You are viewing a plain text version of this content. The canonical link for it is here.
Posted to server-user@james.apache.org by Vincenzo Gianferrari Pini <vi...@praxis.it> on 2003/02/14 09:28:15 UTC
A safe "SenderIsLocal" matcher?
I need a matcher that checks if the sender of a message is a local user.
I wrote (very simple task indeed) such matcher ("SenderIsLocal", a kind of
mix of "SenderIs" and "RecipientIsLocal"). If anyone is ever interested in
it just let me know.
But there is a possible "hole" in it. Here follows my problem and question.
The reason why I need this matcher is to have, in the config.xml file, a
message coming from a local user of my company go to a special processor
that will try to match against some "RecipientIS" conditions that will have
the message spread (using either class="AvalonListserv" or class="Redirect")
to one or more large lists of local users and/or customers.
As just said, it is imperative for me that only *local users* may send
messages to such lists, and it must be verifiable in the logs. The matcher I
wrote works perfectly, but anyone from outside could just fake the sender
email address using a legitimate local user address and have a spam or nasty
message sent to lots of people, even customers, acting as someone else (also
someone from inside could use someone else's name and damage).
I can (and have) set both SMTP <authRequired> and <verifyIdentity> to true
in my config.xml file, but unfortunately this is not enough, as such checks
are being done only for messages not going to local recipients, and my lists
are local recipients themselves.
So here is my question: is there any way in the matcher Java code to check
for the sender having been authenticated and verified (even when all
recipients are local), instead of checking "if
(mailetContext.isLocalServer(senderMailAddress.getHost()) &&
mailetContext.isLocalUser(senderMailAddress.getUser()))"? I would need the
equivalent of something like "if (mailetContext.isSenderAuthenticated() &&
mailetContext.isSenderVerified())". Or is there any other way to obtain my
goal?
Can someone help me?
Thanks,
Vincenzo
---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org
Re: A safe "SenderIsLocal" matcher?
Posted by bill parducci <bi...@parducci.net>.
yes, but i use the concept of direction for other things when i evaluate
mail against my policies (branched logic: "if external, do X; if
internal do Y"), so this is a natural extension of my setup.
b
Noel J. Bergman wrote:
>>1. you define those ip addresses that are considered 'internal'. in my
>>world that is the company mailserver
>
>
>>2. you extend your "RecipientIS" mailet to consider the ip address of
>>the sender
>
>
> I was also going to suggest IP filtering, but the matcher already exists:
> RemoteAddrInNetwork or RemoteAddrNotInNetwork. Instead of just using that
> to control access to the RemoteDelivery mailet, it could control access to
> the mailing lists.
>
> --- Noel
---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org
RE: A safe "SenderIsLocal" matcher?
Posted by Danny Angus <da...@apache.org>.
> Let's recap:
<snip>
> Unless there is something I haven't thought about, it should work.
That looks good, the mail won't be able to be relayed out from james, and external users won't be able to AUTH and send mail to that address, only users with credentials will be able to send to this fake address so it will be protected from spam.
Next step would be to make james give mailets access to the credentials used to send the mail.
d.
---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org
RE: A safe "SenderIsLocal" matcher?
Posted by Vincenzo Gianferrari Pini <vi...@praxis.it>.
> > 1. you define those ip addresses that are considered 'internal'. in my
> > world that is the company mailserver
>
> > 2. you extend your "RecipientIS" mailet to consider the ip address of
> > the sender
>
> I was also going to suggest IP filtering, but the matcher already exists:
> RemoteAddrInNetwork or RemoteAddrNotInNetwork. Instead of just using that
> to control access to the RemoteDelivery mailet, it could control access to
> the mailing lists.
>
> --- Noel
>
Hi,
I've been away for a few days; now I'm back to this thread.
First of all, I would like to make clear that for "local user" I'm intending
a user (connecting to SMTP either from inside or outside my network) know to
the server, in the sense that can be authenticated through SMTP AUTH, and
not a user with an IP number considered internal to my network (let's call
the latter an "internal user" - just to have a common terminology), that
obviously could be filtered using "RemoteAddrInNetwork" etc. I'm using the
term "local" in the same sense used in the "RecipientIsLocal" matcher, from
which I wrote a "SenderIsLocal" matcher that did not fulfill my needs, being
forgeable.
