Posted to server-dev@james.apache.org by Michael Kaegi <ka...@brainware.ch> on 2002/03/12 15:05:27 UTC
Re: javax.mail.Session access protection (part IV),
Hi Serge and Danny
First, thanx for your patience with me.
Yes, I'm wrong with my assumption that you can hack (send email through)
the JAMES default javax.mail.Session.
Now I understand the problem. The SMTP specification specifies no
authentication (user, password) mechanism. Therefore my application can
send emails, without a valid authentication, over an SMTP server.
A security hole? Therefore?
An SMTP server can be configured to allow/ignore SMTP "request" from
machines. The default configuration of JAMES is to allow only SMTP
"request" from the local machine.
To make SMTP secure (for "remote request" and "local request") the SMTP
AUTH specification was written.
Now I'm on the right way?
Thanx a lot?
Bye
Michi
RE: javax.mail.Session access protection (part IV),
Posted by Danny Angus <da...@thought.co.uk>.
> First, thanx for your patience with me.
You're welcome!
>
> Yes, I'm wrong with my assumption that you can hack (send email through)
> the JAMES default javax.mail.Session.
;-)
>
> Now I understand the problem. The SMTP specification specifies no
> authentication (user, password) mechanism. Therefore my application can
> send emails, without a valid authentication, over an SMTP server.
>
> A security hole? Therefore?
It is one reason that spam can be difficult to stop, but it doesn't
compromise anyone's data.
>
> An SMTP server can be configured to allow/ignore SMTP "request" from
> machines. The default configuration of JAMES is to allow only SMTP
> "request" from the local machine.
Yes, correct.
>
> To make SMTP secure (for "remote request" and "local request") the SMTP
> AUTH specification was written.
Yes.
>
> Now I'm on the right way?
Yes, but if you look in James' config.xml you will see this:
<mailet match="RemoteAddrNotInNetwork=127.0.0.1" class="ToProcessor">
    <processor> spam </processor>
</mailet>
You can add IP addresses to this to allow other machines to send mail out
from James.
E.g.: match="RemoteAddrNotInNetwork=127.0.0.1, 192.168.0.*"
Similarly, using SMTP AUTH, James will only deliver mail to remote hosts when
you are authorised.
James will accept SMTP connections from any host, so that mail can be
received from remote locations and delivered to accounts on your local
network.
d.
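As an added illustration (not James's own code), the relay-control decision that the config.xml fragment above expresses, re-implemented in Python: the wildcard-octet semantics of the condition string, the "deliver" name for the normal pipeline, and the authenticated bypass (modelling the SMTP AUTH remark) are assumptions of this example.

```python
# Illustrative re-implementation of the ToProcessor/RemoteAddrNotInNetwork decision.
# Assumption: the condition is a comma-separated list of dotted quads in which '*'
# stands for any value of that octet, as in "127.0.0.1, 192.168.0.*".

def parse_networks(condition: str) -> list[str]:
    """Split the matcher condition into individual address patterns."""
    return [p.strip() for p in condition.split(",") if p.strip()]

def octet_pattern_matches(pattern: str, addr: str) -> bool:
    """True if the dotted-quad addr matches pattern; '*' matches any octet."""
    p, a = pattern.split("."), addr.split(".")
    if len(p) != 4 or len(a) != 4:
        return False
    return all(po == "*" or po == ao for po, ao in zip(p, a))

def remote_addr_not_in_network(condition: str, remote_addr: str) -> bool:
    """Mirror the matcher: True when the peer is outside every listed network."""
    return not any(octet_pattern_matches(p, remote_addr) for p in parse_networks(condition))

def choose_processor(condition: str, remote_addr: str, smtp_authenticated: bool = False) -> str:
    """Relay control: peers inside the listed networks, or (assumed) peers that passed
    SMTP AUTH, continue to normal delivery ("deliver" is a stand-in name); everyone
    else is diverted to the 'spam' processor named in the mailet."""
    if smtp_authenticated:
        return "deliver"
    if remote_addr_not_in_network(condition, remote_addr):
        return "spam"
    return "deliver"

def overly_broad_patterns(condition: str) -> list[str]:
    """Flag entries such as '*.*.*.*' that match every peer: one of these in the
    condition would make the server relay for anyone, i.e. an open relay."""
    return [p for p in parse_networks(condition) if p.split(".") == ["*"] * 4]

if __name__ == "__main__":
    cond = "127.0.0.1, 192.168.0.*"   # the example condition from the reply
    for peer in ("127.0.0.1", "192.168.0.42", "192.168.1.42", "203.0.113.7"):
        print(peer, "->", choose_processor(cond, peer))
    print("authenticated 203.0.113.7 ->", choose_processor(cond, "203.0.113.7", True))
    print("open relay risk:", overly_broad_patterns("127.0.0.1, *.*.*.*"))
```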