You are viewing a plain text version of this content. The canonical link for it is here.

Posted to server-dev@james.apache.org by "Norman Maurer (JIRA)" <se...@james.apache.org> on 2006/03/31 12:30:01 UTC

[jira] Created: (JAMES-463) Check for reverse on HELO/EHLO

Check for reverse on HELO/EHLO
------------------------------

         Key: JAMES-463
         URL: http://issues.apache.org/jira/browse/JAMES-463
     Project: James
        Type: New Feature
  Components: SMTPServer  
    Reporter: Norman Maurer


I complete a patch to support check that the provided helo is the reverse entry of the connected mailserver. But anyone has an idea howto write a junit test for that ? Is there a way to spoof the ip ? cause otherwise it will connect with 127.0.0.1 and this will fail cause there is no valid reverse for that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

[jira] Updated: (JAMES-463) Check for reverse on HELO/EHLO

Posted by "Norman Maurer (JIRA)" <se...@james.apache.org>.

     [ http://issues.apache.org/jira/browse/JAMES-463?page=all ]

Norman Maurer updated JAMES-463:
--------------------------------

    Attachment: helo-reverse.patch

Here are my patch to support this features.. Feedback welcome

> Check for reverse on HELO/EHLO
> ------------------------------
>
>          Key: JAMES-463
>          URL: http://issues.apache.org/jira/browse/JAMES-463
>      Project: James
>         Type: New Feature

>   Components: SMTPServer
>     Reporter: Norman Maurer
>     Assignee: Norman Maurer
>      Fix For: 2.4.0
>  Attachments: helo-reverse.patch
>
> I complete a patch to support check that the provided helo is the reverse entry of the connected mailserver. But anyone has an idea howto write a junit test for that ? Is there a way to spoof the ip ? cause otherwise it will connect with 127.0.0.1 and this will fail cause there is no valid reverse for that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

Re: [jira] Commented: (JAMES-463) Check for reverse on HELO/EHLO

Posted by Stefano Bagnara <ap...@bago.org>.

Norman Maurer (JIRA) wrote:
> i think the admin should check for correctness of the dns entries.. Such thinks teach admins ;-) But anyway if noone find this usefull i will discard it.. Maybe we should consider to add the feature of rcptchecks (lookup for valid users) .. This would be a good improvment, cause some blacklists (spamcop.net) blacklist severs if they accept such emails and sned a bounce after that.. So a permanent error on smtp level would be nice..

The problem arise with gateways/firewalls that uses NAT.
The MUA behind the firewall does not know the real public IP that will 
be presented to the outside servers, and the public IP is the one seen 
by the receiving MTA.

This is why I don't check for validity of the HELO argument.

This scenario happens too often in companies and given that most MTA 
will not enforce the validity of the helo argument most network 
administrator (of the sender network) thinks their configuration is good 
(they never had complaints before) and you start loosing too much time 
explaining they are wrong.

BTW, I'n not against this kind of patches. I simply say I'll not enable 
them because I think they don't increase my security, don't provide any 
improvement to my server and they make me spend more time explaining 
this kind of problems to others ;-)

Spammers seems the only ones that really take care to have a matching 
HELO argument.

Stefano


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

Re: [jira] Commented: (JAMES-463) Check for reverse on HELO/EHLO

Posted by Stefano Bagnara <ap...@bago.org>.

Norman Maurer wrote:
> I only will submit the patches when i found a way to write a junit
> test.. 

You could move the getByName from the doHELO command to a protected 
method. Then you could extend the HeloCmdHandler by overriding the 
getByName with your own implementation, and then test the behaviour.
Not sure this is a good way, but I can't think of other solutions right 
now.

> Buth what you think about rcptchecks? It should be possible to acces he
> user store for getting all valid recipients or im wrong ? 

The problem here is that often the user will have aliases, 
virtusertables. specific recipient matchers that will result in a 
mapping not 1 to 1 between the valid recipients and the users in the 
repository.

Stefano

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

Re: [jira] Commented: (JAMES-463) Check for reverse on HELO/EHLO

Posted by Norman Maurer <nm...@byteaction.de>.

