Hi, I will explain once more why I think you are mistaken; perhaps you would like to correct any misunderstanding I may have made, rather than just reiterating your initial assertion, which is getting us nowhere.

1/ Your class is sending an email to James, using SMTP on localhost. James is *supposed* to receive it, James is an SMTP mailserver.
2/ Your class will not be running in the same JVM as James unless it is run in the same instance of Avalon.
3/ You have not demonstrated how any sensitive information is gained from the default mail session.

d.

> -----Original Message-----
> From: Michael Kaegi [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 11, 2002 4:09 PM
> To: [EMAIL PROTECTED]
> Subject: RE: javax.mail.Session access protection (part IV),
>
>
> ... from scratch.
>
>
> Test case:
>
> Is the JAMES default javax.mail.Session secure? I think no!
>
>
> Test environment:
>
> OS: MS Windows 2000
> JDK: 1.3
> JAMES: James 2.0a2
>
>
> Test description:
>
> - Install and configure JAMES (only DNS must be set).
> - Run JAMES.
> - View JAMESMailSessionHackTest source code. No SMTP host, user or
>   password will be set to connect to the SMTP server (in our case JAMES).
>   Because no SMTP host is set the default will be used and this is
>   'localhost'.
> - Run JAMESMailSessionHackTest; as the first argument you must specify a
>   recipient email address.
> - Check if the recipient has received an email from '[EMAIL PROTECTED]'
>   with the subject:
>   'JAMESMailSessionHackTest....!!!!!!!!!!!!!!!!!!!'. In my
>   case it is like that.
>
>
> JAMESMailSessionHackTest source code:
>
> import java.util.*;
>
> import javax.mail.*;
> import javax.mail.internet.*;
>
> /**
>  * This class gets the default mail session from JAMES
>  * and sends an email to specified recipient.
>  *
>  * @author Michael Kaegi ([EMAIL PROTECTED])
>  * @version 1.0
>  */
> public class JAMESMailSessionHackTest {
>
>     private Session session;
>
>     public static void main(String[] args) {
>
>         JAMESMailSessionHackTest jt = new JAMESMailSessionHackTest();
>         jt.getMailSession();
>         jt.sendMail(args[0]);
>     }
>
>     private void getMailSession() {
>
>         Properties props = new Properties();
>         session = Session.getDefaultInstance(props, null);
>     }
>
>     private void sendMail(String recipient) {
>
>         try {
>
>             System.out.println("Session mail.smtp.host: " +
>                 session.getProperty("mail.smtp.host"));
>             System.out.println("Session mail.user: " +
>                 session.getProperty("mail.user"));
>
>             MimeMessage mm = new MimeMessage(session);
>             mm.setFrom(new InternetAddress("[EMAIL PROTECTED]"));
>             mm.addRecipient(Message.RecipientType.TO, new
>                 InternetAddress(recipient));
>             mm.setSubject("JAMESMailSessionHackTest....!!!!!!!!!!!!!!!!!!!");
>             mm.setText("Suprise.");
>             Transport.send(mm);
>
>         } catch(Exception e) {
>
>             System.out.println("Exception: ");
>             System.out.println(e);
>             e.printStackTrace();
>         }
>     }
> }
>
>
>
> Question: Why can you get the JAMES default javax.mail.Session without a
> valid authentication? See JavaMail specification.
>
> Question: Why is the JAMES default javax.mail.Session not protected with
> an authentication?
>
> Question: Is this a JAMES Bug, Feature or?
>
>
> Thanx ?
>
> Bye
> Michi
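
The access check on the JVM-wide default `javax.mail.Session` that this thread argues about, as an added example that is not part of either message and is not James code. It assumes JavaMail (`javax.mail`) is on the classpath; `OwnerAuthenticator`, the host name and the credentials are constructed for illustration.

```java
import java.util.Properties;
import javax.mail.Authenticator;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;

public class DefaultSessionGuardDemo {

    // Hypothetical Authenticator owned by the code that creates the default session.
    static class OwnerAuthenticator extends Authenticator {
        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication("owner", "constructed-password");
        }
    }

    public static void main(String[] args) {
        Properties ownerProps = new Properties();
        ownerProps.setProperty("mail.smtp.host", "smtp.example.invalid"); // constructed value
        ownerProps.setProperty("mail.user", "owner");                     // constructed value
        Authenticator owner = new OwnerAuthenticator();

        // The first call in a JVM creates the default session and binds it to `owner`.
        Session created = Session.getDefaultInstance(ownerProps, owner);

        // Same Authenticator instance: access is granted and the same object comes back.
        // (JavaMail also grants access to an Authenticator loaded by the same ClassLoader.)
        Session again = Session.getDefaultInstance(new Properties(), owner);
        System.out.println("owner gets same session: " + (created == again));

        // Null Authenticator against a guarded default session: SecurityException.
        try {
            Session.getDefaultInstance(new Properties(), null);
            System.out.println("null authenticator: access granted");
        } catch (SecurityException e) {
            System.out.println("null authenticator: " + e.getMessage());
        }

        // If the default session had been created with a null Authenticator instead,
        // the null call above would have returned it, properties included.

        // A non-shared session from empty Properties carries none of the owner's settings.
        Session fresh = Session.getInstance(new Properties());
        System.out.println("fresh mail.smtp.host: " + fresh.getProperty("mail.smtp.host"));
    }
}
```

The default session is a static held per JVM (per class loader), so a program started in its own JVM begins with no default session and its first `getDefaultInstance` call creates a new one from the properties it passes.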
