Posted to server-dev@james.apache.org by Michael Kaegi <ka...@brainware.ch> on 2002/03/12 15:05:27 UTC

Re: javax.mail.Session access protection (part IV)

Hi Serge and Danny

First, thanx for your patience with me. 
 
Yes I'm wrong with my assumption that you can hack (send email through) 
the JAMES default javax.mail.Session. 

Now I understand the problem. The SMTP specification specifies no 
authentication (user, password) mechanism. Therefore my application can 
send emails, without a valid authentication, over an SMTP server. 

A security hole? Therefore?

An SMTP server can be configured to allow\ignore SMTP "request" from 
machines. The default configuration of JAMES is to allow only SMTP 
"request" from the local machine. 

To make SMTP secure (for "remote request" and "local request") the SMTP 
AUTH specification was written. 

Now I'm on the right way? 

Thanx a lot?

Bye
Michi

RE: javax.mail.Session access protection (part IV)

Posted by Danny Angus <da...@thought.co.uk>.
> First, thanx for your patience with me.

You're welcome!

>
> Yes I'm wrong with my assumption that you can hack (send email through)
> the JAMES default javax.mail.Session.

;-)

>
> Now I understand the problem. The SMTP specification specifies no
> authentication (user, password) mechanism. Therefore my application can
> send emails, without a valid authentication, over an SMTP server.
>
> A security hole? Therefore?

It is one reason that spam can be difficult to stop, but it doesn't
compromise anyone's data.

>
> An SMTP server can be configured to allow\ignore SMTP "request" from
> machines. The default configuration of JAMES is to allow only SMTP
> "request" from the local machine.

Yes, correct.

>
> To make SMTP secure (for "remote request" and "local request") the SMTP
> AUTH specification was written.

Yes.

>
> Now I'm on the right way?

Yes, but if you look in James' config.xml you will see this:

    <mailet match="RemoteAddrNotInNetwork=127.0.0.1" class="ToProcessor">
        <processor> spam </processor>
    </mailet>

You can add IP addresses to this to allow other machines to send mail out
from James.
EG: match="RemoteAddrNotInNetwork=127.0.0.1, 192.168.0.*"
Similarly using SMTP AUTH James will only deliver mail to remote hosts when
you are Authorised.

James will accept SMTP connections from any host, so that mail can be
received from remote locations and delivered to accounts on your local
network.

d.
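An added example, not James's own code, that emulates the relay decision Danny describes: a sender outside the `RemoteAddrNotInNetwork` list is handed to the spam processor unless the session authenticated with SMTP AUTH. The network-list parser, the wildcard handling and the `transport` processor name are assumptions made for the illustration, not James's actual matcher implementation.

```python
import ipaddress

# Constructed policy string, mirroring the match value Danny suggests.
ALLOWED_NETWORKS = "127.0.0.1, 192.168.0.*"


def parse_networks(spec):
    """Parse a comma-separated list of addresses into ip_network objects.

    Assumed syntax: exact address, CIDR, or trailing-octet wildcard such as
    192.168.0.* (which becomes 192.168.0.0/24).
    """
    nets = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if "*" in item:
            octets = item.split(".")
            fixed = [o for o in octets if o != "*"]
            # Wildcards are only allowed as the trailing octets.
            if len(octets) != 4 or "*" in octets[:len(fixed)]:
                raise ValueError(f"bad wildcard pattern: {item}")
            base = ".".join(fixed + ["0"] * (4 - len(fixed)))
            nets.append(ipaddress.ip_network(f"{base}/{8 * len(fixed)}"))
        elif "/" in item:
            nets.append(ipaddress.ip_network(item, strict=False))
        else:
            nets.append(ipaddress.ip_network(item))  # single host (/32)
    return nets


def remote_addr_not_in_network(remote_addr, nets):
    """True when the connecting host is outside every trusted network."""
    addr = ipaddress.ip_address(remote_addr)
    return not any(addr in net for net in nets)


def choose_processor(remote_addr, authenticated, nets):
    """Emulated routing: untrusted, unauthenticated senders go to 'spam'.

    'transport' is an assumed name for the normal delivery processor.
    """
    if authenticated:  # SMTP AUTH succeeded: relay permitted
        return "transport"
    if remote_addr_not_in_network(remote_addr, nets):
        return "spam"  # outside the trusted list: refuse to relay
    return "transport"
```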