Am Freitag, den 31.03.2006, 15:00 +0200 schrieb Stefano Bagnara:
> Norman Maurer wrote:
> > I only will submit the patches when i found a way to write a junit
> > test.. 
> 
> You could move the getByName from the doHELO command to a protected 
> method. Then you could extend the HeloCmdHandler by overriding the 
> getByName with your own implementation, and then test the behaviour.
> Not sure this is a good way, but I can't think of other solutions right 
> now.

That should work but its not a very "clean" solution :-( 
> 
> > Buth what you think about rcptchecks? It should be possible to acces he
> > user store for getting all valid recipients or im wrong ? 
> 
> The problem here is that often the user will have aliases, 
> virtusertables. specific recipient matchers that will result in a 
> mapping not 1 to 1 between the valid recipients and the users in the 
> repository.

> Stefano

Is the Virtualusertable not accessable from the UserStore ? Aliases must
handled correct of course. Also whitelist domains etc must be
configurable.

bye 
Norman 

> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> For additional commands, e-mail: server-dev-help@james.apache.org
> 
> !EXCUBATOR:1,442d4f1f37022694517039!

Re: [jira] Commented: (JAMES-463) Check for reverse on HELO/EHLO

Posted by Norman Maurer <nm...@byteaction.de>.

I only will submit the patches when i found a way to write a junit
test.. 

Buth what you think about rcptchecks? It should be possible to acces he
user store for getting all valid recipients or im wrong ? 

bye

Am Freitag, den 31.03.2006, 14:04 +0200 schrieb Stefano Bagnara:
> argument most network 
> administrator (of the sender network) thinks their configuration is
> good 
> (they never had complaints before) and you start loosing too much
> time 
> explaining they are wrong.
> 
> BTW, I'n not against this kind of patches. I simply say I'll not
> enable 
> them because I think they don't increase my security, don't provide
> any 
> improvement to my server and they make me spend more time explaining 
> this kind of problems to others ;-)
> 
> Spammers seems the only ones that really take care to have a matching 
> HELO argument.

[jira] Commented: (JAMES-463) Check for reverse on HELO/EHLO

Posted by "Norman Maurer (JIRA)" <se...@james.apache.org>.

    [ http://issues.apache.org/jira/browse/JAMES-463?page=comments#action_12372660 ] 

Norman Maurer commented on JAMES-463:
-------------------------------------

i think the admin should check for correctness of the dns entries.. Such thinks teach admins ;-) But anyway if noone find this usefull i will discard it.. Maybe we should consider to add the feature of rcptchecks (lookup for valid users) .. This would be a good improvment, cause some blacklists (spamcop.net) blacklist severs if they accept such emails and sned a bounce after that.. So a permanent error on smtp level would be nice..



> Check for reverse on HELO/EHLO
> ------------------------------
>
>          Key: JAMES-463
>          URL: http://issues.apache.org/jira/browse/JAMES-463
>      Project: James
>         Type: New Feature
>   Components: SMTPServer
>     Reporter: Norman Maurer

>
> I complete a patch to support check that the provided helo is the reverse entry of the connected mailserver. But anyone has an idea howto write a junit test for that ? Is there a way to spoof the ip ? cause otherwise it will connect with 127.0.0.1 and this will fail cause there is no valid reverse for that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

[jira] Commented: (JAMES-463) Check for reverse on HELO/EHLO

Posted by "Norman Maurer (JIRA)" <se...@james.apache.org>.

    [ http://issues.apache.org/jira/browse/JAMES-463?page=comments#action_12412125 ] 

Norman Maurer commented on JAMES-463:
-------------------------------------

Anyone is intressted to have this feature ? If not i will close this issue and mark it as invalid!

> Check for reverse on HELO/EHLO
> ------------------------------
>
>          Key: JAMES-463
>          URL: http://issues.apache.org/jira/browse/JAMES-463
>      Project: James
>         Type: New Feature

>   Components: SMTPServer
>     Reporter: Norman Maurer
>      Fix For: 2.4.0

>
> I complete a patch to support check that the provided helo is the reverse entry of the connected mailserver. But anyone has an idea howto write a junit test for that ? Is there a way to spoof the ip ? cause otherwise it will connect with 127.0.0.1 and this will fail cause there is no valid reverse for that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

[jira] Resolved: (JAMES-463) Check for reverse on HELO/EHLO

Posted by "Norman Maurer (JIRA)" <se...@james.apache.org>.

