what is the best way to secure an open relay server without restricting senders

[Amarish Khopkar <am...@gmail.com>]

Hi Guys,

I'm configuring my James server to do the following.  I have a domain
mydomain.org where I've installed James for a forum type website I'm
creating.  What I want is functionality for mail forwarding where I will
have thousands of users that do posts.  On those posts, I display their
mydomain email address such as user-12345@mydomain.org.  This is a generated
address that maps to their actual address such as user@gmail.com.  I've
configured my James server to use JDBC Aliasing so that when somebody sends
an email to user-12345@mydomain.com, it will be forwarded to user@gmail.com.
However, I had to disable the smtp security feature as well as the relay
denied security feature (to prevent the relay-denied 550 error).

My question is how do I know secure my James server such that it doesn't get
used as an open relay server for spam, but still keep this functionality
intact.  What I'm looking for is being able to accept all incoming mail from
anybody only as long as they are sending to something like
user-12345@mydomain.org.  Otherwise, I want it to only be used as an open
relay smtp server from localhost where my application will send mail using
javamail, using the james server as an smtp server.

What is the best way to configure James to do this?

Any suggestions would be greatly appreciated.

Thanks,

Amarish

Re: what is the best way to secure an open relay server without restricting senders

[Amarish Khopkar <am...@gmail.com>]

Hi Stefano,

Thanks a lot for your help.  I will try that and let you know.

Amarish


On 2/13/06, Stefano Bagnara <ap...@bago.org> wrote:
>
> Amarish Khopkar wrote:
> > Thanks for your suggestion.
> >
> > Sorry about this but I'm going to ask a novice question as I'm a
> beginner to
> > James.  I would like to try your suggestion.  How do I 'flag'  a
> rewritten
> > mail so that it doesn't get processed by the relaying denied
> processor?  I
> > don't actually see a mailet that does flagging in the docs.
> >
> > Amarish
>
> Check the SetMailAttribute mailet and the HasMailAttribute matcher.
>
> <mailet match="HostIs=yourdomain.com" class="SetMailAttribute">
>      <myflag>myvalue</myflag>
> </mailet>
>
>
> <mailet match="HostIs=yourdomain.com" class="VirtuserTable">
> ....
> </mailet>
>
> ...
>
> <mailet match="HasMailAttribute=myflag" class="ToProcessor">
>    <processor>transport</processor>
> </mailet>
>
> Stefano
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org
>
>

Re: what is the best way to secure an open relay server without restricting senders

[Stefano Bagnara <ap...@bago.org>]

Amarish Khopkar wrote:
> Thanks for your suggestion.
> 
> Sorry about this but I'm going to ask a novice question as I'm a beginner to
> James.  I would like to try your suggestion.  How do I 'flag'  a rewritten
> mail so that it doesn't get processed by the relaying denied processor?  I
> don't actually see a mailet that does flagging in the docs.
> 
> Amarish

Check the SetMailAttribute mailet and the HasMailAttribute matcher.

<mailet match="HostIs=yourdomain.com" class="SetMailAttribute">
     <myflag>myvalue</myflag>
</mailet>


<mailet match="HostIs=yourdomain.com" class="VirtuserTable">
....
</mailet>

...

<mailet match="HasMailAttribute=myflag" class="ToProcessor">
   <processor>transport</processor>
</mailet>

Stefano

---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org

RE: what is the best way to secure an open relay server without restricting senders

["Kyle W. Cartmell" <ky...@firstfinance.org>]

I don't know that what you're looking for has been discussed here
previously, but consider using the mailing list archives to search for
previous discussions that may be of assistance to you. Faster turnaround
time, and you're less likely to have to deal with cranky people, not that I
have ever seen a cranky response on this particular list. :)

Kyle W. Cartmell
Sr. Software Developer
LAP Holdings, LLC dba First Finance
Phone: (480) 222-1301
Toll Free: (800) 355-3135
kylecartmell@firstfinance.org
www.efirstfinance.com

-----Original Message-----
From: Amarish Khopkar [mailto:amarish.khopkar@gmail.com]
Sent: Monday, February 13, 2006 4:20 PM
To: James Users List
Subject: Re: what is the best way to secure an open relay server without
restricting senders


Thanks for your suggestion.

Sorry about this but I'm going to ask a novice question as I'm a beginner to
James.  I would like to try your suggestion.  How do I 'flag'  a rewritten
mail so that it doesn't get processed by the relaying denied processor?  I
don't actually see a mailet that does flagging in the docs.

Amarish


On 2/13/06, Stefano Bagnara <ap...@bago.org> wrote:
>
> Amarish Khopkar wrote:
> > My question is how do I know secure my James server such that it doesn't
> get
> > used as an open relay server for spam, but still keep this functionality
> > intact.  What I'm looking for is being able to accept all incoming mail
> from
> > anybody only as long as they are sending to something like
> > user-12345@mydomain.org.  Otherwise, I want it to only be used as an
> open
> > relay smtp server from localhost where my application will send mail
> using
> > javamail, using the james server as an smtp server.
> >
> > What is the best way to configure James to do this?
>
> I'm not sure I understand the problem: adding mydomain.org to your
> "server names" does not work?
>
> Keep on the smtp security and flag "rewritten" mails so that they don't
> run in the relay check mailet.
>
> Stefano
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org

Re: what is the best way to secure an open relay server without restricting senders

[Amarish Khopkar <am...@gmail.com>]

Thanks for your suggestion.

Sorry about this but I'm going to ask a novice question as I'm a beginner to
James.  I would like to try your suggestion.  How do I 'flag'  a rewritten
mail so that it doesn't get processed by the relaying denied processor?  I
don't actually see a mailet that does flagging in the docs.

Amarish


On 2/13/06, Stefano Bagnara <ap...@bago.org> wrote:
>
> Amarish Khopkar wrote:
> > My question is how do I know secure my James server such that it doesn't
> get
> > used as an open relay server for spam, but still keep this functionality
> > intact.  What I'm looking for is being able to accept all incoming mail
> from
> > anybody only as long as they are sending to something like
> > user-12345@mydomain.org.  Otherwise, I want it to only be used as an
> open
> > relay smtp server from localhost where my application will send mail
> using
> > javamail, using the james server as an smtp server.
> >
> > What is the best way to configure James to do this?
>
> I'm not sure I understand the problem: adding mydomain.org to your
> "server names" does not work?
>
> Keep on the smtp security and flag "rewritten" mails so that they don't
> run in the relay check mailet.
>
> Stefano
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org
>
>

Re: what is the best way to secure an open relay server without restricting senders

[Stefano Bagnara <ap...@bago.org>]

Amarish Khopkar wrote:
> My question is how do I know secure my James server such that it doesn't get
> used as an open relay server for spam, but still keep this functionality
> intact.  What I'm looking for is being able to accept all incoming mail from
> anybody only as long as they are sending to something like
> user-12345@mydomain.org.  Otherwise, I want it to only be used as an open
> relay smtp server from localhost where my application will send mail using
> javamail, using the james server as an smtp server.
> 
> What is the best way to configure James to do this?

I'm not sure I understand the problem: adding mydomain.org to your 
"server names" does not work?

Keep on the smtp security and flag "rewritten" mails so that they don't 
run in the relay check mailet.

Stefano

---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org