Look, you are making a series of incredibly wrong assumptions that demonstrate no understanding of SMTP or the JavaMail API. Danny tried to point out how this is wrong, but you seem to have ignored him.
Question: Why can you get the JAMES default javax.mail.Session without a valid authentication? See JavaMail specification.

Answer: There is nothing related to JAMES in your code. You are sending a message using SMTP, which requires no authentication. You are not accessing or using anything that's contained within JAMES.

Question: Why is the JAMES default javax.mail.Session not protected with an authentication?

Answer: There is nothing related to JAMES in your code. You have not gained access to an object within James. You have no special authentication, and do not require any authentication to instantiate an object. You are not accessing or using anything that's contained within JAMES.

Question: Is this a JAMES Bug, Feature or?

Answer: There is nothing related to JAMES in your code. You are not accessing or using anything that's contained within JAMES.

If you don't believe me, run your tests using Exchange, sendmail, and any other mail server you want, and you will see the identical behavior.

Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com/

----- Original Message -----
From: "Michael Kaegi" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 11, 2002 11:08 AM
Subject: RE: javax.mail.Session access protection (part IV)

, ... from scratch.

Test case:
Is the JAMES default javax.mail.Session secure? I think no!

Test environment:
OS: MS Windows 2000
JDK: 1.3
JAMES: James 2.0a2

Test description:
- Install and configure JAMES (only DNS must be set).
- Run JAMES.
- View JAMESMailSessionHackTest source code. No SMTP host, user or password will be set to connect to the SMTP server (in our case JAMES). Because no SMTP host is set the default will be used and this is 'localhost'.
- Run JAMESMailSessionHackTest; as the first argument you must specify a recipient email address.
- Check if the recipient has received an email from '[EMAIL PROTECTED]' with the subject: 'JAMESMailSessionHackTest....!!!!!!!!!!!!!!!!!!!'.

In my case it is like that.

JAMESMailSessionHackTest source code:

    import java.util.*;
    import javax.mail.*;
    import javax.mail.internet.*;

    /**
     * This class gets the default mail session from JAMES
     * and sends an email to specified recipient.
     *
     * @author Michael Kaegi ([EMAIL PROTECTED])
     * @version 1.0
     */
    public class JAMESMailSessionHackTest {

        private Session session;

        public static void main(String[] args) {
            JAMESMailSessionHackTest jt = new JAMESMailSessionHackTest();
            jt.getMailSession();
            jt.sendMail(args[0]);
        }

        private void getMailSession() {
            Properties props = new Properties();
            session = Session.getDefaultInstance(props, null);
        }

        private void sendMail(String recipient) {
            try {
                System.out.println("Session mail.smtp.host: " + session.getProperty("mail.smtp.host"));
                System.out.println("Session mail.user: " + session.getProperty("mail.user"));
                MimeMessage mm = new MimeMessage(session);
                mm.setFrom(new InternetAddress("[EMAIL PROTECTED]"));
                mm.addRecipient(Message.RecipientType.TO, new InternetAddress(recipient));
                mm.setSubject("JAMESMailSessionHackTest....!!!!!!!!!!!!!!!!!!!");
                mm.setText("Suprise.");
                Transport.send(mm);
            } catch(Exception e) {
                System.out.println("Exception: ");
                System.out.println(e);
                e.printStackTrace();
            }
        }
    }

Thanx

Bye
Michi
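
The point of the reply above, shown at the protocol level as an added example (not code from the thread): a Python stand-in that uses smtplib instead of JavaMail and a constructed loopback stub instead of JAMES. The stub server, the addresses and the function names are assumptions made for illustration; the function returns the SMTP verbs the server received, and no AUTH is among them.

```python
import smtplib
import socket
import threading
from email.message import EmailMessage


def serve_once(listener, seen):
    """Constructed stub: behaves like any SMTP server that takes local mail without AUTH."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rfile:
        def reply(text):
            conn.sendall(text.encode() + b"\r\n")

        reply("220 stub.example ESMTP")
        in_data = False
        for raw in rfile:
            line = raw.decode().rstrip("\r\n")
            if in_data:  # message body: not an SMTP command, so not recorded
                if line == ".":
                    in_data = False
                    reply("250 OK queued")
                continue
            seen.append(line)
            verb = line.split(" ")[0].upper()
            if verb == "DATA":
                in_data = True
                reply("354 End data with <CRLF>.<CRLF>")
            elif verb == "QUIT":
                reply("221 Bye")
                break
            else:  # EHLO, MAIL, RCPT: accepted, and no AUTH extension is advertised
                reply("250 OK")


def send_without_credentials(recipient):
    """Send one message to the loopback stub; return the SMTP verbs the server saw."""
    seen = []
    listener = socket.create_server(("127.0.0.1", 0))
    server = threading.Thread(target=serve_once, args=(listener, seen), daemon=True)
    server.start()
    msg = EmailMessage()
    msg["From"] = "sender@example.org"  # constructed addresses
    msg["To"] = recipient
    msg["Subject"] = "unauthenticated SMTP submission"
    msg.set_content("Delivered without any credentials.")
    with smtplib.SMTP("127.0.0.1", listener.getsockname()[1], timeout=5) as client:
        client.send_message(msg)  # login() is never called
    server.join(timeout=5)
    listener.close()
    return [line.split(" ")[0].upper() for line in seen]
```

Whether a real server accepts such a submission is decided by its own relay and authentication policy, not by anything the client-side session object holds.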
