Hi Danny (and others)
Yes, I have made several tests where I was able to deliver mails to accounts outside of my network even though the configuration should prevent it. For instance, the below example (1) where I telnet'ed allowed me to send an e-mail to my hotmail account. Moreover the open relay database at www.ordb.org has now blacklisted my JAMES installation, and testing it with spamlart (you can try it yourself by clicking below) made it flunk bigtime.

http://www.paladincorp.com.au/cgi-bin/spamlart.cgi?DESTINATION=test.rockit.dk

Are you guys absolutely certain that your installations are not relaying? If you are, I would really like to see some configuration examples. If you are not, I would like to recommend you try http://www.ordb.org/submit/.

I really need to solve this quickly but I am really stuck here, so any feedback on the configuration I have posted will be highly appreciated.

Yours

Randahl

-----Original Message-----
From: Danny Angus [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 08:51
To: James Users List
Subject: RE: Relay prevention

Randahl

Just because James accepts mail, does not make it a relay, is mail sent from clients on other networks actually being delivered?

http://jakarta.apache.org/james/FAQ.html#2

> -----Original Message-----
> From: Randahl Fink Isaksen [mailto:[EMAIL PROTECTED]]
> Sent: 21 May 2002 22:51
> To: [EMAIL PROTECTED]
> Subject: Relay prevention
>
>
> Hi
>
>
> I am having a hard time stopping james from relaying mails (see config file below). Here is my list of unsolved issues - I would really appreciate any constructive feedback:
>
> 1. I am using the SenderInFakeDomain matcher but it seems to have no effect. If I telnet to JAMES I can easily make JAMES send an e-mail using arbitrary sender addresses as in "mail from:[EMAIL PROTECTED]". JAMES just gives me an "OK" response.
> 2. I have tried many different parameters for RemoteAddrNotInNetwork in the so-called anti-relay mailet.
> Currently I am trying to send everything to the SPAM folder unless it comes from 127.0.0.1 (JAMES itself) or one of my local IPs, e.g. 10.0.0.23. This has no effect whatsoever - I tested it with on-line relay-testers, and even had a friend from another network telnet to my server, and he was able to send an e-mail as well.
> 3. I tried setting authRequired to true, but this seems not to be compatible with MS Outlook which fails to authenticate (I have tried many different sensible settings). This is the solution which I would like the most, since I hope it could enable me to check my JAMES account outside the office as well.
>
> The fact that my JAMES installation is an open relay has caused me no problems (yet), but I really would like to put an effort into stopping the spammers who are actively abusing my installation. Urgent help will be highly appreciated. My config file is included below.
>
> Thanks
>
>
> Randahl
>
>
> <?xml version="1.0"?>
> <config>
>
>   <!-- The James block -->
>   <James>
>     <!-- CHECKME! Set this to the right email address for error reports -->
>     <postmaster>[EMAIL PROTECTED]</postmaster>
>
>     <!-- CONFIRM? -->
>     <!-- servernames identifies the DNS namespace served by this instance of James.
>          If autodetect is TRUE, James will attempt to discover its own name AND use
>          any specified servernames. If autodetect is FALSE, James will use only
>          the specified servernames. By default, the servername 'localhost' is
>          specified. This can be removed, if required. -->
>     <servernames autodetect="FALSE">
>       <servername>rockit.dk</servername>
>       <!--
>       <servername>To override autodetected server names uncomment this.
>       </servername>
>       <servername>localhost</servername>-->
>     </servernames>
>
>     <!-- Set whether user names are case sensitive or insensitive -->
>     <!-- Set whether to enable local aliases -->
>     <usernames ignoreCase="TRUE" enableAliases="TRUE" enableForwarding="TRUE"/>
>
>
>
>     <!-- The inbox repository is the location for users inboxes -->
>     <!-- Default setting: file based repository - enter path ( :/// for absolute) -->
>     <inboxRepository>
>       <repository destinationURL="file://var/mail/inboxes/" type="MAIL">
>       </repository>
>     </inboxRepository>
>     <!-- Alternative inbox repository definition for DB use. -->
>     <!-- The format for the destinationURL is "db://<data-source>/<table>"
>          - <data-source> is the datasource name set up in the database-connections block, below
>          - <table> is the name of the table to store user inboxes in
>          The user name is used as <repositoryName> for this repository config.
>
>     <inboxRepository>
>       <repository destinationURL="db://maildb/inbox/" type="MAIL">
