I think we need two additional property. The source of a mail is trusted if the mail is 1. received through smtp from a local host - based on its ip address 2. received through smtp from an smtp authenticated host 3. generated within james
As I know information about (1) is already available, but not about(2) and (3). ----- Original Message ----- From: "Noel J. Bergman" <[EMAIL PROTECTED]> To: "James Developers List" <[EMAIL PROTECTED]> Sent: Wednesday, July 31, 2002 5:28 AM Subject: RE: Open relay with SMTP-AUTH > Serge, > > Instead of an X- header, why can't we add an "authenticatedSender" (pick a > name) property to the mail object? That kind of metadata would travel with > the object (and clones) within the system, but can't be forged from the > outside. Does the fact that we authenticated it have any meaning once it > leaves JAMES? I don't think so. If it did, that would be part of the RFC. > > Back in June, you and I were discussing Matcher <-> Mailet communication, > and you mentioned that you wanted to add Mail.setAttribute() / > Mail.getAttribute() to the Mailet API. Do you want me to add this now, or > add a fixed property? > > --- Noel > > -----Original Message----- > From: Serge Knystautas [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, July 30, 2002 22:53 > To: James Developers List > Subject: Re: Open relay with SMTP-AUTH > > > Yeah, I agree. I never quite understood how SMTP AUTH was implemented > effectively because there isn't an easy way to do that. I don't know... > maybe add an "X-" header to the message itself to record that it's > authenticated (and make sure there isn't one there already). But yeah, > I agree with Noel's idea. > > -- > Serge Knystautas > Loki Technologies - Unstoppable Websites > http://www.lokitech.com/ > > Noel J. Bergman wrote: > > Peter, > > > > At a quick glance, it looks OK, but please ask Serge what he thinks. And > I > > believe that I have an alternative solution. > > > > I don't like that right now we have to force SMTP AUTH for everyone under > > all circumstances, or not use it at all. I'd rather that AUTH was > optional, > > and that there was a way for the mail to be tagged with the meta-data that > > it was authenticated. That way, our configuration could toss people who > > aren't on an acceptable IP to a processor that checked for AUTH, and if > the > > mail was tagged, it could pass it on for delivery. > > > > I don't mean to tag the message, e.g., with a forgable header. I mean to > > tag the mail object, e.g., with a new property. But right now once the > mail > > object has left the handler, there is nothing preserved to tell us that it > > was sent by an authenticated sender. The only reason why SMTP AUTH and <> > > turns JAMES into an open relay is that we have to disable > > RemoteAddrInNetwork. If we could keep RemoteAddrInNetwork, and check for > > AUTH in the failure case, we could address this problem differently. > > > > --- Noel > > > > -----Original Message----- > > From: Peter M. Goldstein [mailto:[EMAIL PROTECTED]] > > Sent: Tuesday, July 30, 2002 21:57 > > To: 'James Developers List' > > Cc: [EMAIL PROTECTED] > > Subject: RE: Open relay with SMTP-AUTH > > > > > > > > Noel, > > > > Right. So locally generated bounces shouldn't traverse the gate logic > > in SMTPHandler.java (and hence should be sent even if they have a null > > Sender header) while bounces from other servers should only be delivered > > locally if authRequired is true. So we can change the SMTPHandler code > > as I suggested earlier and we should be ok. Your thoughts? > > > > --Peter > > > > > >>-----Original Message----- > >>From: Noel J. Bergman [mailto:[EMAIL PROTECTED]] > >>Sent: Tuesday, July 30, 2002 6:56 PM > >>To: James Developers List > >>Cc: [EMAIL PROTECTED] > >>Subject: RE: Open relay with SMTP-AUTH > >> > >>Peter, > >> > >>Internally, messages are sent by calling James.sendMail(), which calls > >>spool.store() to put the message on the incoming message spool. If > >>you look at SMTPHandler, you'll see that it does the same thing. It calls > >>mailServer.sendMail(), which it sounds as if you've already noticed. > >> > >> --- Noel > >> > >>-----Original Message----- > >>From: Peter M. Goldstein [mailto:[EMAIL PROTECTED]] > >>Sent: Tuesday, July 30, 2002 20:48 > >>To: 'James Developers List' > >>Subject: RE: Open relay with SMTP-AUTH > >> > >> > >> > >>Noel, > >> > >>That looks right. The relevant logic is in the SMTPHandler. > >> > >>Does the LocalDelivery bounce