Posted to commits@commons.apache.org by sg...@apache.org on 2012/03/04 22:59:48 UTC
svn commit: r1296887 - in /commons/proper/email/trunk/src:
changes/changes.xml java/org/apache/commons/mail/Email.java
site/xdoc/userguide.xml test/org/apache/commons/mail/EmailLiveTest.java
test/org/apache/commons/mail/settings/EmailConfiguration.java
Author: sgoeschl
Date: Sun Mar 4 21:59:47 2012
New Revision: 1296887
URL: http://svn.apache.org/viewvc?rev=1296887&view=rev
Log:
[EMAIL-105] The patch actually broke sending emails over a secured connection - disabled the "MAIL_SMTP_SSL_CHECKSERVERIDENTITY" and "MAIL_SMTP_SSL_ENABLE" activation. Tested the functionality using GMail, GMX and Office365 so the code is at least working for a couple of existing SMTP servers. Also added 'sslCheckServerIdentity' including setter and getter. Also added a chapter regarding "Security" to the user manual.
Modified:
commons/proper/email/trunk/src/changes/changes.xml
commons/proper/email/trunk/src/java/org/apache/commons/mail/Email.java
commons/proper/email/trunk/src/site/xdoc/userguide.xml
commons/proper/email/trunk/src/test/org/apache/commons/mail/EmailLiveTest.java
commons/proper/email/trunk/src/test/org/apache/commons/mail/settings/EmailConfiguration.java
Modified: commons/proper/email/trunk/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/src/changes/changes.xml?rev=1296887&r1=1296886&r2=1296887&view=diff
==============================================================================
--- commons/proper/email/trunk/src/changes/changes.xml (original)
+++ commons/proper/email/trunk/src/changes/changes.xml Sun Mar 4 21:59:47 2012
@@ -23,6 +23,16 @@
<body>
<release version="1.3" date="as in SVN">
+ <action dev="sgoeschl" type="fix" issue="EMAIL-105" date="2012-02-04" due-to="Siegfried Goeschl">
+ The patch actually broke sending emails over a secured connection - disabled the
+ "MAIL_SMTP_SSL_CHECKSERVERIDENTITY" and "MAIL_SMTP_SSL_ENABLE" activation. Tested
+ the functionality using GMail, GMX and Office365 so the code is at least working for
+ a couple of existing SMTP servers. Also added 'sslCheckServerIdentity' including
+ setter and getter. Also added a chapter regarding "Security" to the user manual.
+ </action>
+ <action dev="sgoeschl" type="add" issue="EMAIL-113" date="2012-02-19" due-to="Peter Kofler">
+ Maven Site fails with error in Checkstyle configuration.
+ </action>
<action dev="sgoeschl" type="add" issue="EMAIL-112" date="2012-02-19" due-to="Peter Kofler">
DataSourceFileResolverTest fails under IBM JDK 1.4 and 1.6 running on Windows.
</action>
Modified: commons/proper/email/trunk/src/java/org/apache/commons/mail/Email.java
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/src/java/org/apache/commons/mail/Email.java?rev=1296887&r1=1296886&r2=1296887&view=diff
==============================================================================
--- commons/proper/email/trunk/src/java/org/apache/commons/mail/Email.java (original)
+++ commons/proper/email/trunk/src/java/org/apache/commons/mail/Email.java Sun Mar 4 21:59:47 2012
@@ -159,25 +159,45 @@ public abstract class Email implements E
/**
* Does server require TLS encryption for authentication?
- * @deprecated since 1.3, use setStartTLSRequired() instead
+ * @deprecated since 1.3, use setStartTLSEnabled() instead
*/
protected boolean tls;
/**
- * Does the current transport use SSL/TLS encryption upon connection?
- * @deprecated since 1.3, use setSSLOnConnect() instead
+ * If true, enables the use of the STARTTLS command (if supported by
+ * the server) to switch the connection to a TLS-protected connection
+ * before issuing any login commands. Note that an appropriate trust
+ * store must configured so that the client will trust the server's
+ * certificate.
+ * Defaults to false.
*/
- protected boolean ssl;
-
- /** does client want STARTTLS encryption */
private boolean startTlsEnabled;
- /** does client require STARTTLS encryption */
+ /**
+ * If true, requires the use of the STARTTLS command. If the server doesn't
+ * support the STARTTLS command, or the command fails, the connect method
+ * will fail.
+ * Defaults to false.
+ */
private boolean startTlsRequired;
+ /**
+ * Does the current transport use SSL/TLS encryption upon connection?
+ * @deprecated since 1.3, use setSSLOnConnect() instead
+ */
+ protected boolean ssl;
+
/** does the current transport use SSL/TLS encryption upon connection? */
private boolean sslOnConnect;
+ /**
+ * If set to true, check the server identity as specified by RFC 2595. These
+ * additional checks based on the content of the server's certificate are
+ * intended to prevent man-in-the-middle attacks.
+ * Defaults to false.
+ */
+ private boolean sslCheckServerIdentity;
+
/** socket I/O timeout value in milliseconds */
protected int socketTimeout = SOCKET_TIMEOUT_MS;
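Review bot: The Javadoc for `sslCheckServerIdentity` at the end of the hunk says the RFC 2595 check is what prevents man-in-the-middle attacks and then that it defaults to false, so the protection it describes is off unless a caller opts in; the comment should make that consequence explicit rather than leave it implied. Suggest appending `* While false, the server's certificate is not matched against the host name; enable this together with setSSLOnConnect() or setStartTLSEnabled().` to that Javadoc (whether the certificate chain itself is validated is governed by the trust store, not by this flag, so the comment should not claim more). The `startTlsEnabled` Javadoc earlier in the hunk has a typo, `must configured` should read `must be configured`. The deprecation note on `tls` now points at setStartTLSEnabled() instead of setStartTLSRequired(); if both setters exist, it would help to say which one preserves the old `tls` semantics.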
@@ -510,23 +530,22 @@ public abstract class Email implements E
properties.setProperty(MAIL_SMTP_AUTH, "true");
}
- if (isSSLOnConnect() || isStartTLSEnabled() || isStartTLSRequired())
- {
- properties.setProperty(MAIL_SMTP_SSL_SOCKET_FACTORY_PORT, this.sslSmtpPort);
- properties.setProperty(MAIL_SMTP_SSL_SOCKET_FACTORY_CLASS, "javax.net.ssl.SSLSocketFactory");
- properties.setProperty(MAIL_SMTP_SOCKET_FACTORY_FALLBACK, "false");
- properties.put(MAIL_SMTP_SSL_CHECKSERVERIDENTITY, Boolean.TRUE);
- }
-
if (isSSLOnConnect())
{
- properties.put(MAIL_SMTP_SSL_ENABLE, Boolean.TRUE);
properties.setProperty(MAIL_PORT, this.sslSmtpPort);
properties.setProperty(MAIL_SMTP_SOCKET_FACTORY_PORT, this.sslSmtpPort);
properties.setProperty(MAIL_SMTP_SOCKET_FACTORY_CLASS, "javax.net.ssl.SSLSocketFactory");
properties.setProperty(MAIL_SMTP_SOCKET_FACTORY_FALLBACK, "false");
}
+ if (isSSLOnConnect() || isStartTLSEnabled())
+ {
+ if(isSSLCheckServerIdentity())
+ {
+ properties.setProperty(MAIL_SMTP_SSL_CHECKSERVERIDENTITY, "true");
+ }
+ }
+
if (this.bounceAddress != null)
{
properties.setProperty(MAIL_SMTP_FROM, this.bounceAddress);
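Review bot: The new guard `if (isSSLOnConnect() || isStartTLSEnabled())` leaves out `isStartTLSRequired()`, so a caller who sets only startTlsRequired together with sslCheckServerIdentity never gets MAIL_SMTP_SSL_CHECKSERVERIDENTITY set, unless setStartTLSRequired also flips startTlsEnabled somewhere outside this hunk, which is worth confirming. The two nested ifs collapse to one, `if ((isSSLOnConnect() || isStartTLSEnabled() || isStartTLSRequired()) && isSSLCheckServerIdentity())`, and `if(isSSLCheckServerIdentity())` is missing the space after `if` that the surrounding code uses. Replacing `put(..., Boolean.TRUE)` with `setProperty(..., "true")` is presumably the actual fix, since `Properties.getProperty` returns null for a non-String value; a one-line comment such as `// must be a String: a Boolean value is invisible to Properties.getProperty()` would keep that reasoning from being undone later. The enclosing method starts and ends outside this hunk.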
@@ -1400,6 +1419,16 @@ public abstract class Email implements E
return this;
}
+ public boolean isSSLCheckServerIdentity()
+ {
+ return sslCheckServerIdentity;
+ }
+
+ public void setSSLCheckServerIdentity(boolean sslCheckServerIdentity)
+ {
+ this.sslCheckServerIdentity = sslCheckServerIdentity;
+ }
+
/**
* Returns the current SSL port used by the SMTP transport.
*
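Review bot: `isSSLCheckServerIdentity` and `setSSLCheckServerIdentity` are new public API added without Javadoc, while the neighbouring accessor right below carries one (`Returns the current SSL port used by the SMTP transport.`). Suggest a Javadoc on the getter stating that it returns whether the RFC 2595 server identity check is requested and that the default is false, and on the setter documenting the parameter, noting that it only takes effect when SSL-on-connect or STARTTLS is enabled, and carrying `@since 1.3` to match the release in changes.xml. The setter returns void while the method just above it ends with `return this;`; if the other 1.3 setters are fluent, declaring it `public Email setSSLCheckServerIdentity(boolean sslCheckServerIdentity)` and returning `this` would keep the style consistent, and this is the moment to decide, before the signature ships.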
Modified: commons/proper/email/trunk/src/site/xdoc/userguide.xml
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/src/site/xdoc/userguide.xml?rev=1296887&r1=1296886&r2=1296887&view=diff
==============================================================================
--- commons/proper/email/trunk/src/site/xdoc/userguide.xml (original)
+++ commons/proper/email/trunk/src/site/xdoc/userguide.xml Sun Mar 4 21:59:47 2012
@@ -32,7 +32,7 @@
<source>
<![CDATA[
Email email = new SimpleEmail();
-email.setHostName("smtp.gmail.com");
+email.setHostName("smtp.googlemail.com");
email.setSmtpPort(465);
email.setAuthenticator(new DefaultAuthenticator("username", "password"));
email.setSSLOnConnect(true);
@@ -223,6 +223,12 @@ import org.apache.commons.mail.HtmlEmail
of the mail classes by calling setDebug(true). The debugging output
will be written to <code>System.out</code>.
</p>
+ <p>
+ Sometimes you want to experiment with various security setting or
+ features of commons-email. A good starting point is the test class
+ <code>EmailLiveTest</code> and <code>EmailConfiguration</code> which
+ are used for testing commons-email with real SMTP servers.
+ </p>
</section>
<section name="Authentication">
<p>
@@ -243,6 +249,46 @@ import org.apache.commons.mail.HtmlEmail
<code>Email.setAuthenticator</code> method.
</p>
</section>
+ <section name="Security">
+ <p>
+ Nowadays you should not use plain SMTP protocol when using public SMTP servers
+ but there is a some confusion regarding the available options.
+ </p>
+ <p>
+ Two commons options are using
+ <ul>
+ <li>STARTTLS on port 25</li>
+ <li>SSL on port 465</li>
+ </ul>
+ The following definitions were taken from Wikipedia
+ <ul>
+ <li>
+ STARTTLS is an extension to plain text communication protocols, which offers a
+ way to upgrade a plain text connection to an encrypted (TLS or SSL) connection
+ instead of using a separate port for encrypted communication.
+ </li>
+ <li>
+ Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL),
+ are cryptographic protocols that provide communication security over the
+ Internet.TLS and SSL encrypt the segments of network connections above the
+ Transport Layer, using asymmetric cryptography for key exchange, symmetric
+ encryption for privacy, and message authentication codes for message integrity.
+ </li>
+ </ul>
+ In addition you can force the following security checks (which are disabled by default)
+ <ul>
+ <li>
+ When using a secured transport (STARTTLS or SSL) you can force validating the server's
+ certificate by calling <code>Email.setSSLCheckServerIdentity(true). Having said that
+ this does not seem to work on any of my test servers (GMAIL, GMX).
+ </code>
+ </li>
+ <li>
+ Enforce using STARTTLS by calling <code>Email.setStartTLSRequired(true)</code>
+ </li>
+ </ul>
+ </p>
+ </section>
<section name="Handling Bounced Messages">
<p>
Normally, messages which cannot be delivered to a recipient are returned to the
Modified: commons/proper/email/trunk/src/test/org/apache/commons/mail/EmailLiveTest.java
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/src/test/org/apache/commons/mail/EmailLiveTest.java?rev=1296887&r1=1296886&r2=1296887&view=diff
==============================================================================
--- commons/proper/email/trunk/src/test/org/apache/commons/mail/EmailLiveTest.java (original)
+++ commons/proper/email/trunk/src/test/org/apache/commons/mail/EmailLiveTest.java Sun Mar 4 21:59:47 2012
@@ -96,7 +96,9 @@ public class EmailLiveTest extends BaseE
Email email = (Email) clazz.newInstance();
email.setStartTLSEnabled(EmailConfiguration.MAIL_USE_STARTTLS);
+ email.setStartTLSRequired(EmailConfiguration.MAIL_STARTTLS_REQUIRED);
email.setSSLOnConnect(EmailConfiguration.MAIL_USE_SSL);
+ email.setSSLCheckServerIdentity(EmailConfiguration.MAIL_SSL_CHECKSERVERIDENTITY);
email.setHostName(EmailConfiguration.MAIL_SERVER);
email.setSmtpPort(EmailConfiguration.MAIL_SERVER_PORT);
email.setBounceAddress(EmailConfiguration.TEST_FROM);
Modified: commons/proper/email/trunk/src/test/org/apache/commons/mail/settings/EmailConfiguration.java
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/src/test/org/apache/commons/mail/settings/EmailConfiguration.java?rev=1296887&r1=1296886&r2=1296887&view=diff
==============================================================================
--- commons/proper/email/trunk/src/test/org/apache/commons/mail/settings/EmailConfiguration.java (original)
+++ commons/proper/email/trunk/src/test/org/apache/commons/mail/settings/EmailConfiguration.java Sun Mar 4 21:59:47 2012
@@ -30,22 +30,32 @@ public final class EmailConfiguration
{
// when using GMail for testing the following combination work
//
- // port 25 - StartTLS
- // port 25 - StartTLS & UseSSL
- // port 465 - UseSSL
- // port 465 - StartTLS & UseSSL
-
- public static final boolean MAIL_FORCE_SEND = false;
- public static final boolean MAIL_DEBUG = false;
- public static final String MAIL_CHARSET = EmailConstants.UTF_8;
- public static final String MAIL_SERVER = "localhost";
- public static final int MAIL_SERVER_PORT = 25;
- public static final String TEST_FROM = "test_from@apache.org";
- public static final String TEST_TO = "test_to@apache.org";
- public static final String TEST_USER = "user";
- public static final String TEST_PASSWD = "password";
- public static final boolean MAIL_USE_SSL = false;
- public static final boolean MAIL_USE_STARTTLS = false;
+ // port 25 - MAIL_USE_STARTTLS, MAIL_STARTTLS_REQUIRED
+ // port 465 - MAIL_USE_SSL
+
+ // when using GMX for testing the following combination work
+ //
+ // port 465 - MAIL_USE_SSL, -Dsun.security.ssl.allowUnsafeRenegotiation=true
+
+ // when using Office 365 for testing the following combination work
+ //
+ // port 25 - MAIL_USE_STARTTLS, MAIL_STARTTLS_REQUIRED
+ // port 587 - MAIL_USE_STARTTLS, MAIL_STARTTLS_REQUIRED
+
+ public static final boolean MAIL_FORCE_SEND = false;
+ public static final boolean MAIL_DEBUG = false;
+ public static final String MAIL_CHARSET = EmailConstants.UTF_8;
+ public static final String MAIL_SERVER = "localhost";
+ public static final int MAIL_SERVER_PORT = 25;
+ public static final String TEST_FROM = "test_from@apache.org";
+ public static final String TEST_TO = "test_to@apache.org";
+ public static final String TEST_USER = "user";
+ public static final String TEST_PASSWD = "password";
+
+ public static final boolean MAIL_USE_SSL = false;
+ public static final boolean MAIL_SSL_CHECKSERVERIDENTITY = false;
+ public static final boolean MAIL_USE_STARTTLS = true;
+ public static final boolean MAIL_STARTTLS_REQUIRED = true;
public static final String TEST_URL = EmailConfiguration.class
.getResource("/images/asf_logo_wide.gif")