You are viewing a plain text version of this content. The canonical link for it is here.

Posted to server-dev@james.apache.org by "René Cordier (Jira)" <se...@james.apache.org> on 2021/05/13 08:21:00 UTC

[jira] [Closed] (JAMES-3579) verifyIdentity param should be rejected if authRequired is set to false in SMTP configuration

     [ https://issues.apache.org/jira/browse/JAMES-3579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

René Cordier closed JAMES-3579.
-------------------------------
    Fix Version/s: 3.7.0
       Resolution: Fixed

> verifyIdentity param should be rejected if authRequired is set to false in SMTP configuration
> ---------------------------------------------------------------------------------------------
>
>                 Key: JAMES-3579
>                 URL: https://issues.apache.org/jira/browse/JAMES-3579
>             Project: James Server
>          Issue Type: Bug
>          Components: SMTPServer
>            Reporter: René Cordier
>            Priority: Minor
>             Fix For: 3.7.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> According to the smtp conf documentation https://james.apache.org/server/config-smtp-lmtp.html:
> "handler.verifyIdentity
> This is an optional tag with a boolean body. This option can only be used if SMTP authentication is required. If the parameter is set to true then the sender address for the submitted message will be verified against the authenticated subject. Verify sender addresses, ensuring that the sender address matches the user who has authenticated. It will verify that the sender address matches the address of the user or one of its alias (from user or domain aliases). This prevents a user of your mail server from acting as someone else If unspecified, default value is true." 
> However, it has been observed that when authRequired is set to false in smtpserver.xml, if verifyIdentity is set to true, the SMTP server is expecting that the user is authenticated to be able to verify its identity.
> To stick to the documentation of James, we should reject this case on James startup.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org