Now I think that I found a very simple "solution".
Let's recap:
1) I have a "normal" James server, already using SMTP AUTH to prevent
relaying, and accepting messages from local-internal users to everywhere,
from local-external users to everywhere, and from non-local users to local
users.
2) In addition to that, I want that only users authenticated through SMTP
AUTH be allowed to send messages to certain protected recipient addresses,
mainly lists;
3) Because of (2), the domain part of such recipient address does not need
to be known "in the open world", but will be managed only by my James
server; it can and *should* be then a fake domain known only to my server
and my users.
4) Then, it is enough to use for such protected recipient addresses a
special domain name, like "local", *not* listed in <servername>, and that's
it: I just need to match to the right domain using
match="RecipientIs=listname@local" or
match="CommandForListserv=listname@local" or other matcher/mailet
variations. As the recipient domain is not listed in <servername>, James
will enforce SMTP AUTH.
5) The legitimate users should just know that the address to use for the
list is "listname@local" instead of "listname@mycompany.com", and connect
directly to my server to send the message.
Unless there is something I haven't thought about, it should work.
Thanks for the help,
Vincenzo
---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org
RE: A safe "SenderIsLocal" matcher?
Posted by "Noel J. Bergman" <no...@devtech.com>.
> 1. you define those ip addresses that are considered 'internal'. in my
> world that is the company mailserver
> 2. you extend your "RecipientIS" mailet to consider the ip address of
> the sender
I was also going to suggest IP filtering, but the matcher already exists:
RemoteAddrInNetwork or RemoteAddrNotInNetwork. Instead of just using that
to control access to the RemoteDelivery mailet, it could control access to
the mailing lists.
--- Noel
---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org
Re: A safe "SenderIsLocal" matcher?
Posted by bill parducci <bi...@parducci.net>.
i belive there may be a solution to this by adding the concept of
'direction' to the mail flow analysis. this only works if your mail
server is in a protected area where IP spoofing is not possible (you
cannot trust your ISP to check for spoofing, but a well configured
firewall or router does this quite reliably). it works like this:
1. you define those ip addresses that are considered 'internal'. in my
world that is the company mailserver, since james is acting as an
intelligent filtering mx (yes, i still owe the list some docs on this, i
haven't forgotten! :o)
2. you extend your "RecipientIS" mailet to consider the ip address of
the sender: anything that matches the subnet of the 'internal' address
becomes 'outgoing' mail, anything doesn't becomes 'incoming' mail.
3. you only allow 'outgoing' mail that matches the naming scheme you
currently have defined in "RecipientIS" to be delivered.
b
Vincenzo Gianferrari Pini wrote:
> I need a matcher that checks if the sender of a message is a local user.
>
> I wrote (very simple task indeed) such matcher ("SenderIsLocal", a kind of
> mix of "SenderIs" and "RecipientIsLocal"). If anyone is ever interested in
> it just let me know.
>
> But there is a possible "hole" in it. Here follows my problem and question.
>
> The reason why I need this matcher is to have, in the config.xml file, a
> message coming from a local user of my company go to a special processor
> that will try to match against some "RecipientIS" conditions that will have
> the message spread (using either class="AvalonListserv" or class="Redirect")
> to one or more large lists of local users and/or customers.
>
> As just said, it is imperative for me that only *local users* may send
> messages to such lists, and it must be verifiable in the logs. The matcher I
> wrote works perfectly, but anyone from outside could just fake the sender
> email address using a legitimate local user address and have a spam or nasty
> message sent to lots of people, even customers, acting as someone else (also
> someone from inside could use someone else's name and damage).
>
> I can (and have) set both SMTP <authRequired> and <verifyIdentity> to true
> in my config.xml file, but unfortunately this is not enough, as such checks
> are being done only for messages not going to local recipients, and my lists
> are local recipients themselves.
