly?
>>>>>If he is using smtp authentication, likely he hasn't so called
>>>>
>>"local"
>>
>>>>>hosts.
>>>>>
>>>>>This is the required behaviour, when the mail from is empty
>>>>
> (i.e.
> 
>>>>bounce
>>>>
>>>>>message):
>>>>>-if the recipient is local then delivery the message
>>>>>(-if the recipient is local, but the mailbox does not exist,
>>>>
> then
> 
>>do
>>
>>>>>nothing, you must not bounce a bounce message)
>>>>>
>>>>>-if the recipient is not local but the remote host is
>>>>
>>authenticated
>>
>>>>then
>>>>
>>>>>relay the message (although I guess this rarely occurs)
>>>>>-if the recipient is not local and the remote host is not
>>>>
>>>>authenticated
>>>>
>>>>>then
>>>>>do nothing (usual servers simply would not accept the mail)
>>>>>
>>>>>BUT: there is no matcher which can decide if the sender is
>>>>
>>>>authenticated
>>>>
>>>>>or
>>>>>not, so we cannot configure correctly.
>>>>>
>>>>>I think the best configuration - which can be done at this
>>>>
> moment
> 
>>-
>>
>>>>simply
>>>>
>>>>>removes the message if the recipient isn't local and the sender
>>>>
> is
> 
>>>>empty.
>>>>
>>>>>
>>>>>
>>>>>----- Original Message -----
>>>>>From: "Serge Knystautas" <se...@lokitech.com>
>>>>>To: "James Developers List" <ja...@jakarta.apache.org>;
>>>>><fa...@alum.mit.edu>
>>>>>Sent: Tuesday, July 30, 2002 8:21 AM
>>>>>Subject: Re: Open relay with SMTP-AUTH
>>>>>
>>>>>
>>>>>
>>>>>>Even if you have a server that only is accepting SMTH AUTH,
>>>>>
> it's
> 
>>>>still
>>>>
>>>>>best
>>>>>
>>>>>>practices to accept "MAIL FROM: <>" messages (i.e., you can't
>>>>>
>>just
>>
>>>>>disable
>>>>>
>>>>>>that).  That said, messages with a null sender should not
>>>>>
> leave
> 
>>your
>>
>>>>>server,
>>>>>
>>>>>>so I think it's either a conf issue or a bug in some matcher
>>>>>
>>that
>>
>>>>isn't
>>>>
>>>>>>probably capturing that and preventing the relaying.
>>>>>>
>>>>>>Serge Knystautas
>>>>>>Loki Technologies
>>>>>>http://www.lokitech.com/
>>>>>>
>>>>>>----- Original Message -----
>>>>>>From: "Peter M. Goldstein" <pe...@yahoo.com>
>>>>>>To: "'James Developers List'" <ja...@jakarta.apache.org>
>>>>>>Sent: Monday, July 29, 2002 8:21 PM
>>>>>>Subject: FW: Open relay with SMTP-AUTH
>>>>>>
>>>>>>
>>>>>>
>>>>>>>All,
>>>>>>>
>>>>>>>I've just confirmed this on the latest code base.  The cause
>>>>>>
>>is
>>
>>>>pretty
>>>>
>>>>>>>obvious - there is a comment in SMTPHandler.java:
>>>>>>>
>>>>>>>            // If this is a delivery failure notification (MAIL FROM: <>)
>>>>>>>            //   we don't enforce authentication
>>>>>>>            if (authRequired && state.get(SENDER) != null) {
>>>>>>>
>>>>>>>Removing the (state.get(SENDER) != null) clause closes the
>>>>>>
>>open
>>
>>>>relay.
>>>>
>>>>>>>But can anyone clarify the comment?  Is this comment
>>>>>>
> referring
> 
>>to
>>
>>>>>>>messages being generated by the James server in response to
>>>>>>
>>local
>>
>>>>>>>delivery failures?  Clearly the code as it stands in
>>>>>>
>>insecure...
>>
>>>>>>>--Peter
>>>>>>>
>>>>>>>-----Original Message-----
>>>>>>>From: bonadio@intersearch.com.br
>>>>>>
>>>>[mailto:bonadio@intersearch.com.br]
>>>>
>>>>>>>Sent: None
>>>>>>>To: james-user@jakarta.apache.org
>>>>>>>Subject: Open relay with SMTP-AUTH
>>>>>>>
>>>>>>>
>>>>>>>Hello
>>>>>>>
>>>>>>>I think I found a bug when using SMTP-AUTH
>>>>>>>
>>>>>>>if you enable smtp-auth and sends a <> as the sender
>>>>>>>the servers allows the relay of any message, if you
>>>>>>>specify a correct email address the server enforces the
>>>>>>
>>>>authentication
>>>>
>>>>>>>I created a patch for this, is there any other solution?
>>>>>>>
>>>>>>>following a session that shows the problem
>>>>>>>
>>>>>>>Trying XXXXXX...
>>>>>>>Connected to XXXXXXXXX.
>>>>>>>Escape character is '^]'.
>>>>>>>220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs)
>>>>>>
>>ready
>>
>>>>Mon,
>>>>
>>>>>29
>>>>>
>>>>>>>Jul 2002 20:31:04 -0400
>>>>>>>helo test
>>>>>>>250-myMailServer Hello test (XXXXXXX)
>>>>>>>250 AUTH LOGIN PLAIN
>>>>>>>mail from: <>
>>>>>>>250 Sender <> OK
>>>>>>>rcpt to: <ab...@abuse.org>
>>>>>>>250 Recipient <ab...@abuse.org> OK
>>>>>>>.....
>>>>>>




RE: Open relay with SMTP-AUTH

Posted by "Noel J. Bergman" <no...@devtech.com>.
Peter,

At a quick glance, it looks OK, but please ask Serge what he thinks.  And I
believe that I have an alternative solution.

I don't like that right now we have to force SMTP AUTH for everyone under
all circumstances, or not use it at all.  I'd rather that AUTH was optional,
and that there was a way for the mail to be tagged with the meta-data that
it was authenticated.  That way, our configuration could toss people who
aren't on an acceptable IP to a processor that checked for AUTH, and if the
mail was tagged, it could pass it on for delivery.

I don't mean to tag the message, e.g., with a forgeable header.  I mean to
tag the mail object, e.g., with a new property.  But right now once the mail
object has left the handler, there is nothing preserved to tell us that it
was sent by an authenticated sender.  The only reason why SMTP AUTH and <>
turns JAMES into an open relay is that we have to disable
RemoteAddrInNetwork.  If we could keep RemoteAddrInNetwork, and check for
AUTH in the failure case, we could address this problem differently.

	--- Noel

-----Original Message-----
From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
Sent: Tuesday, July 30, 2002 21:57
To: 'James Developers List'
Cc: farsight@alum.mit.edu
Subject: RE: Open relay with SMTP-AUTH



Noel,

Right.  So locally generated bounces shouldn't traverse the gate logic
in SMTPHandler.java (and hence should be sent even if they have a null
Sender header) while bounces from other servers should only be delivered
locally if authRequired is true.  So we can change the SMTPHandler code
as I suggested earlier and we should be ok.  Your thoughts?

--Peter

> -----Original Message-----
> From: Noel J. Bergman [mailto:noel@devtech.com]
> Sent: Tuesday, July 30, 2002 6:56 PM
> To: James Developers List
> Cc: farsight@alum.mit.edu
> Subject: RE: Open relay with SMTP-AUTH
>
> Peter,
>
> Internally, messages are sent by calling James.sendMail(), which calls
> spool.store() to put the message on the incoming message spool.  If
> you look at SMTPHandler, you'll see that it does the same thing.  It calls
> mailServer.sendMail(), which it sounds as if you've already noticed.
>
> 	--- Noel
>
> -----Original Message-----
> From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
> Sent: Tuesday, July 30, 2002 20:48
> To: 'James Developers List'
> Subject: RE: Open relay with SMTP-AUTH
>
>
>
> Noel,
>
> That looks right.  The relevant logic is in the SMTPHandler.
>
> Does the LocalDelivery bounce even invoke the SMTPHandler?  I don't see
> why it wouldn't just place an outgoing message on the spool directly.
> That's what it appears to do.
>
> I'm going to play with some configurations here and see what happens...
>
> --Peter
>
> > -----Original Message-----
> > From: Noel J. Bergman [mailto:noel@devtech.com]
> > Sent: Tuesday, July 30, 2002 4:39 PM
> > To: James Developers List
> > Cc: farsight@alum.mit.edu
> > Subject: RE: Open relay with SMTP-AUTH
> >
> > Seems like we have the following combination:
> >
> >                       local receiver      remote receiver
> >   local sender             OK                   OK
> >   remote sender            OK                  DENY
> >
> > with respect to null senders, which is the same as for other messages.
> > Am I missing something?
> >
> > 	--- Noel
> >
> > -----Original Message-----
> > From: Hontvari Jozsef [mailto:hontvari@solware.com]
> > Sent: Tuesday, July 30, 2002 16:03
> > To: James Developers List; farsight@alum.mit.edu
> > Subject: Re: Open relay with SMTP-AUTH
> >
> >
> > > If we're going to enforce that mail with null senders does not leave the
> > > host, then this should be:
> >
> > Maybe this assumption originates from me, sorry. It is not true. I have
> > forgotten that bounce messages generated by james also went through the
> > mailet spool (or am I wrong again?).
> >
> > At least the bounces generated locally by james must leave the server (and
> > the bounces MUST have null sender accordingly to RFC 1123 5.3.3).
> >
> > I agree on that preventing open relay should not require adding mailets to
> > the default configuration file.
> >
> > ----- Original Message -----
> > From: "Peter M. Goldstein" <pe...@yahoo.com>
> > To: "'James Developers List'" <ja...@jakarta.apache.org>
> > Sent: Tuesday, July 30, 2002 8:54 PM
> > Subject: RE: Open relay with SMTP-AUTH
> >
> >
> > >
> > > All,
> > >
> > > From Serge's description it just seems that the not null sender check is
> > > unnecessary.  The code now is:
> > >
> > >             // If this is a delivery failure notification (MAIL FROM: <>)
> > >             //   we don't enforce authentication
> > >             if (authRequired && state.get(SENDER) != null) {
> > >                 // Make sure the mail is being sent locally if not
> > >                 // authenticated else reject.
> > >                 if (!state.containsKey(AUTH)) {
> > >                     String toDomain = recipientAddress.getHost();
> > >                     if (!mailServer.isLocalServer(toDomain)) {
> > >                         out.println("530 Authentication Required");
> > >                         getLogger().error("Authentication is required for mail request");
> > >                         return;
> > >                     }
> > >                 } else {
> > >
> > > If we're going to enforce that mail with null senders does not leave the
> > > host, then this should be:
> > >
> > >             // If this is a delivery failure notification (MAIL FROM: <>)
> > >             //   we don't enforce authentication
> > >             if (authRequired) {
> > >                 // Make sure the mail is being sent locally if not
> > >                 // authenticated else reject.
> > >                 if (!state.containsKey(AUTH)) {
> > >                     String toDomain = recipientAddress.getHost();
> > >                     if (!mailServer.isLocalServer(toDomain)) {
> > >                         out.println("530 Authentication Required");
> > >                         getLogger().error("Authentication is required for mail request");
> > >                         return;
> > >                     }
> > >                 } else {
> > >
> > >
> > > I haven't looked at the LocalDelivery mailet, but I imagine it may
> > > require modification to ensure that mails with empty senders that are
> > > routed to non-existent addresses don't bounce.
> > >
> > > I don't agree that this is a matcher issue.  It shouldn't require any
> > > complex configuration to prevent open relay behavior.  Turning on SMTP
> > > authentication is a standard and expected behavior to prevent open relay
> > > behavior.  Additional configuration of matchers is not.
> > >
> > > Any thoughts?
> > >
> > > --Peter
> > >
> > > > -----Original Message-----
> > > > From: Hontvari Jozsef [mailto:hontvari@solware.com]
> > > > Sent: Tuesday, July 30, 2002 12:54 AM
> > > > To: James Developers List
> > > > Subject: Re: Open relay with SMTP-AUTH
> > > >
> > > > But is it possible at all to configure james correctly?
> > > > If he is using smtp authentication, likely he hasn't so called
> "local"
> > > > hosts.
> > > >
> > > > This is the required behaviour, when the mail from is empty
(i.e.
> > > bounce
> > > > message):
> > > > -if the recipient is local then delivery the message
> > > > (-if the recipient is local, but the mailbox does not exist,
then
> do
> > > > nothing, you must not bounce a bounce message)
> > > >
> > > > -if the recipient is not local but the remote host is
> authenticated
> > > then
> > > > relay the message (although I guess this rarely occurs)
> > > > -if the recipient is not local and the remote host is not
> > > authenticated
> > > > then
> > > > do nothing (usual servers simply would not accept the mail)
> > > >
> > > > BUT: there is no matcher which can decide if the sender is
> > > authenticated
> > > > or
> > > > not, so we cannot configure correctly.
> > > >
> > > > I think the best configuration - which can be done at this
moment
> -
> > > simply
> > > > removes the message if the recipient isn't local and the sender
is
> > > empty.
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Serge Knystautas" <se...@lokitech.com>
> > > > To: "James Developers List" <ja...@jakarta.apache.org>;
> > > > <fa...@alum.mit.edu>
> > > > Sent: Tuesday, July 30, 2002 8:21 AM
> > > > Subject: Re: Open relay with SMTP-AUTH
> > > >
> > > >
> > > > > Even if you have a server that only is accepting SMTH AUTH,
it's
> > > still
> > > > best
> > > > > practices to accept "MAIL FROM: <>" messages (i.e., you can't
> just
> > > > disable
> > > > > that).  That said, messages with a null sender should not
leave
> your
> > > > server,
> > > > > so I think it's either a conf issue or a bug in some matcher
> that
> > > isn't
> > > > > probably capturing that and preventing the relaying.
> > > > >
> > > > > Serge Knystautas
> > > > > Loki Technologies
> > > > > http://www.lokitech.com/
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Peter M. Goldstein" <pe...@yahoo.com>
> > > > > To: "'James Developers List'" <ja...@jakarta.apache.org>
> > > > > Sent: Monday, July 29, 2002 8:21 PM
> > > > > Subject: FW: Open relay with SMTP-AUTH
> > > > >
> > > > >
> > > > > >
> > > > > > All,
> > > > > >
> > > > > > I've just confirmed this on the latest code base.  The cause
> is
> > > pretty
> > > > > > obvious - there is a comment in SMTPHandler.java:
> > > > > >
> > > > > > >             // If this is a delivery failure notification (MAIL FROM: <>)
> > > > > >             //   we don't enforce authentication
> > > > > >             if (authRequired && state.get(SENDER) != null) {
> > > > > >
> > > > > > Removing the (state.get(SENDER) != null) clause closes the
> open
> > > relay.
> > > > > >
> > > > > > But can anyone clarify the comment?  Is this comment
referring
> to
> > > > > > messages being generated by the James server in response to
> local
> > > > > > delivery failures?  Clearly the code as it stands in
> insecure...
> > > > > >
> > > > > > --Peter
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: bonadio@intersearch.com.br
> > > [mailto:bonadio@intersearch.com.br]
> > > > > > Sent: None
> > > > > > To: james-user@jakarta.apache.org
> > > > > > Subject: Open relay with SMTP-AUTH
> > > > > >
> > > > > >
> > > > > > Hello
> > > > > >
> > > > > > I think I found a bug when using SMTP-AUTH
> > > > > >
> > > > > > if you enable smtp-auth and sends a <> as the sender
> > > > > > the servers allows the relay of any message, if you
> > > > > > specify a correct email address the server enforces the
> > > authentication
> > > > > >
> > > > > > I created a patch for this, is there any other solution?
> > > > > >
> > > > > > following a session that shows the problem
> > > > > >
> > > > > > Trying XXXXXX...
> > > > > > Connected to XXXXXXXXX.
> > > > > > Escape character is '^]'.
> > > > > > 220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs)
> ready
> > > Mon,
> > > > 29
> > > > > > Jul 2002 20:31:04 -0400
> > > > > > helo test
> > > > > > 250-myMailServer Hello test (XXXXXXX)
> > > > > > 250 AUTH LOGIN PLAIN
> > > > > > mail from: <>
> > > > > > 250 Sender <> OK
> > > > > > rcpt to: <ab...@abuse.org>
> > > > > > 250 Recipient <ab...@abuse.org> OK
> > > > > > .....




RE: Open relay with SMTP-AUTH

Posted by "Peter M. Goldstein" <pe...@yahoo.com>.
Noel,

Right.  So locally generated bounces shouldn't traverse the gate logic
in SMTPHandler.java (and hence should be sent even if they have a null
Sender header) while bounces from other servers should only be delivered
locally if authRequired is true.  So we can change the SMTPHandler code
as I suggested earlier and we should be ok.  Your thoughts?

--Peter

> -----Original Message-----
> From: Noel J. Bergman [mailto:noel@devtech.com]
> Sent: Tuesday, July 30, 2002 6:56 PM
> To: James Developers List
> Cc: farsight@alum.mit.edu
> Subject: RE: Open relay with SMTP-AUTH
> 
> Peter,
> 
> Internally, messages are sent by calling James.sendMail(), which calls
> spool.store() to put the message on the incoming message spool.  If you look
> at SMTPHandler, you'll see that it does the same thing.  It calls
> mailServer.sendMail(), which it sounds as if you've already noticed.
> 
> 	--- Noel
> 
> -----Original Message-----
> From: Peter M. Goldstein [mailto:peter_m_goldstein@yahoo.com]
> Sent: Tuesday, July 30, 2002 20:48
> To: 'James Developers List'
> Subject: RE: Open relay with SMTP-AUTH
> 
> 
> 
> Noel,
> 
> That looks right.  The relevant logic is in the SMTPHandler.
> 
> Does the LocalDelivery bounce even invoke the SMTPHandler?  I don't see
> why it wouldn't just place an outgoing message on the spool directly.
> That's what it appears to do.
>
> I'm going to play with some configurations here and see what happens...
> 
> --Peter
> 
> > -----Original Message-----
> > From: Noel J. Bergman [mailto:noel@devtech.com]
> > Sent: Tuesday, July 30, 2002 4:39 PM
> > To: James Developers List
> > Cc: farsight@alum.mit.edu
> > Subject: RE: Open relay with SMTP-AUTH
> >
> > Seems like we have the following combination:
> >
> >                       local receiver      remote receiver
> >   local sender             OK                   OK
> >   remote sender            OK                  DENY
> >
> > with respect to null senders, which is the same as for other messages.
> > Am I missing something?
> >
> > 	--- Noel
> >
> > -----Original Message-----
> > From: Hontvari Jozsef [mailto:hontvari@solware.com]
> > Sent: Tuesday, July 30, 2002 16:03
> > To: James Developers List; farsight@alum.mit.edu
> > Subject: Re: Open relay with SMTP-AUTH
> >
> >
> > > If we're going to enforce that mail with null senders does not leave the
> > > host, then this should be:
> >
> > Maybe this assumption originates from me, sorry. It is not true. I have
> > forgotten that bounce messages generated by james also went through the
> > mailet spool (or am I wrong again?).
> >
> > At least the bounces generated locally by james must leave the server (and
> > the bounces MUST have null sender accordingly to RFC 1123 5.3.3).
> >
> > I agree on that preventing open relay should not require adding mailets to
> > the default configuration file.
> >
> > ----- Original Message -----
> > From: "Peter M. Goldstein" <pe...@yahoo.com>
> > To: "'James Developers List'" <ja...@jakarta.apache.org>
> > Sent: Tuesday, July 30, 2002 8:54 PM
> > Subject: RE: Open relay with SMTP-AUTH
> >
> >
> > >
> > > All,
> > >
> > > From Serge's description it just seems that the not null sender check is
> > > unnecessary.  The code now is:
> > >
> > >             // If this is a delivery failure notification (MAIL FROM: <>)
> > >             //   we don't enforce authentication
> > >             if (authRequired && state.get(SENDER) != null) {
> > >                 // Make sure the mail is being sent locally if not
> > >                 // authenticated else reject.
> > >                 if (!state.containsKey(AUTH)) {
> > >                     String toDomain = recipientAddress.getHost();
> > >                     if (!mailServer.isLocalServer(toDomain)) {
> > >                         out.println("530 Authentication Required");
> > >                         getLogger().error("Authentication is required for mail request");
> > >                         return;
> > >                     }
> > >                 } else {
> > >
> > > If we're going to enforce that mail with null senders does not leave the
> > > host, then this should be:
> > >
> > >             // If this is a delivery failure notification (MAIL FROM: <>)
> > >             //   we don't enforce authentication
> > >             if (authRequired) {
> > >                 // Make sure the mail is being sent locally if not
> > >                 // authenticated else reject.
> > >                 if (!state.containsKey(AUTH)) {
> > >                     String toDomain = recipientAddress.getHost();
> > >                     if (!mailServer.isLocalServer(toDomain)) {
> > >                         out.println("530 Authentication Required");
> > >                         getLogger().error("Authentication is required for mail request");
> > >                         return;
> > >                     }
> > >                 } else {
> > >
> > >
> > > I haven't looked at the LocalDelivery mailet, but I imagine it may
> > > require modification to ensure that mails with empty senders that are
> > > routed to non-existent addresses don't bounce.
> > >
> > > I don't agree that this is a matcher issue.  It shouldn't require any
> > > complex configuration to prevent open relay behavior.  Turning on SMTP
> > > authentication is a standard and expected behavior to prevent open relay
> > > behavior.  Additional configuration of matchers is not.
> > >
> > > Any thoughts?
> > >
> > > --Peter
> > >
> > > > -----Original Message-----
> > > > From: Hontvari Jozsef [mailto:hontvari@solware.com]
> > > > Sent: Tuesday, July 30, 2002 12:54 AM
> > > > To: James Developers List
> > > > Subject: Re: Open relay with SMTP-AUTH
> > > >
> > > > But is it possible at all to configure james correctly?
> > > > If he is using smtp authentication, likely he hasn't so called
> "local"
> > > > hosts.
> > > >
> > > > This is the required behaviour, when the mail from is empty
(i.e.
> > > bounce
> > > > message):
> > > > -if the recipient is local then delivery the message
> > > > (-if the recipient is local, but the mailbox does not exist,
then
> do
> > > > nothing, you must not bounce a bounce message)
> > > >
> > > > -if the recipient is not local but the remote host is
> authenticated
> > > then
> > > > relay the message (although I guess this rarely occurs)
> > > > -if the recipient is not local and the remote host is not
> > > authenticated
> > > > then
> > > > do nothing (usual servers simply would not accept the mail)
> > > >
> > > > BUT: there is no matcher which can decide if the sender is
> > > authenticated
> > > > or
> > > > not, so we cannot configure correctly.
> > > >
> > > > I think the best configuration - which can be done at this
moment
> -
> > > simply
> > > > removes the message if the recipient isn't local and the sender
is
> > > empty.
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Serge Knystautas" <se...@lokitech.com>
> > > > To: "James Developers List" <ja...@jakarta.apache.org>;
> > > > <fa...@alum.mit.edu>
> > > > Sent: Tuesday, July 30, 2002 8:21 AM
> > > > Subject: Re: Open relay with SMTP-AUTH
> > > >
> > > >
> > > > > Even if you have a server that only is accepting SMTH AUTH,
it's
> > > still
> > > > best
> > > > > practices to accept "MAIL FROM: <>" messages (i.e., you can't
> just
> > > > disable
> > > > > that).  That said, messages with a null sender should not
leave
> your
> > > > server,
> > > > > so I think it's either a conf issue or a bug in some matcher
> that
> > > isn't
> > > > > probably capturing that and preventing the relaying.
> > > > >
> > > > > Serge Knystautas
> > > > > Loki Technologies
> > > > > http://www.lokitech.com/
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Peter M. Goldstein" <pe...@yahoo.com>
> > > > > To: "'James Developers List'" <ja...@jakarta.apache.org>
> > > > > Sent: Monday, July 29, 2002 8:21 PM
> > > > > Subject: FW: Open relay with SMTP-AUTH
> > > > >
> > > > >
> > > > > >
> > > > > > All,
> > > > > >
> > > > > > I've just confirmed this on the latest code base.  The cause
> is
> > > pretty
> > > > > > obvious - there is a comment in SMTPHandler.java:
> > > > > >
> > > > > >             // If this is a delivery failure notification
> (MAIL
> > > FROM:
> > > > > > <>)
> > > > > >             //   we don't enforce authentication
> > > > > >             if (authRequired && state.get(SENDER) != null) {
> > > > > >
> > > > > > Removing the (state.get(SENDER) != null) clause closes the
> open
> > > relay.
> > > > > >
> > > > > > But can anyone clarify the comment?  Is this comment
referring
> to
> > > > > > messages being generated by the James server in response to
> local
> > > > > > delivery failures?  Clearly the code as it stands in
> insecure...
> > > > > >
> > > > > > --Peter
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: bonadio@intersearch.com.br
> > > [mailto:bonadio@intersearch.com.br]
> > > > > > Sent: None
> > > > > > To: james-user@jakarta.apache.org
> > > > > > Subject: Open relay with SMTP-AUTH
> > > > > >
> > > > > >
> > > > > > Hello
> > > > > >
> > > > > > I think I found a bug when using SMTP-AUTH
> > > > > >
> > > > > > if you enable smtp-auth and sends a <> as the sender
> > > > > > the servers allows the relay of any message, if you
> > > > > > specify a correct email address the server enforces the
> > > authentication
> > > > > >
> > > > > > I created a patch for this, is there any other solution?
> > > > > >
> > > > > > following a session that shows the problem
> > > > > >
> > > > > > Trying XXXXXX...
> > > > > > Connected to XXXXXXXXX.
> > > > > > Escape character is '^]'.
> > > > > > 220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs)
> ready
> > > Mon,
> > > > 29
> > > > > > Jul 2002 20:31:04 -0400
> > > > > > helo test
> > > > > > 250-myMailServer Hello test (XXXXXXX)
> > > > > > 250 AUTH LOGIN PLAIN
> > > > > > mail from: <>
> > > > > > 250 Sender <> OK
> > > > > > rcpt to: <ab...@abuse.org>
> > > > > > 250 Recipient <ab...@abuse.org> OK
> > > > > > .....
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > To unsubscribe, e-mail:
> > > > > <ma...@jakarta.apache.org>
> > > > > > For additional commands, e-mail:
> > > > > <ma...@jakarta.apache.org>
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > To unsubscribe, e-mail:
> > > > <ma...@jakarta.apache.org>
> > > > > For additional commands, e-mail:
> > > > <ma...@jakarta.apache.org>
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > To unsubscribe, e-mail:   <mailto:james-dev-
> > > > unsubscribe@jakarta.apache.org>
> > > > For additional commands, e-mail: <mailto:james-dev-
> > > > help@jakarta.apache.org>
> > >
> > >
> > >
> > > --
> > > To unsubscribe, e-mail:
> > <ma...@jakarta.apache.org>
> > > For additional commands, e-mail:
> > <ma...@jakarta.apache.org>
> > >
> > >
> >
> >
> > --
> > To unsubscribe, e-mail:   <mailto:james-dev-
> > unsubscribe@jakarta.apache.org>
> > For additional commands, e-mail: <mailto:james-dev-
> > help@jakarta.apache.org>
> >
> >
> > --
> > To unsubscribe, e-mail:   <mailto:james-dev-
> > unsubscribe@jakarta.apache.org>
> > For additional commands, e-mail: <mailto:james-dev-
> > help@jakarta.apache.org>
> 
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:james-dev-
> unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:james-dev-
> help@jakarta.apache.org>
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:james-dev-
> unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:james-dev-
> help@jakarta.apache.org>



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


RE: Open relay with SMTP-AUTH

Posted by "Noel J. Bergman" <no...@devtech.com>.
Peter,

Internally, messages are sent by calling James.sendMail(), which calls
spool.store() to put the message on the incoming message spool.  If you look
at SMTPHandler, you'll see that it does the same thing.  It calls
mailServer.sendMail(), which it sounds as if you've already noticed.

	--- Noel


RE: Open relay with SMTP-AUTH

Posted by "Peter M. Goldstein" <pe...@yahoo.com>.
Noel,

That looks right.  The relevant logic is in the SMTPHandler.

Does the LocalDelivery bounce even invoke the SMTPHandler?  I don't see
why it wouldn't just place an outgoing message on the spool directly.
That's what it appears to do.

I'm going to play with some configurations here and see what happens...

--Peter


RE: Open relay with SMTP-AUTH

Posted by "Noel J. Bergman" <no...@devtech.com>.
Seems like we have the following combination:

                      local receiver      remote receiver
  local sender             OK                   OK
  remote sender            OK                  DENY

with respect to null senders, which is the same as for other messages.  Am I
missing something?

	--- Noel

-----Original Message-----
From: Hontvari Jozsef [mailto:hontvari@solware.com]
Sent: Tuesday, July 30, 2002 16:03
To: James Developers List; farsight@alum.mit.edu
Subject: Re: Open relay with SMTP-AUTH


> If we're going to enforce that mail with null senders does not leave the
> host, then this should be:

Maybe this assumption originates from me, sorry. It is not true. I have
forgotten that bounce messages generated by James also went through the
mailet spool (or am I wrong again?).

At least the bounces generated locally by James must leave the server (and
the bounces MUST have null sender according to RFC 1123 5.3.3).

I agree that preventing open relay should not require adding mailets to
the default configuration file.

----- Original Message -----
From: "Peter M. Goldstein" <pe...@yahoo.com>
To: "'James Developers List'" <ja...@jakarta.apache.org>
Sent: Tuesday, July 30, 2002 8:54 PM
Subject: RE: Open relay with SMTP-AUTH


>
> All,
>
> From Serge's description it just seems that the not null sender check is
> unnecessary.  The code now is:
>
>             // If this is a delivery failure notification (MAIL FROM: <>)
>             //   we don't enforce authentication
>             if (authRequired && state.get(SENDER) != null) {
>                 // Make sure the mail is being sent locally if not
>                 // authenticated else reject.
>                 if (!state.containsKey(AUTH)) {
>                     String toDomain = recipientAddress.getHost();
>                     if (!mailServer.isLocalServer(toDomain)) {
>                         out.println("530 Authentication Required");
>                         getLogger().error("Authentication is required for mail request");
>                         return;
>                     }
>                 } else {
>
> If we're going to enforce that mail with null senders does not leave the
> host, then this should be:
>
>             // If this is a delivery failure notification (MAIL FROM: <>)
>             //   we don't enforce authentication
>             if (authRequired) {
>                 // Make sure the mail is being sent locally if not
>                 // authenticated else reject.
>                 if (!state.containsKey(AUTH)) {
>                     String toDomain = recipientAddress.getHost();
>                     if (!mailServer.isLocalServer(toDomain)) {
>                         out.println("530 Authentication Required");
>                         getLogger().error("Authentication is required for mail request");
>                         return;
>                     }
>                 } else {
>
>
> I haven't looked at the LocalDelivery mailet, but I imagine it may
> require modification to ensure that mails with empty senders that are
> routed to non-existent addresses don't bounce.
>
> I don't agree that this is a matcher issue.  It shouldn't require any
> complex configuration to prevent open relay behavior.  Turning on SMTP
> authentication is a standard and expected behavior to prevent open relay
> behavior.  Additional configuration of matchers is not.
>
> Any thoughts?
>
> --Peter
>
> > -----Original Message-----
> > From: Hontvari Jozsef [mailto:hontvari@solware.com]
> > Sent: Tuesday, July 30, 2002 12:54 AM
> > To: James Developers List
> > Subject: Re: Open relay with SMTP-AUTH
> >
> > But is it possible at all to configure james correctly?
> > If he is using smtp authentication, likely he hasn't so called "local"
> > hosts.
> >
> > This is the required behaviour, when the mail from is empty (i.e. bounce
> > message):
> > -if the recipient is local then deliver the message
> > (-if the recipient is local, but the mailbox does not exist, then do
> > nothing, you must not bounce a bounce message)
> >
> > -if the recipient is not local but the remote host is authenticated then
> > relay the message (although I guess this rarely occurs)
> > -if the recipient is not local and the remote host is not authenticated
> > then do nothing (usual servers simply would not accept the mail)
> >
> > BUT: there is no matcher which can decide if the sender is authenticated
> > or not, so we cannot configure correctly.
> >
> > I think the best configuration - which can be done at this moment - simply
> > removes the message if the recipient isn't local and the sender is empty.
> >
> >
> >
> > ----- Original Message -----
> > From: "Serge Knystautas" <se...@lokitech.com>
> > To: "James Developers List" <ja...@jakarta.apache.org>;
> > <fa...@alum.mit.edu>
> > Sent: Tuesday, July 30, 2002 8:21 AM
> > Subject: Re: Open relay with SMTP-AUTH
> >
> >
> > > Even if you have a server that only is accepting SMTP AUTH, it's still
> > > best practices to accept "MAIL FROM: <>" messages (i.e., you can't just
> > > disable that).  That said, messages with a null sender should not leave
> > > your server, so I think it's either a conf issue or a bug in some matcher
> > > that isn't probably capturing that and preventing the relaying.
> > >
> > > Serge Knystautas
> > > Loki Technologies
> > > http://www.lokitech.com/


Re: Open relay with SMTP-AUTH

Posted by Hontvari Jozsef <ho...@solware.com>.
> If we're going to enforce that mail with null senders does not leave the
> host, then this should be:

Maybe this assumption originates from me, sorry. It is not true. I have
forgotten that bounce messages generated by james also went through the
mailet spool (or am I wrong again?).

At least the bounces generated locally by james must leave the server (and
the bounces MUST have null sender according to RFC 1123 5.3.3).

I agree that preventing open relay should not require adding mailets to
the default configuration file.

----- Original Message -----
From: "Peter M. Goldstein" <pe...@yahoo.com>
To: "'James Developers List'" <ja...@jakarta.apache.org>
Sent: Tuesday, July 30, 2002 8:54 PM
Subject: RE: Open relay with SMTP-AUTH


>
> All,
>
> From Serge's description it just seems that the not null sender check is
> unnecessary.  The code now is:
>
>             // If this is a delivery failure notification (MAIL FROM: <>)
>             //   we don't enforce authentication
>             if (authRequired && state.get(SENDER) != null) {
>                 // Make sure the mail is being sent locally if not
>                 // authenticated else reject.
>                 if (!state.containsKey(AUTH)) {
>                     String toDomain = recipientAddress.getHost();
>                     if (!mailServer.isLocalServer(toDomain)) {
>                         out.println("530 Authentication Required");
>                         getLogger().error("Authentication is required for mail request");
>                         return;
>                     }
>                 } else {
>
> If we're going to enforce that mail with null senders does not leave the
> host, then this should be:
>
>             // If this is a delivery failure notification (MAIL FROM: <>)
>             //   we don't enforce authentication
>             if (authRequired) {
>                 // Make sure the mail is being sent locally if not
>                 // authenticated else reject.
>                 if (!state.containsKey(AUTH)) {
>                     String toDomain = recipientAddress.getHost();
>                     if (!mailServer.isLocalServer(toDomain)) {
>                         out.println("530 Authentication Required");
>                         getLogger().error("Authentication is required for mail request");
>                         return;
>                     }
>                 } else {
>
>
> I haven't looked at the LocalDelivery mailet, but I imagine it may
> require modification to ensure that mails with empty senders that are
> routed to non-existent addresses don't bounce.
>
> I don't agree that this is a matcher issue.  It shouldn't require any
> complex configuration to prevent open relay behavior.  Turning on SMTP
> authentication is a standard and expected behavior to prevent open relay
> behavior.  Additional configuration of matchers is not.
>
> Any thoughts?
>
> --Peter


RE: Open relay with SMTP-AUTH

Posted by "Peter M. Goldstein" <pe...@yahoo.com>.
All,

From Serge's description it just seems that the not null sender check is
unnecessary.  The code now is:

            // If this is a delivery failure notification (MAIL FROM: <>)
            //   we don't enforce authentication
            if (authRequired && state.get(SENDER) != null) {
                // Make sure the mail is being sent locally if not
                // authenticated else reject.
                if (!state.containsKey(AUTH)) {
                    String toDomain = recipientAddress.getHost();
                    if (!mailServer.isLocalServer(toDomain)) {
                        out.println("530 Authentication Required");
                        getLogger().error("Authentication is required for mail request");
                        return;
                    }
                } else {

If we're going to enforce that mail with null senders does not leave the
host, then this should be:

            // If this is a delivery failure notification (MAIL FROM: <>)
            //   we don't enforce authentication
            if (authRequired) {
                // Make sure the mail is being sent locally if not
                // authenticated else reject.
                if (!state.containsKey(AUTH)) {
                    String toDomain = recipientAddress.getHost();
                    if (!mailServer.isLocalServer(toDomain)) {
                        out.println("530 Authentication Required");
                        getLogger().error("Authentication is required for mail request");
                        return;
                    }
                } else {


I haven't looked at the LocalDelivery mailet, but I imagine it may
require modification to ensure that mails with empty senders that are
routed to non-existent addresses don't bounce.

I don't agree that this is a matcher issue.  It shouldn't require any
complex configuration to prevent open relay behavior.  Turning on SMTP
authentication is a standard and expected behavior to prevent open relay
behavior.  Additional configuration of matchers is not.

Any thoughts?

--Peter

> -----Original Message-----
> From: Hontvari Jozsef [mailto:hontvari@solware.com]
> Sent: Tuesday, July 30, 2002 12:54 AM
> To: James Developers List
> Subject: Re: Open relay with SMTP-AUTH
> 
> But is it possible at all to configure james correctly?
> If he is using smtp authentication, likely he hasn't so called "local"
> hosts.
> 
> This is the required behaviour, when the mail from is empty (i.e. bounce
> message):
> -if the recipient is local then deliver the message
> (-if the recipient is local, but the mailbox does not exist, then do
> nothing, you must not bounce a bounce message)
>
> -if the recipient is not local but the remote host is authenticated then
> relay the message (although I guess this rarely occurs)
> -if the recipient is not local and the remote host is not authenticated then
> do nothing (usual servers simply would not accept the mail)
>
> BUT: there is no matcher which can decide if the sender is authenticated or
> not, so we cannot configure correctly.
>
> I think the best configuration - which can be done at this moment - simply
> removes the message if the recipient isn't local and the sender is empty.
> 


Re: Open relay with SMTP-AUTH

Posted by Hontvari Jozsef <ho...@solware.com>.
But is it possible at all to configure james correctly?
If he is using smtp authentication, likely he hasn't so called "local"
hosts.

This is the required behaviour, when the mail from is empty (i.e. bounce
message):
-if the recipient is local then deliver the message
(-if the recipient is local, but the mailbox does not exist, then do
nothing, you must not bounce a bounce message)

-if the recipient is not local but the remote host is authenticated then
relay the message (although I guess this rarely occurs)
-if the recipient is not local and the remote host is not authenticated then
do nothing (usual servers simply would not accept the mail)

BUT: there is no matcher which can decide if the sender is authenticated or
not, so we cannot configure correctly.

I think the best configuration - which can be done at this moment - simply
removes the message if the recipient isn't local and the sender is empty.



----- Original Message -----
From: "Serge Knystautas" <se...@lokitech.com>
To: "James Developers List" <ja...@jakarta.apache.org>;
<fa...@alum.mit.edu>
Sent: Tuesday, July 30, 2002 8:21 AM
Subject: Re: Open relay with SMTP-AUTH


> Even if you have a server that only is accepting SMTP AUTH, it's still best
> practices to accept "MAIL FROM: <>" messages (i.e., you can't just disable
> that).  That said, messages with a null sender should not leave your server,
> so I think it's either a conf issue or a bug in some matcher that isn't
> probably capturing that and preventing the relaying.
>
> Serge Knystautas
> Loki Technologies
> http://www.lokitech.com/
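
The RCPT-time check quoted in the thread and the proposed replacement, run side by side over the null-sender cases listed above. This is an added example, not James source or any poster's code: RelayCheck, Decision and the example.* domains are hypothetical, and a null sender stands for MAIL FROM: <> as in the quoted state.get(SENDER) test.

```java
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not James source): the relay decision made when a
 * recipient is accepted, modelled as pure functions so both variants
 * from the thread can be compared. Requires Java 9+ for Set.of.
 */
public class RelayCheck {

    enum Decision { ACCEPT, REJECT_530 }

    // Constructed sample data: the domains this server treats as local.
    static final Set<String> LOCAL_DOMAINS = Set.of("example.org");

    // Stand-in for mailServer.isLocalServer(toDomain) in the quoted code.
    static boolean isLocalServer(String domain) {
        return LOCAL_DOMAINS.contains(domain.toLowerCase(Locale.ROOT));
    }

    /** Check as quoted in the thread: a null sender skips the whole block. */
    static Decision original(boolean authRequired, String sender,
                             boolean authenticated, String toDomain) {
        if (authRequired && sender != null) {
            if (!authenticated && !isLocalServer(toDomain)) {
                return Decision.REJECT_530;
            }
        }
        return Decision.ACCEPT;
    }

    /** Proposed check: the sender no longer influences the relay decision. */
    static Decision proposed(boolean authRequired, String sender,
                             boolean authenticated, String toDomain) {
        if (authRequired) {
            if (!authenticated && !isLocalServer(toDomain)) {
                return Decision.REJECT_530;
            }
        }
        return Decision.ACCEPT;
    }

    public static void main(String[] args) {
        // Constructed cases; sender == null models "MAIL FROM: <>".
        Object[][] cases = {
            // sender,            authenticated, recipient domain
            { null,               false, "example.org" }, // bounce to a local recipient
            { null,               false, "example.net" }, // the case from the reported session
            { null,               true,  "example.net" }, // null sender, authenticated client
            { "user@example.com", false, "example.net" }, // ordinary unauthenticated relay attempt
            { "user@example.com", false, "example.org" }, // ordinary inbound mail
        };
        System.out.printf("%-18s %-6s %-12s %-11s %-11s%n",
                "sender", "auth", "rcpt domain", "original", "proposed");
        for (Object[] c : cases) {
            String sender = (String) c[0];
            boolean authed = (Boolean) c[1];
            String domain = (String) c[2];
            System.out.printf("%-18s %-6s %-12s %-11s %-11s%n",
                    sender == null ? "<>" : sender, authed, domain,
                    original(true, sender, authed, domain),
                    proposed(true, sender, authed, domain));
        }
    }
}
```

The check only covers mail arriving over an SMTP session; whether bounces generated inside the server pass through it is the open question raised in the thread and is not modelled here.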


Re: Open relay with SMTP-AUTH

Posted by Serge Knystautas <se...@lokitech.com>.
Even if you have a server that only is accepting SMTP AUTH, it's still best
practices to accept "MAIL FROM: <>" messages (i.e., you can't just disable
that).  That said, messages with a null sender should not leave your server,
so I think it's either a conf issue or a bug in some matcher that isn't
probably capturing that and preventing the relaying.

Serge Knystautas
Loki Technologies
http://www.lokitech.com/

----- Original Message -----
From: "Peter M. Goldstein" <pe...@yahoo.com>
To: "'James Developers List'" <ja...@jakarta.apache.org>
Sent: Monday, July 29, 2002 8:21 PM
Subject: FW: Open relay with SMTP-AUTH


>
> All,
>
> I've just confirmed this on the latest code base.  The cause is pretty
> obvious - there is a comment in SMTPHandler.java:
>
>             // If this is a delivery failure notification (MAIL FROM: <>)
>             //   we don't enforce authentication
>             if (authRequired && state.get(SENDER) != null) {
>
> Removing the (state.get(SENDER) != null) clause closes the open relay.
>
> But can anyone clarify the comment?  Is this comment referring to
> messages being generated by the James server in response to local
> delivery failures?  Clearly the code as it stands is insecure...
>
> --Peter
>
> -----Original Message-----
> From: bonadio@intersearch.com.br [mailto:bonadio@intersearch.com.br]
> Sent: None
> To: james-user@jakarta.apache.org
> Subject: Open relay with SMTP-AUTH
>
>
> Hello
>
> I think I found a bug when using SMTP-AUTH
>
> if you enable smtp-auth and send a <> as the sender
> the server allows the relay of any message, if you
> specify a correct email address the server enforces the authentication
>
> I created a patch for this, is there any other solution?
>
> following a session that shows the problem
>
> Trying XXXXXX...
> Connected to XXXXXXXXX.
> Escape character is '^]'.
> 220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs) ready Mon, 29
> Jul 2002 20:31:04 -0400
> helo test
> 250-myMailServer Hello test (XXXXXXX)
> 250 AUTH LOGIN PLAIN
> mail from: <>
> 250 Sender <> OK
> rcpt to: <ab...@abuse.org>
> 250 Recipient <ab...@abuse.org> OK
> .....