     [ http://issues.apache.org/jira/browse/JAMES-463?page=all ]
     
Norman Maurer resolved JAMES-463:
---------------------------------

    Resolution: Fixed

patch is applied

> Check for reverse on HELO/EHLO
> ------------------------------
>
>          Key: JAMES-463
>          URL: http://issues.apache.org/jira/browse/JAMES-463
>      Project: James
>         Type: New Feature

>   Components: SMTPServer
>     Reporter: Norman Maurer
>     Assignee: Norman Maurer
>      Fix For: 2.4.0
>  Attachments: HeloEhlo-reverse-check-v2.patch, helo-reverse.patch
>
> I complete a patch to support check that the provided helo is the reverse entry of the connected mailserver. But anyone has an idea howto write a junit test for that ? Is there a way to spoof the ip ? cause otherwise it will connect with 127.0.0.1 and this will fail cause there is no valid reverse for that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

[jira] Commented: (JAMES-463) Check for reverse on HELO/EHLO

Posted by "Stefano Bagnara (JIRA)" <se...@james.apache.org>.

    [ http://issues.apache.org/jira/browse/JAMES-463?page=comments#action_12372659 ] 

Stefano Bagnara commented on JAMES-463:
---------------------------------------

Currently we invoke directly the static method by:
org.apache.james.dnsserver.DNSServer.getByName(argument);

We probably should add this method to DNSServer interface and access it looking up for the service (Avalon Service).

In this way the dnsserver would be more pluggable and testable.
We could also provide a mock dnsserver to use in unittests.

The problem is that currently the DNSServer.getByName is used everywhere statically and in some place would be difficult to get access to the ServiceManager to lookup the DNSServer.

----

About this specific issue I don't think it's a good idea to enable this check: many people connect via firewalls/gateway with NAT or from networks with bad or unassigned reverse addresses: you would reject their messages.
Furthermore, the check doesn't improve the security of the mailserver.

In fact, I never understood the need for the helo argument itself.


> Check for reverse on HELO/EHLO
> ------------------------------
>
>          Key: JAMES-463
>          URL: http://issues.apache.org/jira/browse/JAMES-463
>      Project: James
>         Type: New Feature
>   Components: SMTPServer
>     Reporter: Norman Maurer

>
> I complete a patch to support check that the provided helo is the reverse entry of the connected mailserver. But anyone has an idea howto write a junit test for that ? Is there a way to spoof the ip ? cause otherwise it will connect with 127.0.0.1 and this will fail cause there is no valid reverse for that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

[jira] Updated: (JAMES-463) Check for reverse on HELO/EHLO

Posted by "Norman Maurer (JIRA)" <se...@james.apache.org>.

     [ http://issues.apache.org/jira/browse/JAMES-463?page=all ]

Norman Maurer updated JAMES-463:
--------------------------------

    Attachment: HeloEhlo-reverse-check-v2.patch

> Check for reverse on HELO/EHLO
> ------------------------------
>
>          Key: JAMES-463
>          URL: http://issues.apache.org/jira/browse/JAMES-463
>      Project: James
>         Type: New Feature

>   Components: SMTPServer
>     Reporter: Norman Maurer
>     Assignee: Norman Maurer
>      Fix For: 2.4.0
>  Attachments: HeloEhlo-reverse-check-v2.patch, helo-reverse.patch
>
> I complete a patch to support check that the provided helo is the reverse entry of the connected mailserver. But anyone has an idea howto write a junit test for that ? Is there a way to spoof the ip ? cause otherwise it will connect with 127.0.0.1 and this will fail cause there is no valid reverse for that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

[jira] Assigned: (JAMES-463) Check for reverse on HELO/EHLO

Posted by "Norman Maurer (JIRA)" <se...@james.apache.org>.

     [ http://issues.apache.org/jira/browse/JAMES-463?page=all ]

Norman Maurer reassigned JAMES-463:
-----------------------------------

    Assign To: Norman Maurer

> Check for reverse on HELO/EHLO
> ------------------------------
>
>          Key: JAMES-463
>          URL: http://issues.apache.org/jira/browse/JAMES-463
>      Project: James
>         Type: New Feature

>   Components: SMTPServer
>     Reporter: Norman Maurer
>     Assignee: Norman Maurer
>      Fix For: 2.4.0

>
> I complete a patch to support check that the provided helo is the reverse entry of the connected mailserver. But anyone has an idea howto write a junit test for that ? Is there a way to spoof the ip ? cause otherwise it will connect with 127.0.0.1 and this will fail cause there is no valid reverse for that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

[jira] Updated: (JAMES-463) Check for reverse on HELO/EHLO

Posted by "Stefano Bagnara (JIRA)" <se...@james.apache.org>.

