Harmeet,
'MAIL FROM <>' is still supported now. It is also supported in such a
way as to prevent arbitrary relaying of emails with null senders.
The correct behavior is as was discussed on this list earlier:
Not using SMTP AUTH - all messages are sent and relayed
Using SMTP AUTH - Messages with null senders are treated as
unauthenticated messages. They are delivered locally, but not relayed.
Note that this change still allows you to set up James as an incoming
gateway for one or more SMTP servers (by listing the appropriate domains
in the local server list and using appropriate matchers/mailets to
deliver messages to the gatewayed servers). Outgoing gateway behavior
is unaffected.
This is both in accord with the RFC and the only way to prevent James
from being an open relay when using SMTP AUTH as the primary form of
authorization (as opposed to IP match). Tests with ordb.org confirm
this.
--Peter
> -----Original Message-----
> From: Harmeet Bedi [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, August 17, 2002 4:25 AM
> To: James Developers List
> Subject: Re: Open relay with SMTP-AUTH
>
> Want to expand on this: If 'MAIL FROM <>' is not supported, your server will
> not get bounced messages from an External Server. It is a mandatory part of
> the specification for SMTP Server.
>
> Harmeet
> ----- Original Message -----
> From: "Serge Knystautas" <[EMAIL PROTECTED]>
> To: "James Developers List" <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Monday, July 29, 2002 11:21 PM
> Subject: Re: Open relay with SMTP-AUTH
>
>
> > Even if you have a server that only is accepting SMTP AUTH, it's still best
> > practices to accept "MAIL FROM: <>" messages (i.e., you can't just disable
> > that). That said, messages with a null sender should not leave your server,
> > so I think it's either a conf issue or a bug in some matcher that isn't
> > probably capturing that and preventing the relaying.
> >
> > Serge Knystautas
> > Loki Technologies
> > http://www.lokitech.com/
> >
> > ----- Original Message -----
> > From: "Peter M. Goldstein" <[EMAIL PROTECTED]>
> > To: "'James Developers List'" <[EMAIL PROTECTED]>
> > Sent: Monday, July 29, 2002 8:21 PM
> > Subject: FW: Open relay with SMTP-AUTH
> >
> >
> > >
> > > All,
> > >
> > > I've just confirmed this on the latest code base. The cause is pretty
> > > obvious - there is a comment in SMTPHandler.java:
> > >
> > >     // If this is a delivery failure notification (MAIL FROM: <>)
> > >     // we don't enforce authentication
> > >     if (authRequired && state.get(SENDER) != null) {
> > >
> > > Removing the (state.get(SENDER) != null) clause closes the open relay.
> > >
> > > But can anyone clarify the comment? Is this comment referring to
> > > messages being generated by the James server in response to local
> > > delivery failures? Clearly the code as it stands is insecure...
> > >
> > > --Peter
> > >
> > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: None
> > > To: [EMAIL PROTECTED]
> > > Subject: Open relay with SMTP-AUTH
> > >
> > >
> > > Hello
> > >
> > > I think I found a bug when using SMTP-AUTH
> > >
> > > > if you enable smtp-auth and send a <> as the sender
> > > > the server allows the relay of any message, if you
> > > > specify a correct email address the server enforces the authentication
> > >
> > > I created a patch for this, is there any other solution?
> > >
> > > following a session that shows the problem
> > >
> > > Trying XXXXXX...
> > > Connected to XXXXXXXXX.
> > > Escape character is '^]'.
> > > > 220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs) ready Mon, 29 Jul 2002 20:31:04 -0400
> > > helo test
> > > 250-myMailServer Hello test (XXXXXXX)
> > > 250 AUTH LOGIN PLAIN
> > > mail from: <>
> > > 250 Sender <> OK
> > > rcpt to: <[EMAIL PROTECTED]>
> > > 250 Recipient <[EMAIL PROTECTED]> OK
> > > .....
> > >
> > >
> > >
> > >
> > > --
> > > To unsubscribe, e-mail:
> > <mailto:[EMAIL PROTECTED]>
> > > For additional commands, e-mail:
> > <mailto:[EMAIL PROTECTED]>
> > >
> > >
> >
> >
> > --
> > To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
>
>
> --
> To unsubscribe, e-mail: <mailto:james-dev-
> [EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:james-dev-
> [EMAIL PROTECTED]>
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
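
The relay decision discussed in this thread, as an added example that is not part of the original messages and is not code from James: a simplified Java model of the recipient check before and after the fix. The class, method names, domains and test cases are hypothetical and constructed for illustration; only the `authRequired` / null-sender condition comes from the thread.

```java
import java.util.Set;

// Added illustration; a simplified model, not code from James.
public class NullSenderRelayCheck {
    // Constructed list of domains this server hosts (hypothetical).
    static final Set<String> LOCAL_DOMAINS = Set.of("example.org");

    static boolean isLocal(String rcpt) {
        return LOCAL_DOMAINS.contains(rcpt.substring(rcpt.lastIndexOf('@') + 1).toLowerCase());
    }

    // Reported behaviour: the check is skipped for MAIL FROM:<>, so a null
    // sender is accepted for any recipient, remote ones included.
    static boolean acceptBeforeFix(boolean authRequired, boolean authenticated,
                                   String sender, String rcpt) {
        if (authRequired && sender != null) {
            return authenticated || isLocal(rcpt);
        }
        return true;
    }

    // Behaviour described in the reply: with SMTP AUTH on, a null sender is
    // treated as unauthenticated, so it is delivered locally but never relayed.
    static boolean acceptAfterFix(boolean authRequired, boolean authenticated,
                                  String sender, String rcpt) {
        if (!authRequired) {
            return true; // no SMTP AUTH: all messages are sent and relayed
        }
        boolean countsAsAuthenticated = authenticated && sender != null;
        return countsAsAuthenticated || isLocal(rcpt);
    }

    public static void main(String[] args) {
        // {authRequired, authenticated, sender (null = <>), recipient}; constructed cases.
        Object[][] cases = {
            {true,  false, null,               "someone@example.net"}, // the reported relay
            {true,  false, null,               "user@example.org"},    // incoming bounce
            {true,  false, "a@example.net",    "b@example.net"},
            {true,  true,  "user@example.org", "b@example.net"},
            {false, false, null,               "b@example.net"},
        };
        for (Object[] c : cases) {
            boolean req = (Boolean) c[0], auth = (Boolean) c[1];
            String from = (String) c[2], to = (String) c[3];
            System.out.printf("authRequired=%-5b auth=%-5b from=%-18s to=%-20s before=%-5b after=%b%n",
                req, auth, from == null ? "<>" : from, to,
                acceptBeforeFix(req, auth, from, to), acceptAfterFix(req, auth, from, to));
        }
    }
}
```

Only the first case differs between the two methods: an unauthenticated null-sender message to a remote recipient is accepted before the fix and refused after it, while the incoming bounce to a local user is accepted in both.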