You are viewing a plain text version of this content. The canonical link for it is here.
Posted to server-user@james.apache.org by Ashton Holmes <ro...@scoopta.ninja> on 2018/07/09 05:21:09 UTC
Disabling JMX/Securing james
Is there any way to completely disable JMX? I've changed the
com.sun.management.jmxremote property to false but james-cli is still
able to connect and interact with the server. If not then maybe I'm
asking the wrong question. This server has multiple users with shell
access and I am looking to make it so they can't just download a james
zip and use james-cli to change server settings. James is running as its
own user in a folder with the proper permissions so they can't directly
access the email data but because james-cli goes over the network it
makes it somewhat a mute point allowing anyone with shell access to
change passwords, create accounts, etc.
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
Re: Disabling JMX/Securing james
Posted by Ashton Holmes <ro...@scoopta.ninja>.
Ahhh yeah that's probably my problem then. Oh well. As I said I've
addressed the issue outside of James
On 07/11/2018 07:06 PM, Benoit Tellier wrote:
> Hello Ashton Holmes,
>
> What Raphael did not tell you in his previous email is that this setting
> is Guice specific. It is not working with the Spring default binaries
> that you might be using.
>
> Cheers,
>
> Benoit Tellier
>
>
> Le 12/07/2018 à 02:03, Ashton Holmes a écrit :
>> That doesn't seem to work for me. The setting seems to get completely
>> ignored, however, I've come up with my own solution. I setup some
>> nftables firewall rules so that only certain users can open outbound
>> sockets on the JMX port and it's actually a more helpful solution
>> anyway because it means I can still admin the server without
>> restarting it and opening JMX to all users.
>>
>>
>> On 07/09/2018 06:10 AM, Raphael OUAZANA wrote:
>>> Hi,
>>>
>>> We (very) recently added an option to deactivate JMX, see:
>>> http://james.apache.org/server/config-system.html
>>>
>>> Regards,
>>> Raphaël Ouazana.
>>>
>>> Le 2018-07-09 07:21, Ashton Holmes a écrit :
>>>> Is there any way to completely disable JMX? I've changed the
>>>> com.sun.management.jmxremote property to false but james-cli is still
>>>> able to connect and interact with the server. If not then maybe I'm
>>>> asking the wrong question. This server has multiple users with shell
>>>> access and I am looking to make it so they can't just download a james
>>>> zip and use james-cli to change server settings. James is running as
>>>> its own user in a folder with the proper permissions so they can't
>>>> directly access the email data but because james-cli goes over the
>>>> network it makes it somewhat a mute point allowing anyone with shell
>>>> access to change passwords, create accounts, etc.
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
>>>> For additional commands, e-mail: server-user-help@james.apache.org
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
>> For additional commands, e-mail: server-user-help@james.apache.org
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
Re: Disabling JMX/Securing james
Posted by Benoit Tellier <bt...@linagora.com>.
Hello Ashton Holmes,
What Raphael did not tell you in his previous email is that this setting
is Guice specific. It is not working with the Spring default binaries
that you might be using.
Cheers,
Benoit Tellier
Le 12/07/2018 à 02:03, Ashton Holmes a écrit :
> That doesn't seem to work for me. The setting seems to get completely
> ignored, however, I've come up with my own solution. I setup some
> nftables firewall rules so that only certain users can open outbound
> sockets on the JMX port and it's actually a more helpful solution
> anyway because it means I can still admin the server without
> restarting it and opening JMX to all users.
>
>
> On 07/09/2018 06:10 AM, Raphael OUAZANA wrote:
>> Hi,
>>
>> We (very) recently added an option to deactivate JMX, see:
>> http://james.apache.org/server/config-system.html
>>
>> Regards,
>> Raphaël Ouazana.
>>
>> Le 2018-07-09 07:21, Ashton Holmes a écrit :
>>> Is there any way to completely disable JMX? I've changed the
>>> com.sun.management.jmxremote property to false but james-cli is still
>>> able to connect and interact with the server. If not then maybe I'm
>>> asking the wrong question. This server has multiple users with shell
>>> access and I am looking to make it so they can't just download a james
>>> zip and use james-cli to change server settings. James is running as
>>> its own user in a folder with the proper permissions so they can't
>>> directly access the email data but because james-cli goes over the
>>> network it makes it somewhat a mute point allowing anyone with shell
>>> access to change passwords, create accounts, etc.
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
>>> For additional commands, e-mail: server-user-help@james.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
Re: Disabling JMX/Securing james
Posted by Ashton Holmes <ro...@scoopta.ninja>.
That doesn't seem to work for me. The setting seems to get completely
ignored, however, I've come up with my own solution. I setup some
nftables firewall rules so that only certain users can open outbound
sockets on the JMX port and it's actually a more helpful solution anyway
because it means I can still admin the server without restarting it and
opening JMX to all users.
On 07/09/2018 06:10 AM, Raphael OUAZANA wrote:
> Hi,
>
> We (very) recently added an option to deactivate JMX, see:
> http://james.apache.org/server/config-system.html
>
> Regards,
> Raphaël Ouazana.
>
> Le 2018-07-09 07:21, Ashton Holmes a écrit :
>> Is there any way to completely disable JMX? I've changed the
>> com.sun.management.jmxremote property to false but james-cli is still
>> able to connect and interact with the server. If not then maybe I'm
>> asking the wrong question. This server has multiple users with shell
>> access and I am looking to make it so they can't just download a james
>> zip and use james-cli to change server settings. James is running as
>> its own user in a folder with the proper permissions so they can't
>> directly access the email data but because james-cli goes over the
>> network it makes it somewhat a mute point allowing anyone with shell
>> access to change passwords, create accounts, etc.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
>> For additional commands, e-mail: server-user-help@james.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
Re: Disabling JMX/Securing james
Posted by Raphael OUAZANA <ra...@linagora.com>.
Hi,
We (very) recently added an option to deactivate JMX, see:
http://james.apache.org/server/config-system.html
Regards,
Raphaël Ouazana.
Le 2018-07-09 07:21, Ashton Holmes a écrit :
> Is there any way to completely disable JMX? I've changed the
> com.sun.management.jmxremote property to false but james-cli is still
> able to connect and interact with the server. If not then maybe I'm
> asking the wrong question. This server has multiple users with shell
> access and I am looking to make it so they can't just download a james
> zip and use james-cli to change server settings. James is running as
> its own user in a folder with the proper permissions so they can't
> directly access the email data but because james-cli goes over the
> network it makes it somewhat a mute point allowing anyone with shell
> access to change passwords, create accounts, etc.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org