     [ http://issues.apache.org/jira/browse/JAMES-463?page=all ]

Stefano Bagnara updated JAMES-463:
----------------------------------

    Fix Version: 2.4.0

> Check for reverse on HELO/EHLO
> ------------------------------
>
>          Key: JAMES-463
>          URL: http://issues.apache.org/jira/browse/JAMES-463
>      Project: James
>         Type: New Feature

>   Components: SMTPServer
>     Reporter: Norman Maurer
>      Fix For: 2.4.0

>
> I complete a patch to support check that the provided helo is the reverse entry of the connected mailserver. But anyone has an idea howto write a junit test for that ? Is there a way to spoof the ip ? cause otherwise it will connect with 127.0.0.1 and this will fail cause there is no valid reverse for that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

[jira] Commented: (JAMES-463) Check for reverse on HELO/EHLO

Posted by "Stefano Bagnara (JIRA)" <se...@james.apache.org>.

    [ http://issues.apache.org/jira/browse/JAMES-463?page=comments#action_12412440 ] 

Stefano Bagnara commented on JAMES-463:
---------------------------------------

Not tested, only reviewed the patch file and here is the result:

1) I would use checkReverseEqualsEhlo instead of checkReverseEqualEhlo
2) You used tabs somewhere, please rememeber we use 4 spaces.
3) Try not to reformat code you don't touch: this make it easier to review the changes, avoid conflicts, make is easy to find out in history why a give row contains a given code.

About the previous comment on the testability you can use a Mock DNSServer, like we did in jSPF for that.

> Check for reverse on HELO/EHLO
> ------------------------------
>
>          Key: JAMES-463
>          URL: http://issues.apache.org/jira/browse/JAMES-463
>      Project: James
>         Type: New Feature

>   Components: SMTPServer
>     Reporter: Norman Maurer
>     Assignee: Norman Maurer
>      Fix For: 2.4.0
>  Attachments: helo-reverse.patch
>
> I complete a patch to support check that the provided helo is the reverse entry of the connected mailserver. But anyone has an idea howto write a junit test for that ? Is there a way to spoof the ip ? cause otherwise it will connect with 127.0.0.1 and this will fail cause there is no valid reverse for that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

Re: [jira] Commented: (JAMES-463) Check for reverse on HELO/EHLO

Posted by Stefano Bagnara <ap...@bago.org>.

Norman Maurer (JIRA) wrote:
>     [ http://issues.apache.org/jira/browse/JAMES-463?page=comments#action_12412509 ] 
> 
> Norman Maurer commented on JAMES-463:
> -------------------------------------
> 
> 1) changed
> 2) fixed
> 3) fixed.
> 
> Plz review.. I also add junit tests for this feature

Just reviewed the patch and it looks fine (not applied to my repository).

+1 to commit it.

Stefano


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org

[jira] Commented: (JAMES-463) Check for reverse on HELO/EHLO

Posted by "Norman Maurer (JIRA)" <se...@james.apache.org>.

    [ http://issues.apache.org/jira/browse/JAMES-463?page=comments#action_12412509 ] 

Norman Maurer commented on JAMES-463:
-------------------------------------

1) changed
2) fixed
3) fixed.

Plz review.. I also add junit tests for this feature

> Check for reverse on HELO/EHLO
> ------------------------------
>
>          Key: JAMES-463
>          URL: http://issues.apache.org/jira/browse/JAMES-463
>      Project: James
>         Type: New Feature

>   Components: SMTPServer
>     Reporter: Norman Maurer
>     Assignee: Norman Maurer
>      Fix For: 2.4.0
>  Attachments: HeloEhlo-reverse-check-v2.patch, helo-reverse.patch
>
> I complete a patch to support check that the provided helo is the reverse entry of the connected mailserver. But anyone has an idea howto write a junit test for that ? Is there a way to spoof the ip ? cause otherwise it will connect with 127.0.0.1 and this will fail cause there is no valid reverse for that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org