You are viewing a plain text version of this content. The canonical link for it is here.

Posted to server-user@james.apache.org by Ole Ersoy <ol...@yahoo.com> on 2006/03/06 05:04:01 UTC

JavaMail not required to authenticate

Hi,

I wrote a simple javamail program, and noticed that it
is allowed to send messages without authenticating.

I have <authRequired>true</authRequired> in the SMTP
config block and when using thunderbird to connect the
same user authentication is required.

Initially I thought this might be because of the 
<authAddress> elements in the smtp config block, so I
commented all of them out and restarted the server. 
Javamail can still send mail without authenticating.

Any ideas on how to require javamail to authenticate?

I'm running 2.20 BTW.

Thanks,
- Ole


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org

Re: JavaMail not required to authenticate

Posted by Ole Ersoy <ol...@yahoo.com>.

Stefano,

Thanks!  You just explained why the authentication is
not required.  I am sending message from a local
address to a local address.

Thanks!  Now I can rest easy knowing that there are no
security holes.

Cheers,
- Ole

--- Stefano Bagnara <ap...@bago.org> wrote:

> I don't understand the problem, maybe you should
> provide more 
> informations on your configuration and the test that
> fail.
> 
> Keep in mind that also with "authRequired = true"
> james will accept 
> messages destinated to local addresses with no
> authentication.
> This is a needed SMTP behaviour, if we remove this
> you will not be able 
> to receive mail. If you want to require
> authentication for every message 
> you should remove every domain from your servernames
> configuration and 
> then use your own matcher to LocalDelivery instead
> of HostIsLocal.
> 
> Please provide more information on what you are
> trying to achieve 
> because it's unlikely that you need the above
> configuration for "real" 
> use cases.
> 
> Stefano
> 
> Ole Ersoy wrote:
> > Hi,
> > 
> > I wrote a simple javamail program, and noticed
> that it
> > is allowed to send messages without
> authenticating.
> > 
> > I have <authRequired>true</authRequired> in the
> SMTP
> > config block and when using thunderbird to connect
> the
> > same user authentication is required.
> > 
> > Initially I thought this might be because of the 
> > <authAddress> elements in the smtp config block,
> so I
> > commented all of them out and restarted the
> server. 
> > Javamail can still send mail without
> authenticating.
> > 
> > Any ideas on how to require javamail to
> authenticate?
> > 
> > I'm running 2.20 BTW.
> > 
> > Thanks,
> > - Ole
> > 
> > 
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam
> protection around 
> > http://mail.yahoo.com 
> > 
> >
>
---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> server-user-unsubscribe@james.apache.org
> > For additional commands, e-mail:
> server-user-help@james.apache.org
> > 
> > 
> 
> 
> 
>
---------------------------------------------------------------------
> To unsubscribe, e-mail:
> server-user-unsubscribe@james.apache.org
> For additional commands, e-mail:
> server-user-help@james.apache.org
> 
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org

Re: JavaMail not required to authenticate

Posted by Stefano Bagnara <ap...@bago.org>.

I don't understand the problem, maybe you should provide more 
informations on your configuration and the test that fail.

Keep in mind that also with "authRequired = true" james will accept 
messages destinated to local addresses with no authentication.
This is a needed SMTP behaviour, if we remove this you will not be able 
to receive mail. If you want to require authentication for every message 
you should remove every domain from your servernames configuration and 
then use your own matcher to LocalDelivery instead of HostIsLocal.

Please provide more information on what you are trying to achieve 
because it's unlikely that you need the above configuration for "real" 
use cases.

Stefano

Ole Ersoy wrote:
> Hi,
> 
> I wrote a simple javamail program, and noticed that it
> is allowed to send messages without authenticating.
> 
> I have <authRequired>true</authRequired> in the SMTP
> config block and when using thunderbird to connect the
> same user authentication is required.
> 
> Initially I thought this might be because of the 
> <authAddress> elements in the smtp config block, so I
> commented all of them out and restarted the server. 
> Javamail can still send mail without authenticating.
> 
> Any ideas on how to require javamail to authenticate?
> 
> I'm running 2.20 BTW.
> 
> Thanks,
> - Ole
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org