>
> So here is my question: is there any way in the matcher Java code to check
> for the sender having been authenticated and verified (even when all
> recipients are local), instead of checking "if
> (mailetContext.isLocalServer(senderMailAddress.getHost()) &&
> mailetContext.isLocalUser(senderMailAddress.getUser()))"? I would need the
> equivalent of something like "if (mailetContext.isSenderAuthenticated() &&
> mailetContext.isSenderVerified())". Or is there any other way to obtain my
> goal?
>
> Can someone help me?
>
> Thanks,
>
> Vincenzo
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: james-user-help@jakarta.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org
Re: A safe "SenderIsLocal" matcher?
Posted by Kenny Smith <ja...@journalscape.com>.
Hi Vincenzo,
Are the people sending messages on the same network in your office or
are they distributed out on the internet? If they are in an office
situation, you can simply restrict the logic based on the network. There
is an example of it in the default james config.xml
<mailet match="RemoteAddrNotInNetwork=127.0.0.1" class="ToProcessor">
<processor> spam </processor>
</mailet>
This sends anything that isn't from localhost to the spam processor. You
could use this to control access to your lists.
Kenny Smith
JournalScape.com
Vincenzo Gianferrari Pini wrote:
> I need a matcher that checks if the sender of a message is a local user.
>
> I wrote (very simple task indeed) such matcher ("SenderIsLocal", a kind of
> mix of "SenderIs" and "RecipientIsLocal"). If anyone is ever interested in
> it just let me know.
>
> But there is a possible "hole" in it. Here follows my problem and
> question.
>
> The reason why I need this matcher is to have, in the config.xml file, a
> message coming from a local user of my company go to a special processor
> that will try to match against some "RecipientIS" conditions that will
> have
> the message spread (using either class="AvalonListserv" or
> class="Redirect")
> to one or more large lists of local users and/or customers.
>
> As just said, it is imperative for me that only *local users* may send
> messages to such lists, and it must be verifiable in the logs. The
> matcher I
> wrote works perfectly, but anyone from outside could just fake the sender
> email address using a legitimate local user address and have a spam or
> nasty
> message sent to lots of people, even customers, acting as someone else
> (also
> someone from inside could use someone else's name and damage).
>
> I can (and have) set both SMTP and to true
> in my config.xml file, but unfortunately this is not enough, as such
> checks
> are being done only for messages not going to local recipients, and my
> lists
> are local recipients themselves.
>
> So here is my question: is there any way in the matcher Java code to check
> for the sender having been authenticated and verified (even when all
> recipients are local), instead of checking "if
> (mailetContext.isLocalServer(senderMailAddress.getHost()) &&
> mailetContext.isLocalUser(senderMailAddress.getUser()))"? I would need the
> equivalent of something like "if (mailetContext.isSenderAuthenticated() &&
> mailetContext.isSenderVerified())". Or is there any other way to obtain my
> goal?
>
> Can someone help me?
>
> Thanks,
>
> Vincenzo
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: james-user-help@jakarta.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org
Re: A safe "SenderIsLocal" matcher?
Posted by Serge Knystautas <se...@lokitech.com>.
Vincenzo Gianferrari Pini wrote:
> As just said, it is imperative for me that only *local users* may send
> messages to such lists, and it must be verifiable in the logs. The matcher I
> wrote works perfectly, but anyone from outside could just fake the sender
> email address using a legitimate local user address and have a spam or nasty
> message sent to lots of people, even customers, acting as someone else (also
> someone from inside could use someone else's name and damage).
Vincenzo,
You've stumbled across why we include RecipientIsLocal, but not
SenderIsLocal, since it effectively is meaningless.
For James 3.0 we are planning to add arbitrary attributes to Mail
objects, and with that we'll be able to pass along that this Mail object
was sent by an authenticated user.
--
Serge Knystautas
President
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com
---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org
RE: A safe "SenderIsLocal" matcher?
Posted by Danny Angus <da...@apache.org>.
> Perhaps a general solution (but probably needing a change in the
> James code
> and so outside of my reach) could be to have James require always an
> authentication from the sender and, in case of failure, block
> only messages
> going to non-local users like now to avoid open relay spamming,
> but allowing
> in any case matchers and mailets to check if there has been a successful
> authentication/verification. Does it make sense?