even invoke the SMTPHandler? I don't > > > > see > > > >>why it wouldn't just place an outgoing message on the spool directly. > >>That's what it appears to do. > >> > >>I'm going to play with some configurations here and see what > > > > happens... > > > >>--Peter > >> > >> > >>>-----Original Message----- > >>>From: Noel J. Bergman [mailto:[EMAIL PROTECTED]] > >>>Sent: Tuesday, July 30, 2002 4:39 PM > >>>To: James Developers List > >>>Cc: [EMAIL PROTECTED] > >>>Subject: RE: Open relay with SMTP-AUTH > >>> > >>>Seems like we have the following combination: > >>> > >>> local receiver remote receiver > >>> local sender OK OK > >>> remote sender OK DENY > >>> > >>>with respect to null senders, which is the same as for other > >> > > messages. > > > >>>Am I missing something? > >>> > >>> --- Noel > >>> > >>>-----Original Message----- > >>>From: Hontvari Jozsef [mailto:[EMAIL PROTECTED]] > >>>Sent: Tuesday, July 30, 2002 16:03 > >>>To: James Developers List; [EMAIL PROTECTED] > >>>Subject: Re: Open relay with SMTP-AUTH > >>> > >>> > >>> > >>>>If we're going to enforce that mail will null senders does not > >>> > > leave > > > >>the > >> > >>>>host, then this should be: > >>> > >>>Maybe this assumption originates from me, sorry. It is not true. I > >> > >>have > >> > >>>fogotten that bounce messages generated by james also went through > >> > > the > > > >>>mailet spool (or am I wrong again?). > >>> > >>>At least the bounces generated locally by james must leave the > >> > > server > > > >>(and > >> > >>>the bounces MUST have null sender accordingly to RFC 1123 5.3.3). > >>> > >>>I agree on that preventing open relay should not require adding > >> > >>mailets to > >> > >>>the default configuration file. > >>> > >>>----- Original Message ----- > >>>From: "Peter M. Goldstein" <[EMAIL PROTECTED]> > >>>To: "'James Developers List'" <[EMAIL PROTECTED]> > >>>Sent: Tuesday, July 30, 2002 8:54 PM > >>>Subject: RE: Open relay with SMTP-AUTH > >>> > >>> > >>> > >>>>All, > >>>> > >>>>From Serge's description it just seems that the not null sender > >>> > >>check is > >> > >>>>unnecessary. The code now is: > >>>> > >>>> // If this is a delivery failure notification (MAIL > >>> > >>FROM: > >> > >>>><>) > >>>> // we don't enforce authentication > >>>> if (authRequired && state.get(SENDER) != null) { > >>>> // Make sure the mail is being sent locally if not > >>>> // authenticated else reject. > >>>> if (!state.containsKey(AUTH)) { > >>>> String toDomain = recipientAddress.getHost(); > >>>> if (!mailServer.isLocalServer(toDomain)) { > >>>> out.println("530 Authentication > >>> > > Required"); > > > >>>> getLogger().error("Authentication is > >>> > >>required > >> > >>>>for mail request"); > >>>> return; > >>>> } > >>>> } else { > >>>> > >>>>If we're going to enforce that mail will null senders does not > >>> > > leave > > > >>the > >> > >>>>host, then this should be: > >>>> > >>>> // If this is a delivery failure notification (MAIL > >>> > >>FROM: > >> > >>>><>) > >>>> // we don't enforce authentication > >>>> if (authRequired) { > >>>> // Make sure the mail is being sent locally if not > >>>> // authenticated else reject. > >>>> if (!state.containsKey(AUTH)) { > >>>> String toDomain = recipientAddress.getHost(); > >>>> if (!mailServer.isLocalServer(toDomain)) { > >>>> out.println("530 Authentication > >>> > > Required"); > > > >>>> getLogger().error("Authentication is > >>> > >>required > >> > >>>>for mail request"); > >>>> return; > >>>> } > >>>> } else { > >>>> > >>>> > >>>>I haven't looked at the LocalDelivery mailet, but I imagine it may > >>>>require modification to ensure that mails with empty senders that > >>> > >>are > >> > >>>>routed to non-existent addresses don't bounce. > >>>> > >>>>I don't agree that this is a matcher issue. It shouldn't require > >>> > >>any > >> > >>>>complex configuration to prevent open relay behavior. Turning on > >>> > >>SMTP > >> > >>>>authentication is a standard and expected behavior to prevent open > >>> > >>relay > >> > >>>>behavior. Additional configuration of matchers is not. > >>>> > >>>>Any thoughts? > >>>> > >>>>--Peter > >>>> > >>>> > >>>>>-----Original Message----- > >>>>>From: Hontvari Jozsef [mailto:[EMAIL PROTECTED]] > >>>>>Sent: Tuesday, July 30, 2002 12:54 AM > >>>>>To: James Developers List > >>>>>Subject: Re: Open relay with SMTP-AUTH > >>>>> > >>>>>But is it possible at all to configure james correctly? > >>>>>If he is using smtp authentication, likely he hasn't so called > >>>> > >>"local" > >> > >>>>>hosts. > >>>>> > >>>>>This is the required behaviour, when the mail from is empty > >>>> > > (i.e. > > > >>>>bounce > >>>> > >>>>>message): > >>>>>-if the recipient is local then delivery the message > >>>>>(-if the recipient is local, but the mailbox does not exist, > >>>> > > then > > > >>do > >> > >>>>>nothing, you must not bounce a bounce message) > >>>>> > >>>>>-if the recipient is not local but the remote host is > >>>> > >>authenticated > >> > >>>>then > >>>> > >>>>>relay the message (although I guess this rarely occurs) > >>>>>-if the recipient is not local and the remote host is not > >>>> > >>>>authenticated > >>>> > >>>>>then > >>>>>do nothing (usual servers simply would not accept the mail) > >>>>> > >>>>>BUT: there is no matcher which can decide if the sender is > >>>> > >>>>authenticated > >>>> > >>>>>or > >>>>>not, so we cannot configure correctly. > >>>>> > >>>>>I think the best configuration - which can be done at this > >>>> > > moment > > > >>- > >> > >>>>simply > >>>> > >>>>>removes the message if the recipient isn't local and the sender > >>>> > > is > > > >>>>empty. > >>>> > >>>>> > >>>>> > >>>>>----- Original Message ----- > >>>>>From: "Serge Knystautas" <[EMAIL PROTECTED]> > >>>>>To: "James Developers List" <[EMAIL PROTECTED]>; > >>>>><[EMAIL PROTECTED]> > >>>>>Sent: Tuesday, July 30, 2002 8:21 AM > >>>>>Subject: Re: Open relay with SMTP-AUTH > >>>>> > >>>>> > >>>>> > >>>>>>Even if you have a server that only is accepting SMTH AUTH, > >>>>> > > it's > > > >>>>still > >>>> > >>>>>best > >>>>> > >>>>>>practices to accept "MAIL FROM: <>" messages (i.e., you can't > >>>>> > >>just > >> > >>>>>disable > >>>>> > >>>>>>that). That said, messages with a null sender should not > >>>>> > > leave > > > >>your > >> > >>>>>server, > >>>>> > >>>>>>so I think it's either a conf issue or a bug in some matcher > >>>>> > >>that > >> > >>>>isn't > >>>> > >>>>>>probably capturing that and preventing the relaying. > >>>>>> > >>>>>>Serge Knystautas > >>>>>>Loki Technologies > >>>>>>http://www.lokitech.com/ > >>>>>> > >>>>>>----- Original Message ----- > >>>>>>From: "Peter M. Goldstein" <[EMAIL PROTECTED]> > >>>>>>To: "'James Developers List'" <[EMAIL PROTECTED]> > >>>>>>Sent: Monday, July 29, 2002 8:21 PM > >>>>>>Subject: FW: Open relay with SMTP-AUTH > >>>>>> > >>>>>> > >>>>>> > >>>>>>>All, > >>>>>>> > >>>>>>>I've just confirmed this on the latest code base. The cause > >>>>>> > >>is > >> > >>>>pretty > >>>> > >>>>>>>obvious - there is a comment in SMTPHandler.java: > >>>>>>> > >>>>>>> // If this is a delivery failure notification > >>>>>> > >>(MAIL > >> > >>>>FROM: > >>>> > >>>>>>><>) > >>>>>>> // we don't enforce authentication > >>>>>>> if (authRequired && state.get(SENDER) != null) { > >>>>>>> > >>>>>>>Removing the (state.get(SENDER) != null) clause closes the > >>>>>> > >>open > >> > >>>>relay. > >>>> > >>>>>>>But can anyone clarify the comment? Is this comment > >>>>>> > > referring > > > >>to > >> > >>>>>>>messages being generated by the James server in response to > >>>>>> > >>local > >> > >>>>>>>delivery failures? Clearly the code as it stands in > >>>>>> > >>insecure... > >> > >>>>>>>--Peter > >>>>>>> > >>>>>>>-----Original Message----- > >>>>>>>From: [EMAIL PROTECTED] > >>>>>> > >>>>[mailto:[EMAIL PROTECTED]] > >>>> > >>>>>>>Sent: None > >>>>>>>To: [EMAIL PROTECTED] > >>>>>>>Subject: Open relay with SMTP-AUTH > >>>>>>> > >>>>>>> > >>>>>>>Hello > >>>>>>> > >>>>>>>I think I found a bug when using SMTP-AUTH > >>>>>>> > >>>>>>>if you enable smtp-auth and sends a <> as the sender > >>>>>>>the servers allows the relay of any message, if you > >>>>>>>specify a correct email address the server enforces the > >>>>>> > >>>>authentication > >>>> > >>>>>>>I created a patch for this, is there any other solution? > >>>>>>> > >>>>>>>following a session that shows the problem > >>>>>>> > >>>>>>>Trying XXXXXX... > >>>>>>>Connected to XXXXXXXXX. > >>>>>>>Escape character is '^]'. > >>>>>>>220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs) > >>>>>> > >>ready > >> > >>>>Mon, > >>>> > >>>>>29 > >>>>> > >>>>>>>Jul 2002 20:31:04 -0400 > >>>>>>>helo test > >>>>>>>250-myMailServer Hello test (XXXXXXX) > >>>>>>>250 AUTH LOGIN PLAIN > >>>>>>>mail from: <> > >>>>>>>250 Sender <> OK > >>>>>>>rcpt to: <[EMAIL PROTECTED]> > >>>>>>>250 Recipient <[EMAIL PROTECTED]> OK > >>>>>>>..... > >>>>>> > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> > > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
