Posted to server-user@james.apache.org by Ken Lin <ke...@yahoo.com> on 2006/03/07 21:02:28 UTC
james SMTP authentication enforcement
Hi:
I installed the james mail server behind a firewall, and exposed its SMTP port through firewall tunneling. Because of the firewall, I cannot do any IP based authentication because all incoming connections show the internal address of the firewall (192.0.something).
I turned on the SMTP authentication, and expected it to authenticate each email whose "from" address contains the server name that James is responsible for.
I tried a mail server testing web site to test whether the james server rejects spam properly. It seems that the authentication of SMTP was turned on in every case where the "from" address contains the server name EXCEPT in one case where both the "from" address and "to" address contain the server name.
Can anyone help point out how I can turn on SMTP authentication for James in the case where the "from" address and "to" address contain the server name that James is responsible for?
Thanks in advance!
Ken
RE: james SMTP authentication enforcement
Posted by "Noel J. Bergman" <no...@devtech.com>.
See also the "Secure Mailing List using S/MIME" discussion from January.
There are some comments in there from Stefano that could apply.
--- Noel
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
Re: james SMTP authentication enforcement
Posted by Stefano Bagnara <ap...@bago.org>.
Ken Lin wrote:
> However, if the administrator does turn on SMTP authentication, the email clients of internal users will anyway need to be set up to send in authentication information on every SMTP request. I wonder why the administrator wants to deliberately disable SMTP authentication for ALL intra-domain emails (which is the current behavior of James). Why should SMTP only protect emails sent to outside of the corporation, and not emails to a corporation?
SMTP authentication is intended to give the sender "special" relaying
permissions. To send a message to a local address is not a special
permission.
Most "big companies" (as you refer to them) will have people around the
world that should be able to send mail from their company email to other
email of the same company but are unable to connect directly to the smtp
server and will use the smtp server of their connectivity provider.
This way the message from a@xyz.com to b@xyz.com will be relayed from
the connectivity provider (because they mostly authorize based on IP
addresses) and the message will be forwarded to the company smtp server
that will reject the message.
IMHO this is an unwanted behaviour.
IMHO your intended behaviour (a better one, that includes your behaviour)
should be achieved using SPF.
Stefano
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
RE: james SMTP authentication enforcement
Posted by "Noel J. Bergman" <no...@devtech.com>.
> However, if the administrator does turn on SMTP authentication, email
> client of internal users will anyway need to be set up to send in
> authentication information on every SMTP request.
We put in support years ago so that an administrator can set up trusted
subnets, removing the requirement for clients in those subnets to
authenticate. IP address and cryptographic data are the only reliable
tests. Nothing else in RFC 2821 and RFC 2822 is non-spoofable. SPF, for
example, comes down to eventual IP address checking, having determined the
list of IP addresses which a given domain has claimed are valid from it to
send.
If anyone wants to write some SPF code for JAMES, one way would be to base
it on creating and caching a netmatcher for each sender domain.
--- Noel
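The per-domain matcher cache Noel suggests, sketched as an added Java example; it is not James code and not part of the original message. The class name, the resolver function standing in for an SPF lookup, and the sample ranges are assumptions; a real implementation would resolve the sender domain's SPF record from DNS and expire cached entries.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

/** Added illustration of a per-sender-domain network matcher cache; not James code. */
public class SenderDomainNetCache {

    enum Result { PASS, FAIL, NONE }

    /** One CIDR block such as "192.0.2.0/24" or "2001:db8:25::/48". */
    static final class Cidr {
        private final byte[] network;
        private final int prefixBits;

        Cidr(String spec) {
            int slash = spec.indexOf('/');
            network = literal(slash < 0 ? spec : spec.substring(0, slash));
            prefixBits = slash < 0 ? network.length * 8
                                   : Integer.parseInt(spec.substring(slash + 1));
            if (prefixBits < 0 || prefixBits > network.length * 8) {
                throw new IllegalArgumentException("bad prefix length: " + spec);
            }
        }

        boolean contains(byte[] addr) {
            if (addr.length != network.length) return false;  // IPv4 never matches IPv6
            int whole = prefixBits / 8;
            for (int i = 0; i < whole; i++) {
                if (addr[i] != network[i]) return false;
            }
            int rest = prefixBits % 8;
            if (rest == 0) return true;
            int mask = (0xFF << (8 - rest)) & 0xFF;
            return (addr[whole] & mask) == (network[whole] & mask);
        }
    }

    /** Parses an IP literal. The character check keeps typical host names away from the resolver. */
    static byte[] literal(String ip) {
        if (!ip.matches("[0-9A-Fa-f:.]+")) {
            throw new IllegalArgumentException("not an IP literal: " + ip);
        }
        try {
            return InetAddress.getByName(ip).getAddress();
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("not an IP literal: " + ip, e);
        }
    }

    // No expiry here: a real cache must honour the TTL of the DNS answer.
    private final Map<String, List<Cidr>> cache = new ConcurrentHashMap<>();
    // Hypothetical resolver: sender domain -> CIDR ranges it has published, or null.
    private final Function<String, List<String>> publishedRanges;

    SenderDomainNetCache(Function<String, List<String>> publishedRanges) {
        this.publishedRanges = publishedRanges;
    }

    /** PASS if clientIp is in a range the sender domain published, NONE if it published nothing. */
    Result check(String senderDomain, String clientIp) {
        if (senderDomain == null || senderDomain.isEmpty()) return Result.NONE;
        List<Cidr> nets = cache.computeIfAbsent(senderDomain.toLowerCase(Locale.ROOT), d -> {
            List<String> specs = publishedRanges.apply(d);
            if (specs == null) return null;  // nothing published, so nothing is cached
            List<Cidr> parsed = new ArrayList<>();
            for (String s : specs) parsed.add(new Cidr(s));
            return parsed;
        });
        if (nets == null) return Result.NONE;
        byte[] ip = literal(clientIp);
        for (Cidr c : nets) {
            if (c.contains(ip)) return Result.PASS;
        }
        return Result.FAIL;
    }

    public static void main(String[] args) {
        // Constructed data standing in for what a real SPF lookup would return.
        Map<String, List<String>> published = Map.of(
            "xyz.com", List.of("192.0.2.0/24", "2001:db8:25::/48"));
        int[] lookups = {0};
        SenderDomainNetCache cache = new SenderDomainNetCache(d -> {
            lookups[0]++;
            return published.get(d);
        });
        String[][] cases = {  // {sender domain, connecting client address}
            {"xyz.com", "192.0.2.25"},
            {"XYZ.com", "198.51.100.7"},
            {"xyz.com", "2001:db8:25::1"},
            {"other.example", "192.0.2.25"},
        };
        for (String[] c : cases) {
            System.out.printf("%-14s from %-15s -> %s%n", c[0], c[1], cache.check(c[0], c[1]));
        }
        System.out.println("resolver calls: " + lookups[0]);
    }
}
```

The check is only meaningful when the server sees the real client address; behind the tunnelling firewall described in the first post, every connection would present the same internal address.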
RE: james SMTP authentication enforcement
Posted by Ken Lin <ke...@yahoo.com>.
Yes. I will ensure the fix will never block email to postmaster.
Per prior discussion on the default behavior for SMTP authentication, I hope to classify the 2 types of email traffic:
(1) inter-domain: the sender and recipient address contain different domain name
(2) intra-domain: the sender and recipient address contain same domain name.
I so-far hear two arguments that we should not enforce SMTP authentication for intra-domain traffic:
(1) RFC requires us to deliver to postmaster. Further, there might be a business need for a list of "guaranteed delivery" emails.
(2) Intra-domain emails are less important than inter-domain emails. SMTP authentication doesn't completely prevent inter-domain email address spoofing, so we shouldn't use it to prevent "intra-domain" spoofing.
I think argument (1) is valid, and we should address it.
However, I feel argument (2) is invalid.
The intra-domain problem is quite important for large corporations (say corporations > 100 people) and large ISPs (like aol, yahoo, gmail or hotmail), because in these cases intra-domain emails are a significant portion of all email traffic (especially in large corporations).
Intra-domain emails are not easy to protect either because of factors like the large number of users, the possibility of malicious attacks (worms or human), and the inability to constrain users' IP addresses (in case of yahoo, gmail, etc.).
People do forget passwords from time to time, so I can see the administrator might want to make an exception for a small list of special destination addresses (like postmaster@, abuse@, support@, etc).
However, if the administrator does turn on SMTP authentication, the email clients of internal users will anyway need to be set up to send in authentication information on every SMTP request. I wonder why the administrator wants to deliberately disable SMTP authentication for ALL intra-domain emails (which is the current behavior of James). Why should SMTP only protect emails sent to outside of the corporation, and not emails to a corporation?
Ken
RE: james SMTP authentication enforcement
Posted by "Noel J. Bergman" <no...@devtech.com>.
> RFC 2821 - Simple Mail Transfer Protocol
> 4.5.1 Minimum Implementation
> Any system that includes an SMTP server supporting mail relaying or
> delivery MUST support the reserved mailbox "postmaster" as a case-
> insensitive local name.
See also: http://www.rfc-ignorant.org/
People really do maintain block lists of those who do not properly follow
the RFCs.
--- Noel
Re: james SMTP authentication enforcement
Posted by Ken Lin <ke...@yahoo.com>.
Stefano:
Thanks for pointing that out. I was looking at the older version of the SMTP RFC. I will let you know once the code is ready.
Ken
Re: james SMTP authentication enforcement
Posted by Stefano Bagnara <ap...@bago.org>.
Ken Lin wrote:
> Stefano:
> I went ahead and tested a few other ISPs' and corporations' email. It seems when SMTP authentication is not established, many directly reject any mail with sender containing the designated domain name. Here are the servers I tested that rejected all spoofs:
>
> Mail ISP:
> Gmail: gsmtp183.google.com
I just sent a mail from one of my gmail account to another of my gmail
account using their smtp server without authentication and I have been
successful.
You're probably missing something in the tests, or I don't understand
what you are testing.
[edentist][/var/log]$ telnet gsmtp163.google.com 25
Trying 64.233.163.27...
Connected to gsmtp163.google.com.
Escape character is '^]'.
220 mx.gmail.com ESMTP 38si1843438nzk
ehlo pippo.com
250-mx.gmail.com at your service
250-SIZE 20971520
250-8BITMIME
250 ENHANCEDSTATUSCODES
mail from: <my...@gmail.com>
250 2.1.0 OK
rcpt to: <my...@gmail.com>
250 2.1.5 OK
data
354 Go ahead
Subject: test
body
.
250 2.0.0 OK 1141947204 38si1843438nzk
quit
221 2.0.0 mx.gmail.com closing connection 38si1843438nzk
Connection closed by foreign host.
And I successfully received the message.
I don't test all the other servers because there is obviously a
misunderstanding in this conversation.
> Just to make sure that the code change won't violate the RFC, can you let me know the RFC number and section number that mandates any email from @xyz.com can be sent to postmaster@xyz.com without SMTP authentication? I looked at the following two RFCs from the IETF site and couldn't find this mandate:
> SMTP RFC (821): http://www.ietf.org/rfc/rfc0821.txt
> SMTP authentication RFC (2554): http://www.ietf.org/rfc/rfc2554.txt
RFC 2821 - Simple Mail Transfer Protocol
4.5.1 Minimum Implementation
Any system that includes an SMTP server supporting mail relaying or
delivery MUST support the reserved mailbox "postmaster" as a case-
insensitive local name. This postmaster address is not strictly
necessary if the server always returns 554 on connection opening (as
described in section 3.1). The requirement to accept mail for
postmaster implies that RCPT commands which specify a mailbox for
postmaster at any of the domains for which the SMTP server provides
mail service, as well as the special case of "RCPT TO:<Postmaster>"
(with no domain specification), MUST be supported.
SMTP systems are expected to make every reasonable effort to accept
mail directed to Postmaster from any other system on the Internet.
In extreme cases --such as to contain a denial of service attack or
other breach of security-- an SMTP server may block mail directed to
Postmaster. However, such arrangements SHOULD be narrowly tailored
so as to avoid blocking messages which are not part of such attacks.
Stefano
Re: james SMTP authentication enforcement
Posted by Ken Lin <ke...@yahoo.com>.
Stefano:
Great to hear from your experience. It sounds like a lot of effort to become a committer.
Here is the open relay testing site that I used:
http://www.abuse.net/relay.html
This appears to be pretty popular as it showed up as the top link on google for "mail relay test". My james server failed the test case I mentioned earlier in email (spoofing ...@xyz.com to ...@xyz.com).
I went ahead and tested a few other ISPs' and corporations' email. It seems when SMTP authentication is not established, many directly reject any mail with sender containing the designated domain name. Here are the servers I tested that rejected all spoofs:
Mail ISP:
Gmail: gsmtp183.google.com
Hotmail: mf4100beta1.solinus.com
Corporation email:
Google.com: smtp1.google.com
Amazon.com: smtp-fw-0101.amazon.com
Microsoft.com: mailb.microsoft.com
The test on Yahoo seems to have failed in that it accepts a "fake" email from ...@yahoo.com to ...@yahoo.com. However, it is possible that yahoo "drops" spoofed mails in the spooling queue (like using a configuration similar to what you posted earlier). I need to confirm this later. (I can't do the spoofing testing at work at the moment because our corporate firewall blocks all outgoing port 25 access.)
Just to make sure that the code change won't violate the RFC, can you let me know the RFC number and section number that mandates any email from @xyz.com can be sent to postmaster@xyz.com without SMTP authentication? I looked at the following two RFCs from the IETF site and couldn't find this mandate:
SMTP RFC (821): http://www.ietf.org/rfc/rfc0821.txt
SMTP authentication RFC (2554): http://www.ietf.org/rfc/rfc2554.txt
Ken
Re: james SMTP authentication enforcement
Posted by Stefano Bagnara <ap...@bago.org>.
Ken Lin wrote:
> Maybe this method of "spoofing" users has been overlooked. Even if James has SMTP turned on, I can impersonate any user of the server and send another user an email without any authentication. In a way, it seems to be a security hole open by default unless people apply your section of configuration.
You, anyway, will never stop people from using your email as sender
address and sending messages around the world. There are solutions to stop
this behaviour (e.g. SPF) but they are not supported by all SMTP servers, so I
don't think that we can consider this thing a "security hole" in james.
I'm not 100% sure, but I bet that most mail servers will not block
messages with a "from:" containing a local domain from being relayed (even
with authentication on).
> Well we check for recipient address in the first place. This checking is not explicitly mentioned in the RFC either, but is just implicitly allowed. By the same token, checking the sender address should be allowed too.
You'd not be RFC compliant because you MUST accept a mail "from:
xxx@xyz.com" "to: postmaster@xyz.com" even without authentication.
I think that this is not specified in the RFC and is not even common
practice for SMTP servers and we should not make it the default.
Btw, if you want to write a patch to provide an option to enable this
behaviour I'll try to review it.
> What do you think? Actually, are you a software developer on the James team? How do I become one?
I'm a James committer. I've been "proposed" by other James committers
one year ago after many months of support here in the list and after
having submitted many patches to the issue tracker.
Stefano
Re: james SMTP authentication enforcement
Posted by Ken Lin <ke...@yahoo.com>.
Stefano:
Thanks! I tested the configuration and found that it works.
Maybe this method of "spoofing" users has been overlooked. Even if James has SMTP turned on, I can impersonate any user of the server and send another user an email without any authentication. In a way, it seems to be a security hole open by default unless people apply your section of configuration.
This seems to be fairly easy to fix in the source code. In SMTPHandler.java, the condition for bouncing back error 530 during an SMTP session goes like this:
    if (authRequired) {
        // no user has authenticated on this session
        if (getUser() == null) {
            String toDomain = recipientAddress.getHost();
            // recipient domain is not one this server is responsible for
            if (!theConfigData.getMailServer().isLocalServer(toDomain)) {
                responseString = "530 Authentication Required";
                writeLoggedFlushedResponse(responseString);
                ...
Now to close the hole, we need to add one more condition to give out error 530. We just need to change the following line
    if (!theConfigData.getMailServer().isLocalServer(toDomain))
to something like this:
    if ( ( !theConfigData.getMailServer().isLocalServer(toDomain) )
        || theConfigData.getMailServer().isLocalServer(senderAddress.getHost()) )
As you pointed out, SMTP authentication is not associated with the sender address in the SMTP RFC, so I did suspect that this additional condition *might* violate the RFC. However, I double-checked with RFC 2554. It seems actually such checking is allowed. The wording for error 530 is actually fairly weak:
    530 Authentication required
    This response may be returned by any command other than AUTH, EHLO,
    HELO, NOOP, RSET, or QUIT. It indicates that server policy requires
    authentication in order to perform the requested action.
Well we check for recipient address in the first place. This checking is not explicitly mentioned in the RFC either, but is just implicitly allowed. By the same token, checking the sender address should be allowed too.
What do you think? Actually, are you a software developer on the James team? How do I become one?
Ken
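The RCPT-time decision proposed in the message above, combined with the postmaster exception from RFC 2821 section 4.5.1 that is raised elsewhere in this thread, as a stand-alone added example; it is not James source code and not part of the original message. The class name, the checkLocalSender switch and the sample envelopes are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Set;

/** Added illustration of the RCPT-time decision; not James source code. */
public class RcptAuthPolicy {

    enum Decision { ACCEPT, REJECT_530 }

    private final Set<String> localDomains;  // lower-case; stands in for the <servernames> list
    private final boolean authRequired;
    private final boolean checkLocalSender;  // hypothetical opt-in for the extra sender test

    RcptAuthPolicy(Set<String> localDomains, boolean authRequired, boolean checkLocalSender) {
        this.localDomains = localDomains;
        this.authRequired = authRequired;
        this.checkLocalSender = checkLocalSender;
    }

    /** Lower-cased domain part, or null for the null reverse-path and for a bare local part. */
    static String domainOf(String address) {
        if (address == null) return null;
        int at = address.lastIndexOf('@');
        return at < 0 ? null : address.substring(at + 1).toLowerCase(Locale.ROOT);
    }

    /** RFC 2821 4.5.1: "postmaster" is a reserved, case-insensitive local name. */
    static boolean isPostmaster(String rcpt) {
        int at = rcpt.lastIndexOf('@');
        return (at < 0 ? rcpt : rcpt.substring(0, at)).equalsIgnoreCase("postmaster");
    }

    boolean isLocal(String domain) {
        return domain != null && localDomains.contains(domain);
    }

    /**
     * @param authUser null when the session has not completed SMTP AUTH
     * @param mailFrom envelope sender; "" for the null reverse-path used by bounces
     * @param rcptTo   envelope recipient
     */
    Decision onRcpt(String authUser, String mailFrom, String rcptTo) {
        if (!authRequired || authUser != null) {
            return Decision.ACCEPT;            // authenticated sessions skip the relay checks
        }
        String toDomain = domainOf(rcptTo);
        boolean barePostmaster = toDomain == null && isPostmaster(rcptTo);
        if (!isLocal(toDomain) && !barePostmaster) {
            return Decision.REJECT_530;        // existing rule: no anonymous relaying
        }
        if (isPostmaster(rcptTo)) {
            return Decision.ACCEPT;            // postmaster stays reachable without AUTH
        }
        if (checkLocalSender && isLocal(domainOf(mailFrom))) {
            return Decision.REJECT_530;        // added rule: a local sender must authenticate
        }
        return Decision.ACCEPT;                // ordinary inbound mail, bounces included
    }

    public static void main(String[] args) {
        RcptAuthPolicy policy = new RcptAuthPolicy(Set.of("xyz.com"), true, true);
        // Constructed envelopes: {authenticated user, MAIL FROM, RCPT TO}
        String[][] cases = {
            {null,    "admin@xyz.com",       "bob@xyz.com"},             // unauthenticated intra-domain
            {"alice", "alice@xyz.com",       "bob@xyz.com"},             // authenticated intra-domain
            {null,    "carol@other.example", "bob@xyz.com"},             // normal inbound mail
            {null,    "admin@xyz.com",       "Postmaster@xyz.com"},      // postmaster, any case
            {null,    "admin@xyz.com",       "Postmaster"},              // postmaster without a domain
            {null,    "",                    "bob@xyz.com"},             // bounce with null sender
            {null,    "carol@other.example", "dave@elsewhere.example"},  // relay attempt
        };
        for (String[] c : cases) {
            System.out.printf("auth=%-5s from=%-20s to=%-24s -> %s%n",
                    c[0], c[1], c[2], policy.onRcpt(c[0], c[1], c[2]));
        }
    }
}
```

The first case is also what the server sees when a roaming employee relays through an ISP's server without authenticating, which is the trade-off Stefano raises in this thread.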
Re: james SMTP authentication enforcement
Posted by Stefano Bagnara <ap...@bago.org>.
Ken Lin wrote:
> Stefano:
>
> Here is the actual scenario I am trying to prevent: Let's say I use the james email server at corporation xyz.com. A hacker/email worm program telnets to the SMTP port (inside or outside the corporate firewall), uses one of the employees' email addresses as the "from" address (say admin@xyz.com), and sends another employee an email. You can see how this is clearly dangerous because a hacker/email worm can impersonate anybody in the corporation.
>
> As my server is configured now, it will allow this attack because (a) IP-based authentication is not reliable at all because the attacker or worm could be inside or outside the corporate firewall
> (b) SMTP authentication is not required because RCPT TO address contains "@xyz.com"
>
> I would like to disable all relaying if both conditions are true:
> * The "from" address contains @xyz.com
> * The sender is not authenticated.
>
> How can I achieve this goal?
Currently mail will be sent to the "transport" processor when ready to
be sent.
You should create a new "sendercheck" processor in the process.
<processor name="sendercheck">
  <!-- authenticated senders continue to normal delivery -->
  <mailet match="SMTPAuthSuccessful" class="ToProcessor">
    <processor>transport</processor>
  </mailet>
  <!-- unauthenticated mail claiming a sender at the local domain -->
  <mailet match="SenderHostIs=xyz.com" class="ToProcessor">
    <!-- you can change the ToProcessor to something else, or change the processor to your needs -->
    <processor>error</processor>
  </mailet>
  <!-- everything else is delivered as before -->
  <mailet match="All" class="ToProcessor">
    <processor>transport</processor>
  </mailet>
</processor>
Then you change the current calls to processor "transport" to calls to
the "sendercheck" processor.
Stefano
Re: james SMTP authentication enforcement
Posted by Ken Lin <ke...@yahoo.com>.
Stefano:
Here is the actual scenario I am trying to prevent: Let's say I use the james email server at corporation xyz.com. A hacker/email worm program telnets to the SMTP port (inside or outside the corporate firewall), uses one of the employees' email addresses as the "from" address (say admin@xyz.com), and sends another employee an email. You can see how this is clearly dangerous because a hacker/email worm can impersonate anybody in the corporation.
As my server is configured now, it will allow this attack because (a) IP-based authentication is not reliable at all because the attacker or worm could be inside or outside the corporate firewall
(b) SMTP authentication is not required because RCPT TO address contains "@xyz.com"
I would like to disable all relaying if both conditions are true:
* The "from" address contains @xyz.com
* The sender is not authenticated.
How can I achieve this goal?
Ken
Re: james SMTP authentication enforcement
Posted by Stefano Bagnara <ap...@bago.org>.
SMTP Authentication is defined in the SMTP rfc and is not related to
the from address.
If you are authenticated james does not perform relay checks. If you are
not authenticated then messages destined (SMTP RCPT TO: command
argument) for domains included in "<servernames>" will be accepted while
messages destined for domains not included will be rejected.
SMTP authentication is not related to spam received.
Stefano
Ken Lin wrote:
> Hi:
>
> I installed the james mail server behind a firewall, and exposed its SMTP port through firewall tunneling. Because of the firewall, I cannot do any IP based authentication because all incoming connections show the internal address of the firewall (192.0.something).
>
> I turned on the SMTP authentication, and expected it to authenticate each email whose "from" address contains the server name that James is responsible for.
>
> I tried a mail server testing web site to test whether the james server rejects spam properly. It seems that the authentication of SMTP was turned on in every case where the "from" address contains the server name EXCEPT in one case where both the "from" address and "to" address contain the server name.
>
> Can anyone help point out how I can turn on SMTP authentication for James in the case where the "from" address and "to" address contain the server name that James is responsible for?
>
> Thanks in advance!
>
> Ken