I'm not sure that that would work, other mail transport agents connecting to james would give up if james asked for authentication and they had no credentials.
Unfortunately it is the combination of sender and recipient which is used to determine whether authentication is required.
---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org
RE: A safe "SenderIsLocal" matcher?
Posted by Vincenzo Gianferrari Pini <vi...@praxis.it>.
> Vincenzo,
>
> An interesting problem, and one which has no obvious answer.
> The problem is that it is not possible to carry out an
> authentication conversation with the sender when the mail is
> being processed, it is too late by then.
>
> Unfortunatly applying SMTP AUTH to mail for local delivery, while
> fairly easy*, would have the effect of preventing external
> senders sending mail to your domain. Senders, including
> intermediate MTA's, would have to know how to authenticate.
>
> You might try embedding pgp, or another public/private key
> technology, so that your mailet can verify the signature on messages.
>
> I think that your task might be impossible, if you can't trust
> the sender address, or the SMTP sender from the Mail object, then
> anything else can be faked too.
>
>
> d.
>
> * Remove the domain from the servernames, so that James thinks
> your mail is for remote delivery, james will then make the sender
> authenticate, now replace the RecipientIsLocal matcher with
> HostIs in the local delivery mailet. James now will demand AUTH
> for local mail, but will deliver it locally and not try to send
> it any further.
> For completeness you would need to work out how to deal with mail
> to a non-existent user of the domain, solving this problem is
> left as an excercise for the reader.. (tip: use a new processor
> for local delivery) ;-)
>
>
Danny,
thanks for the answer.
Perhaps a general solution (but probably needing a change in the James code
and so outside of my reach) could be to have James require always an
authentication from the sender and, in case of failure, block only messages
going to non-local users like now to avoid open relay spamming, but allowing
in any case matchers and mailets to check if there has been a successful
authentication/verification. Does it make sense?
Thanks,
Vincenzo
---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org
RE: A safe "SenderIsLocal" matcher?
Posted by Danny Angus <da...@apache.org>.
Vincenzo,
An interesting problem, and one which has no obvious answer.
The problem is that it is not possible to carry out an authentication conversation with the sender when the mail is being processed, it is too late by then.
Unfortunatly applying SMTP AUTH to mail for local delivery, while fairly easy*, would have the effect of preventing external senders sending mail to your domain. Senders, including intermediate MTA's, would have to know how to authenticate.
You might try embedding pgp, or another public/private key technology, so that your mailet can verify the signature on messages.
I think that your task might be impossible, if you can't trust the sender address, or the SMTP sender from the Mail object, then anything else can be faked too.
d.
* Remove the domain from the servernames, so that James thinks your mail is for remote delivery, james will then make the sender authenticate, now replace the RecipientIsLocal matcher with HostIs in the local delivery mailet. James now will demand AUTH for local mail, but will deliver it locally and not try to send it any further.
For completeness you would need to work out how to deal with mail to a non-existent user of the domain, solving this problem is left as an excercise for the reader.. (tip: use a new processor for local delivery) ;-)
RE: A safe "SenderIsLocal" matcher?
Posted by "Noel J. Bergman" <no...@devtech.com>.
> As just said, it is imperative for me that only *local users* may send
> messages to such lists, and it must be verifiable in the logs.
...
<mailet match="CommandForListserv=mylist@mydomain.tld"
class="ToProcessor">
<processor>protectedLists</processor>
</mailet>
<mailet match=RecipientIs==mylist@mydomain.tld"
class="ToProcessor">
<processor>protectedLists</processor>
</mailet>
...
<processor name="protectedLists">
<mailet match="RemoteAddrNotInNetwork=127.0.0.1, ..."
class="ToProcessor">
<processor> error </processor>
</mailet>
<mailet match="CommandForListserv=mylist@mydomain.tld"
class="AvalonListservManager">
...
</mailet>
<mailet match=RecipientIs==mylist@mydomain.tld"
class="AvalonListserv">
...
</mailet>
</processor>
> is there any way in the matcher Java code to check
> for the sender having been authenticated
Planned for James v3.
--- Noel
---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org