But is it possible at all to configure james correctly? If he is using smtp authentication, likely he hasn't so called "local" hosts.
This is the required behaviour, when the mail from is empty (i.e. bounce message): -if the recipient is local then delivery the message (-if the recipient is local, but the mailbox does not exist, then do nothing, you must not bounce a bounce message) -if the recipient is not local but the remote host is authenticated then relay the message (although I guess this rarely occurs) -if the recipient is not local and the remote host is not authenticated then do nothing (usual servers simply would not accept the mail) BUT: there is no matcher which can decide if the sender is authenticated or not, so we cannot configure correctly. I think the best configuration - which can be done at this moment - simply removes the message if the recipient isn't local and the sender is empty. ----- Original Message ----- From: "Serge Knystautas" <[EMAIL PROTECTED]> To: "James Developers List" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Tuesday, July 30, 2002 8:21 AM Subject: Re: Open relay with SMTP-AUTH > Even if you have a server that only is accepting SMTH AUTH, it's still best > practices to accept "MAIL FROM: <>" messages (i.e., you can't just disable > that). That said, messages with a null sender should not leave your server, > so I think it's either a conf issue or a bug in some matcher that isn't > probably capturing that and preventing the relaying. > > Serge Knystautas > Loki Technologies > http://www.lokitech.com/ > > ----- Original Message ----- > From: "Peter M. Goldstein" <[EMAIL PROTECTED]> > To: "'James Developers List'" <[EMAIL PROTECTED]> > Sent: Monday, July 29, 2002 8:21 PM > Subject: FW: Open relay with SMTP-AUTH > > > > > > All, > > > > I've just confirmed this on the latest code base. The cause is pretty > > obvious - there is a comment in SMTPHandler.java: > > > > // If this is a delivery failure notification (MAIL FROM: > > <>) > > // we don't enforce authentication > > if (authRequired && state.get(SENDER) != null) { > > > > Removing the (state.get(SENDER) != null) clause closes the open relay. > > > > But can anyone clarify the comment? Is this comment referring to > > messages being generated by the James server in response to local > > delivery failures? Clearly the code as it stands in insecure... > > > > --Peter > > > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > > Sent: None > > To: [EMAIL PROTECTED] > > Subject: Open relay with SMTP-AUTH > > > > > > Hello > > > > I think I found a bug when using SMTP-AUTH > > > > if you enable smtp-auth and sends a <> as the sender > > the servers allows the relay of any message, if you > > specify a correct email address the server enforces the authentication > > > > I created a patch for this, is there any other solution? > > > > following a session that shows the problem > > > > Trying XXXXXX... > > Connected to XXXXXXXXX. > > Escape character is '^]'. > > 220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs) ready Mon, 29 > > Jul 2002 20:31:04 -0400 > > helo test > > 250-myMailServer Hello test (XXXXXXX) > > 250 AUTH LOGIN PLAIN > > mail from: <> > > 250 Sender <> OK > > rcpt to: <[EMAIL PROTECTED]> > > 250 Recipient <[EMAIL PROTECTED]> OK > > ..... > > > > > > > > > > -- > > To unsubscribe, e-mail: > <mailto:[EMAIL PROTECTED]> > > For additional commands, e-mail: > <mailto:[EMAIL PROTECTED]> > > > > > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> > > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
