Posted to server-user@james.apache.org by Martin Hewitt <ma...@gmail.com> on 2013/04/01 10:34:15 UTC

Re: Mailet config; remote delivery only from local IPs

Hi Eric,

I don't think that's quite what I'm looking for - unless I have to run two
servers - as I still need to enable remote access for delivery of incoming
messages.

However, your comment got me looking in the smtpserver.conf instead of the
mailetcontainer.conf file, and I think, if I can create a custom handler
and insert it into the SMTP server handler chain, I can get access to the
SMTPSession in the check() method of the handler, from which I can then use
SMTPSession#getRemoteIPAddress in conjunction with the Mail object to
achieve what I need to.

I think...

Martin


On 31 March 2013 11:15, Eric Charles <er...@apache.org> wrote:

> Hi,
>
> Did you look at authorizedAddresses [1] in smtpserver-template.xml ?
> It allows you to configure the smtpserver to accept only some originating
> addresses. Does it completely map your requirements (it sounds like, but
> not sure from your mail).
>
> Thx, Eric
>
>
> [1]
>         <!--  Uncomment this if you want to authorize specific addresses/networks.
>                If you use SMTP AUTH, addresses that match those specified here will
>                be permitted to relay without SMTP AUTH.  If you do not use SMTP
>                AUTH, and you specify addresses here, then only addresses that match
>                those specified will be permitted to relay.
>
>                Addresses may be specified as an IP address or domain name, with an
>                optional netmask, e.g.,
>
>                127.*, 127.0.0.0/8, 127.0.0.0/255.0.0.0, and localhost/8 are all the same
>
>                See also the RemoteAddrNotInNetwork matcher in the transport processor.
>                You would generally use one OR the other approach.
>          -->
>         <authorizedAddresses>127.0.0.0/8</authorizedAddresses>
>
>
>
>
>
> On 29/03/2013 12:31, Martin Hewitt wrote:
>
>> Hi all,
>>
>> I'm building a system that uses the James SMTP server to send and receive
>> messages. I intercept these messages with a custom mailet and feed them
>> into my system. However, when it comes to sending mail through the SMTP
>> server, there's a bit of difference.
>>
>> My users have an email address, which is configured in a database, I have
>> a custom UserRepository that handles the verification of addresses.
>> However, because users never login to James/IMAP directly, there's no real
>> concept of a "password". This means I can't use conventional
>> authentication, but I can't close off port 25, because I won't get incoming
>> mail, but, obviously, I don't want to have an open SMTP relay running.
>>
>> What I'm looking to do is configure my mailets such that, if a message is
>> destined for remote delivery (i.e. is an outgoing message) that the SMTP
>> server only allows such a delivery if the request originated from the same
>> machine that the SMTP server is running on.
>>
>> I'm not sure how (or, even, if) I can get this information from the
>> Mailet/Matcher API - I think I'm more in Matcher territory than Mailet
>> territory - but the Matcher still only has access to the Mail object, and
>> I think I'm probably a bit lower-level than that.
>>
>> Can/should I run two SMTP instances, one for incoming and one for outgoing?
>> Can they have different Mailet chains?
>>
>> Not sure how best to achieve this!
>>
>> Martin
>>
>>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org
>
>

Re: Mailet config; remote delivery only from local IPs

Posted by Eric Charles <er...@apache.org>.
Good to read you are progressing on this.

James uses javamail to send the remote mail. You have to configure the
RemoteDeliveryMailet to pick up the correct javamail configuration
(undocumented, on my todo list).

Depending on your host/dns settings, you would force by adding 
<mail.smtp.localhost>your_ip@</mail.smtp.localhost> in the 
RemoteDelivery mailet so the second smtp server can pick it up (see [1] 
from the javamail javadoc).

Thx, Eric


[1] mail.smtp.localhost - Local host name used in the SMTP HELO or EHLO 
command. Defaults to InetAddress.getLocalHost().getHostName(). Should 
not normally need to be set if your JDK and your name service are 
configured properly.

On 01/04/2013 13:38, Martin Hewitt wrote:
> I'm having some success using the onMessage method, and the DENY/DECLINE
> semantics are exactly what I'm after.
>
> The only question I have is that in the onMessage method, I have an
> SMTPSession object and a Mail object. When I call Mail#getRemoteAddr this
> always, *always* returns 127.0.0.1, regardless of where the mail is coming
> from. However, if I use SMTPSession#getAttribute("CURRENT_HELO_NAME") then
> I get the true remote IP address.
>
> I don't know if CURRENT_HELO_NAME is set by James or by the connecting
> agent, and therefore if it's a reliable way of determining the connecting
> machine's remote IP or not.
>
> I also don't know why MailImpl#getRemoteAddr always returns 127.0.0.1, but
> if CURRENT_HELO_NAME is reliable, that doesn't matter so much.
>
> Thanks,
>
> Martin
>
>


Re: Mailet config; remote delivery only from local IPs

Posted by Martin Hewitt <ma...@gmail.com>.
I'm having some success using the onMessage method, and the DENY/DECLINE
semantics are exactly what I'm after.

The only question I have is that in the onMessage method, I have an
SMTPSession object and a Mail object. When I call Mail#getRemoteAddr this
always, *always* returns 127.0.0.1, regardless of where the mail is coming
from. However, if I use SMTPSession#getAttribute("CURRENT_HELO_NAME") then
I get the true remote IP address.

I don't know if CURRENT_HELO_NAME is set by James or by the connecting
agent, and therefore if it's a reliable way of determining the connecting
machine's remote IP or not.

I also don't know why MailImpl#getRemoteAddr always returns 127.0.0.1, but
if CURRENT_HELO_NAME is reliable, that doesn't matter so much.

Thanks,

Martin


On 1 April 2013 09:41, Martin Hewitt <ma...@gmail.com> wrote:

> Sorry, not the check() method, the onMessage method, as used in
> SpamAssassinHandler:
> https://james.apache.org/server/head/xref/org/apache/james/smtpserver/core/filter/fastfail/SpamAssassinHandler.html#145
>
> Martin
>
>
>
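
The policy this thread is working towards, as an added example that is not part of the original messages or of James's own code: mail for local domains is accepted from any peer, while relaying to remote domains is allowed only when the TCP peer address (what the thread obtains via SMTPSession#getRemoteIPAddress) lies in an authorized network such as 127.0.0.0/8. The HELO/EHLO argument is chosen by the connecting client (RFC 5321), so it is passed in but deliberately ignored; the class, method and domain names and all sample values are hypothetical, and no James API is used.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

// Added example (hypothetical names, no James API): the relay decision is keyed
// on the TCP peer address; the HELO argument is client-supplied and never trusted.
public class RelayPolicyDemo {

    enum Verdict { ACCEPT_LOCAL_DELIVERY, ACCEPT_RELAY, DENY_RELAY }

    // True if addr lies inside cidr, e.g. "127.0.0.0/8". IP literals only, so no DNS lookup.
    static boolean inNetwork(InetAddress addr, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        if (parts.length != 2) throw new IllegalArgumentException("expected addr/prefix: " + cidr);
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        byte[] ip = addr.getAddress();
        if (net.length != ip.length) return false; // IPv4 peer vs IPv6 network or vice versa
        int bits = Integer.parseInt(parts[1]);
        if (bits < 0 || bits > net.length * 8) throw new IllegalArgumentException("bad prefix: " + cidr);
        for (int i = 0; i < net.length && bits > 0; i++, bits -= 8) {
            int mask = bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF;
            if ((net[i] & mask) != (ip[i] & mask)) return false;
        }
        return true;
    }

    // heloName is accepted only to show that it plays no part in the decision.
    static Verdict decide(InetAddress peer, String heloName, String rcptDomain,
                          Set<String> localDomains, Set<String> relayNetworks)
            throws UnknownHostException {
        // Mail for a domain we host is ordinary inbound delivery: accept from any peer.
        if (localDomains.contains(rcptDomain.toLowerCase(Locale.ROOT))) {
            return Verdict.ACCEPT_LOCAL_DELIVERY;
        }
        // Anything else would be relayed onward: only authorized peers may do that.
        for (String cidr : relayNetworks) {
            if (inNetwork(peer, cidr)) return Verdict.ACCEPT_RELAY;
        }
        return Verdict.DENY_RELAY;
    }

    public static void main(String[] args) throws UnknownHostException {
        Set<String> local = Set.of("example.org");            // constructed local domain
        Set<String> relay = Set.of("127.0.0.0/8", "::1/128"); // loopback only
        InetAddress outside = InetAddress.getByName("203.0.113.7"); // constructed (TEST-NET-3)
        InetAddress loopback = InetAddress.getByName("127.0.0.1");

        // Inbound mail from the internet to a local user.
        System.out.println(decide(outside, "mx.sender.example", "example.org", local, relay));
        // The application on the same host sending outbound mail.
        System.out.println(decide(loopback, "app.internal", "elsewhere.example", local, relay));
        // A remote client that merely claims to be 127.0.0.1 in HELO.
        System.out.println(decide(outside, "127.0.0.1", "elsewhere.example", local, relay));
    }
}
```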

Re: Mailet config; remote delivery only from local IPs

Posted by Martin Hewitt <ma...@gmail.com>.
Sorry, not the check() method, the onMessage method, as used in
SpamAssassinHandler:
https://james.apache.org/server/head/xref/org/apache/james/smtpserver/core/filter/fastfail/SpamAssassinHandler.html#145

Martin


On 1 April 2013 09:34, Martin Hewitt <ma...@gmail.com> wrote:

> Hi Eric,
>
> I don't think that's quite what I'm looking for - unless I have to run two
> servers - as I still need to enable remote access for delivery of incoming
> messages.
>
> However, your comment got me looking in the smtpserver.conf instead of the
> mailetcontainer.conf file, and I think, if I can create a custom handler
> and insert it into the SMTP server handler chain, I can get access to the
> SMTPSession in the check() method of the handler, from which I can then use
> SMTPSession#getRemoteIPAddress in conjunction with the Mail object to
> achieve what I need to.
>
> I think...
>
> Martin
>
>