Want to expand on this: If 'MAIL FROM <>' is not supported, your server will not get bounced messages from an External Server. It is a mandatory part of the specification for SMTP Server.
Harmeet

----- Original Message -----
From: "Serge Knystautas" <[EMAIL PROTECTED]>
To: "James Developers List" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, July 29, 2002 11:21 PM
Subject: Re: Open relay with SMTP-AUTH

> Even if you have a server that only is accepting SMTP AUTH, it's still best
> practices to accept "MAIL FROM: <>" messages (i.e., you can't just disable
> that). That said, messages with a null sender should not leave your server,
> so I think it's either a conf issue or a bug in some matcher that isn't
> probably capturing that and preventing the relaying.
>
> Serge Knystautas
> Loki Technologies
> http://www.lokitech.com/
>
> ----- Original Message -----
> From: "Peter M. Goldstein" <[EMAIL PROTECTED]>
> To: "'James Developers List'" <[EMAIL PROTECTED]>
> Sent: Monday, July 29, 2002 8:21 PM
> Subject: FW: Open relay with SMTP-AUTH
>
> > All,
> >
> > I've just confirmed this on the latest code base. The cause is pretty
> > obvious - there is a comment in SMTPHandler.java:
> >
> >     // If this is a delivery failure notification (MAIL FROM: <>)
> >     // we don't enforce authentication
> >     if (authRequired && state.get(SENDER) != null) {
> >
> > Removing the (state.get(SENDER) != null) clause closes the open relay.
> >
> > But can anyone clarify the comment? Is this comment referring to
> > messages being generated by the James server in response to local
> > delivery failures? Clearly the code as it stands is insecure...
> >
> > --Peter
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: None
> > To: [EMAIL PROTECTED]
> > Subject: Open relay with SMTP-AUTH
> >
> > Hello
> >
> > I think I found a bug when using SMTP-AUTH
> >
> > if you enable smtp-auth and send a <> as the sender
> > the server allows the relay of any message, if you
> > specify a correct email address the server enforces the authentication
> >
> > I created a patch for this, is there any other solution?
> >
> > following a session that shows the problem
> >
> > Trying XXXXXX...
> > Connected to XXXXXXXXX.
> > Escape character is '^]'.
> > 220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs) ready Mon, 29 Jul 2002 20:31:04 -0400
> > helo test
> > 250-myMailServer Hello test (XXXXXXX)
> > 250 AUTH LOGIN PLAIN
> > mail from: <>
> > 250 Sender <> OK
> > rcpt to: <[EMAIL PROTECTED]>
> > 250 Recipient <[EMAIL PROTECTED]> OK
> > .....

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
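
The two positions in this thread (a null sender must be accepted, but must not open a relay) can be reconciled by deciding on the recipient instead of the sender. The sketch below is an added example, not part of the thread and not code from the James source tree; the class, method names and sample domains are hypothetical, and the first method only models the condition quoted from SMTPHandler.java.

```java
import java.util.Locale;
import java.util.Set;

// Added illustration, not code from the James source tree; all names are hypothetical.
public class NullSenderRelayDemo {

    // Domains delivered locally (constructed sample value).
    static final Set<String> LOCAL_DOMAINS = Set.of("example.org");

    // Models the condition quoted in the thread: authentication is enforced only
    // when a sender is present, so MAIL FROM:<> (sender == null) skips the check.
    static boolean quotedCheckAccepts(boolean authRequired, boolean authenticated,
                                      String sender, String rcpt) {
        if (authRequired && sender != null) {
            return authenticated;
        }
        return true;
    }

    // Assumed alternative: the sender plays no part. Local recipients are always
    // accepted (so bounces with a null sender still arrive); anything that would
    // leave the server needs an authenticated session.
    static boolean recipientCheckAccepts(boolean authRequired, boolean authenticated,
                                         String sender, String rcpt) {
        if (isLocal(rcpt)) {
            return true;
        }
        return !authRequired || authenticated;
    }

    static boolean isLocal(String rcpt) {
        int at = rcpt.lastIndexOf('@');
        if (at < 0) {
            return false; // no domain part: treat as non-local (fail closed)
        }
        return LOCAL_DOMAINS.contains(rcpt.substring(at + 1).toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed cases, all unauthenticated with authRequired = true: {sender, recipient}
        String[][] cases = {
            {null, "user@example.org"},              // inbound bounce
            {null, "someone@example.net"},           // null sender, remote recipient
            {"a@example.com", "someone@example.net"} // named sender, remote recipient
        };
        for (String[] c : cases) {
            System.out.printf("from=<%s> rcpt=<%s> quoted=%b recipient-based=%b%n",
                    c[0] == null ? "" : c[0], c[1],
                    quotedCheckAccepts(true, false, c[0], c[1]),
                    recipientCheckAccepts(true, false, c[0], c[1]));
        }
    }
}
```

When authRequired is false, the recipient-based check accepts remote recipients, so relay control would then have to come from other configuration.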
