Noel
I have disabled RemoteNotInNetwork so that users who are dialling in
through unknown ISPs can provide a password to send email.
My second point is that I want to disable SMTP AUTH if the email comes
from an ip within a specified network.
This will allow applications which are not configured to use SMTP AUTH
to also use the James server to relay outside of the network.
If this can be implemented, the hole can be closed by checking that the
MAIL FROM:<> mail originates within the network.
James is currently checking for a null sender to identify failure
notifications.
In the SMTPHandler when handling the MAIL command the following code is
there:
<snip>
if (sender.length() == 0) {
//This is the <> case. Let senderAddress == null
} else {
</snip>
Is there a valid reason to accept null senders through the SMTPHandler?
If we just rejected null senders at this point, we could eliminate this
problem. I say this assuming that the failure notification being dealt
with is originating from James and not from another mail server? If the
failure notifications are being sent by James, can we not inject them
into a processor directly?
I am also running a QMail server which accepts a MAIL FROM:<> but will
still block an unwelcome destination with the error:
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Andrew
On Thu, 2002-06-20 at 18:54, Noel J. Bergman wrote:
> Andrew,
>
> Perhaps this is a dumb question, but I wasn't sure from your message: how
> did this get past the RemoteNotInNetwork matcher? Are you bypassing that
> for supposedly AUTH users, or are you saying that RemoteNotInNetwork somehow
> didn't get invoked?
>
> --- Noel
>
> -----Original Message-----
> From: Andrew Timberlake [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 20, 2002 11:38
> To: [EMAIL PROTECTED]
> Subject: Security vulnerability???
>
>
> I have been looking around in the source code from cvs HEAD and I have
> found what is probably a security vulnerability.
> My James server is restricted to non-AUTH clients which should leave it
> as a closed relay but if you send an email as follows you can relay.
>
> MAIL FROM:<>
> RCPT TO:<[EMAIL PROTECTED]>
> DATA
> ...message...
> .
> QUIT
>
> The mail is relayed!!!
>
> What I was looking for is a way to use a combination of AUTH and
> RemoteNotInNetwork.
> I want to use AUTH if not in network and allow relay indiscriminately if
> in network.
> I am happy to write the necessary code if you would like to put forward
> a suggestion that fits into the greater James vision otherwise I'll come
> up with my own design and impl.
>
> Thanks
>
> Andrew
>
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
>
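An added illustration, not James code and not from either message in this thread: a Python model of the relay decision the thread is arguing about, with the null-sender hole beside a qmail-style fix, and a small MAIL/RCPT state machine that replays the MAIL FROM:<> exchange from the original report against both. It is written in Python rather than Java so it runs on its own. The trusted network 192.168.0.0/24, the local domain example.org, the client address 203.0.113.5, the AUTH secret and the transcript are all constructed for the example; in_network and is_local are the example's own helpers, standing in for the RemoteNotInNetwork matcher and James's local-delivery check.

```python
"""Model of the SMTP relay decision discussed in the thread.

Added example; not James code. Every address, domain and secret below is
constructed for illustration.
"""
import ipaddress
import re

# Constructed configuration: the "in network" range that may relay without
# AUTH, and the domains this server delivers for locally.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/24")]
LOCAL_DOMAINS = {"example.org"}
AUTH_SECRET = "PLAIN secret"  # constructed stand-in for a real SASL exchange


def in_network(client_ip):
    """Inverse of the RemoteNotInNetwork idea: True for a trusted source."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETS)


def is_local(rcpt):
    """True when the recipient domain is one this server delivers for."""
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def relay_allowed_vulnerable(client_ip, authenticated, sender, rcpt):
    """The hole as reported: a null reverse-path (MAIL FROM:<>) is taken to
    be a bounce and skips the AUTH / in-network check, so anyone can relay."""
    if is_local(rcpt):
        return True
    if sender == "":
        return True  # the bypass: sender, not client trust, decides
    return authenticated or in_network(client_ip)


def relay_allowed_fixed(client_ip, authenticated, _sender, rcpt):
    """qmail-style: <> is still accepted as a sender, but the sender never
    influences relaying. Local recipients are always accepted; off-domain
    recipients need AUTH or a trusted source address (the policy Andrew
    asks for: AUTH off-network, unrestricted relay in-network)."""
    if is_local(rcpt):
        return True
    return authenticated or in_network(client_ip)


class SmtpSession:
    """Minimal MAIL/RCPT state machine so an exchange can be replayed."""

    def __init__(self, client_ip, policy):
        self.client_ip = client_ip
        self.policy = policy
        self.authenticated = False
        self.sender = None  # None = no MAIL yet; "" = null reverse-path
        self.rcpts = []

    def command(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "AUTH":
            self.authenticated = arg == AUTH_SECRET
            return ("235 Authentication successful" if self.authenticated
                    else "535 Authentication failed")
        if verb == "MAIL":
            m = re.fullmatch(r"FROM:<([^>]*)>", arg, re.I)
            if not m:
                return "501 Syntax error in parameters"
            self.sender, self.rcpts = m.group(1), []
            return "250 Sender OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command"
            m = re.fullmatch(r"TO:<([^>]+)>", arg, re.I)
            if not m:
                return "501 Syntax error in parameters"
            rcpt = m.group(1)
            if not self.policy(self.client_ip, self.authenticated,
                               self.sender, rcpt):
                return ("553 sorry, that domain isn't in my list of "
                        "allowed rcpthosts (#5.7.1)")
            self.rcpts.append(rcpt)
            return "250 Recipient OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognised"


def run_session(client_ip, policy, lines):
    """Feed client commands to a fresh session; return the server replies."""
    session = SmtpSession(client_ip, policy)
    return [session.command(line) for line in lines]


# Constructed transcript: the relay attempt from the original report, sent
# without AUTH from outside the trusted network. The relay decision is made
# at RCPT, so DATA and the message body are not needed here.
OUTSIDE_IP = "203.0.113.5"
RELAY_ATTEMPT = ["MAIL FROM:<>", "RCPT TO:<someone@example.com>"]

if __name__ == "__main__":
    for name, policy in (("vulnerable", relay_allowed_vulnerable),
                         ("fixed", relay_allowed_fixed)):
        print(name)
        for cmd, reply in zip(RELAY_ATTEMPT,
                              run_session(OUTSIDE_IP, policy, RELAY_ATTEMPT)):
            print(f"  C: {cmd}\n  S: {reply}")
```

Running it shows the vulnerable policy answering 250 to the off-domain RCPT after MAIL FROM:<>, and the fixed policy answering the same 553 that the qmail server in the thread gives. The design point is that the fix keeps accepting the null reverse-path (bounces are addressed that way, so an SMTP server has to accept it) and instead makes the relay check depend only on the recipient domain and on whether the client is authenticated or in-network; rejecting <> outright, as the message floats, would stop real failure notifications from other servers reaching local users.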