All,
I've just confirmed this on the latest code base. The cause is pretty
obvious - there is a comment in SMTPHandler.java:
    // If this is a delivery failure notification (MAIL FROM: <>)
    // we don't enforce authentication
    if (authRequired && state.get(SENDER) != null) {
Removing the (state.get(SENDER) != null) clause closes the open relay.
But can anyone clarify the comment? Is this comment referring to
messages being generated by the James server in response to local
delivery failures? Clearly the code as it stands is insecure...
--Peter
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: None
To: [EMAIL PROTECTED]
Subject: Open relay with SMTP-AUTH
Hello
I think I found a bug when using SMTP-AUTH
if you enable smtp-auth and send a <> as the sender
the server allows the relay of any message; if you
specify a correct email address the server enforces the authentication
I created a patch for this, is there any other solution?
Following is a session that shows the problem:
Trying XXXXXX...
Connected to XXXXXXXXX.
Escape character is '^]'.
220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs) ready Mon, 29 Jul 2002 20:31:04 -0400
helo test
250-myMailServer Hello test (XXXXXXX)
250 AUTH LOGIN PLAIN
mail from: <>
250 Sender <> OK
rcpt to: <[EMAIL PROTECTED]>
250 Recipient <[EMAIL PROTECTED]> OK
.....
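The check the thread is about, modelled as an added Python example (not James's Java code from SMTPHandler.java). It replays the probe session from the original post against the quoted condition, against Peter's fix (dropping the sender clause), and against a third variant that goes beyond the thread: accept unauthenticated mail, null sender included, only for local recipients and require AUTH for anything that would be relayed elsewhere. All names (parse_path, relay_needs_auth_*, run_session, LOCAL_DOMAINS) are invented, and the recipient addresses and local domain are constructed for the example.

```python
# Added example, not code from Apache James. Models the SMTP AUTH relay check
# discussed in the thread; every name below is invented for illustration.
from typing import Callable, List, Optional

# Constructed: domains this server is the final destination for.
LOCAL_DOMAINS = {"mymailserver.example"}


def parse_path(arg: str) -> Optional[str]:
    """Return the address inside an SMTP reverse/forward path.

    "<>" (the null sender used for delivery failure notifications) yields
    None, mirroring a SENDER state slot that stays unset for MAIL FROM:<>.
    """
    arg = arg.strip()
    if arg.startswith("<") and arg.endswith(">"):
        arg = arg[1:-1]
    return arg or None


def relay_needs_auth_vulnerable(auth_required: bool, sender: Optional[str],
                                recipient: str, authenticated: bool) -> bool:
    # The condition quoted from SMTPHandler.java:
    #     if (authRequired && state.get(SENDER) != null)
    # With MAIL FROM:<> the sender slot is unset, so AUTH is never enforced.
    return auth_required and sender is not None and not authenticated


def relay_needs_auth_fixed(auth_required: bool, sender: Optional[str],
                           recipient: str, authenticated: bool) -> bool:
    # Peter's fix: remove the sender clause; any unauthenticated RCPT TO is refused.
    return auth_required and not authenticated


def relay_needs_auth_local_delivery_allowed(auth_required: bool, sender: Optional[str],
                                            recipient: str, authenticated: bool) -> bool:
    # Variant beyond the thread: bounces (and other unauthenticated mail) are
    # accepted only for local recipients; relaying to other domains needs AUTH.
    domain = recipient.rpartition("@")[2].lower()
    return auth_required and not authenticated and domain not in LOCAL_DOMAINS


def run_session(commands: List[str],
                check: Callable[[bool, Optional[str], str, bool], bool],
                auth_required: bool = True,
                authenticated: bool = False) -> List[str]:
    """Feed SMTP command lines to a tiny state machine and collect the replies."""
    sender: Optional[str] = None
    replies: List[str] = []
    for line in commands:
        verb, _, arg = line.partition(":")
        verb = verb.strip().lower()
        if verb.startswith("helo"):
            replies.append("250 Hello")
        elif verb == "mail from":
            sender = parse_path(arg)
            replies.append("250 Sender <%s> OK" % (sender or ""))
        elif verb == "rcpt to":
            recipient = parse_path(arg) or ""
            if check(auth_required, sender, recipient, authenticated):
                replies.append("530 Authentication Required")
            else:
                replies.append("250 Recipient <%s> OK" % recipient)
        else:
            replies.append("500 Unrecognized command")
    return replies


# Constructed from the transcript in the original post: a null sender followed
# by a non-local recipient, i.e. a relay attempt without AUTH.
PROBE_SESSION = [
    "helo test",
    "mail from: <>",
    "rcpt to: <victim@other.example>",
]

# Constructed: a genuine delivery failure notification to a local mailbox.
LOCAL_BOUNCE_SESSION = [
    "helo test",
    "mail from: <>",
    "rcpt to: <postmaster@mymailserver.example>",
]

if __name__ == "__main__":
    for name, check in (("vulnerable", relay_needs_auth_vulnerable),
                        ("fixed", relay_needs_auth_fixed),
                        ("local-only", relay_needs_auth_local_delivery_allowed)):
        print(name, "relay probe ->", run_session(PROBE_SESSION, check)[-1])
        print(name, "local bounce ->", run_session(LOCAL_BOUNCE_SESSION, check)[-1])
```

Replaying the probe, the quoted condition answers the relay attempt with 250 because the null sender leaves the sender slot unset; Peter's fix turns that into 530, and so does the local-only variant, which nevertheless still accepts the bounce addressed to a local mailbox. Whichever condition a server uses, the thing to watch in production is RCPT TO accepted for non-local domains on unauthenticated sessions, which is what the transcript in the original post shows.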