Posted to server-dev@james.apache.org by pg...@apache.org on 2002/08/10 19:24:02 UTC
cvs commit: jakarta-james/src/java/org/apache/james/smtpserver SMTPHandler.java
pgoldstein 2002/08/10 10:24:02
Modified: src/java/org/apache/james/smtpserver SMTPHandler.java
Log:
This is a correction to the SMTP AUTH code to close an open relay hole.
In short, there was an unnecessary clause in the SMTP AUTH code that
excluded emails with null senders from validation, under the premise
that these are delivery failure notifications.
This is incorrect. Delivery failure notifications generated by the
James server are placed directly on the outgoing spool. With SMTP
AUTH configured, external delivery failure notifications should
be routed through the James server if and only if they are
intended for delivery to the James server. Most critically,
before this patch a James server in a minimal SMTP AUTH config is
recognized as an open relay by ORDB.org. After, it is not.
Revision Changes Path
1.20 +3 -5 jakarta-james/src/java/org/apache/james/smtpserver/SMTPHandler.java
Index: SMTPHandler.java
===================================================================
RCS file: /home/cvs/jakarta-james/src/java/org/apache/james/smtpserver/SMTPHandler.java,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- SMTPHandler.java 7 Aug 2002 23:55:00 -0000 1.19
+++ SMTPHandler.java 10 Aug 2002 17:24:02 -0000 1.20
@@ -728,9 +728,7 @@
}
return;
}
- // If this is a delivery failure notification (MAIL FROM: <>)
- // we don't enforce authentication
- if (authRequired && state.get(SENDER) != null) {
+ if (authRequired) {
// Make sure the mail is being sent locally if not
// authenticated else reject.
if (!state.containsKey(AUTH)) {
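Review bot: with the `state.get(SENDER) != null` guard gone from `if (authRequired) {`, this block is now entered for MAIL FROM: <> as well, so anything inside it that reads the sender has to tolerate null. The body of the unauthenticated branch under `if (!state.containsKey(AUTH)) {` is cut off by the hunk, so please confirm that the local-delivery test there does not dereference `state.get(SENDER)`. The two deleted comment lines were also the only mention of null senders at this spot; a short replacement comment stating that null-sender mail is deliberately held to the same relay check would keep the exemption from being reintroduced later, and a test that submits MAIL FROM: <> to a non-local recipient without AUTH and expects a rejection would pin the behaviour.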