>       </repository>
>     </inboxRepository>
>     -->
>   </James>
>
>   <!-- The James Spool Manager block -->
>   <spoolmanager>
>
>
>     <!-- number of spool threads -->
>     <threads> 10 </threads>
>
>     <!-- Set the packages from which to load mailets and matches -->
>     <mailetpackages>
>       <mailetpackage>org.apache.james.transport.mailets</mailetpackage>
>     </mailetpackages>
>     <matcherpackages>
>       <matcherpackage>org.apache.james.transport.matchers</matcherpackage>
>     </matcherpackages>
>
>     <!-- Processor CONFIGURATION SAMPLE: root is the first processor all mails enter -->
>     <processor name="root">
>       <!-- Checks that the MAIL FROM command was for a valid domain.
>            Important for spam prevention.
>       -->
>       <!-- -->
>       <mailet match="SenderInFakeDomain" class="ToProcessor">
>         <processor> spam </processor>
>       </mailet>
>
>       <!-- Important check to avoid race conditions -->
>       <mailet match="RelayLimit=30" class="Null">
>       </mailet>
>
>       <!-- Check for delivery from a known spam server -->
>       <mailet match="InSpammerBlacklist=blackholes.mail-abuse.org" class="ToProcessor">
>         <processor> spam </processor>
>         <notice> Rejected - see http://www.mail-abuse.org/rbl/ </notice>
>       </mailet>
>
>       <mailet match="InSpammerBlacklist=dialups.mail-abuse.org" class="ToProcessor">
>         <processor> spam </processor>
>         <notice> Dialup - see http://www.mail-abuse.org/dul/ </notice>
>       </mailet>
>
>       <mailet match="InSpammerBlacklist=relays.mail-abuse.org" class="ToProcessor">
>         <processor> spam </processor>
>         <notice> Open spam relay - see http://www.mail-abuse.org/rss/ </notice>
>       </mailet>
>
>       <!-- Sample matching to kill a message (send to Null) -->
>       <mailet match="RecipientIs=badboy@badhost" class="Null">
>       </mailet>
>
>       <!-- Sends remaining mails to the transport processor for either
>            local or remote delivery -->
>       <mailet match="All" class="ToProcessor">
>         <processor> transport </processor>
>       </mailet>
>     </processor>
>
>     <!-- Processor CONFIGURATION SAMPLE: error is the processor mails with
>          failure conditions enter -->
>     <processor name="error">
>       <!-- Logs any messages to the repository specified -->
>       <mailet match="All" class="ToRepository">
>         <repositoryPath> file://var/mail/error/</repositoryPath>
>         <!-- <repositoryPath> db://conf/mail-error.properties </repositoryPath> -->
>         <passThrough> true </passThrough>
>       </mailet>
>
>       <!-- If you want to notify the sender their message was marked as
>            spam, uncomment this -->
>       <mailet match="All" class="NotifySender">
>       </mailet>
>       <!-- -->
>
>       <!-- If you want to notify the postmaster that a message was marked
>            as spam, uncomment this -->
>       <mailet match="All" class="NotifyPostmaster">
>       </mailet>
>       <!-- -->
>
>     </processor>
>
>     <!-- Processor CONFIGURATION SAMPLE: transport is a sample custom
>          processor for local or remote delivery -->
>     <processor name="transport">
>       <!-- If the recipient is for a local account, deliver it locally -->
>       <mailet match="RecipientIsLocal" class="LocalDelivery">
>       </mailet>
>
>       <!-- If the host is handled by this server and it did not get
>            locally delivered, this is an invalid recipient -->
>       <mailet match="HostIsLocal" class="ToProcessor">
>         <processor>error</processor>
>       </mailet>
>
>       <!-- CHECKME!
>            Anti-relay mailet: Add your network address here,
>            e.g. "RemoteAddrNotInNetwork=127.0.0.1, abc.de.*"
>       -->
>
>       <!-- This matcher-mailet pair can prevent relaying... if you change
>            this, you risk making your mail server an open relay point for
>            spammers.
>            NOTE 1: the order of matcher-mailets is important: it must come after
>            valid local recipients have been dealt with but before any attempt is
>            made to deliver the mail remotely.
>            NOTE 2: Add your own network, if you want to relay mail outwards
>            NOTE 3: If you use SMTP AUTH, you may want to comment this
>            so users who are on the road can still use the server -->
>       <mailet match="RemoteAddrNotInNetwork=127.0.0.1, 10.0.0.*" class="ToProcessor">
>         <processor>spam</processor>
>       </mailet>
>
>       <!-- Attempt remote delivery using the specified repository for the spool,
>            using delay time to retry delivery and the maximum number of retries -->
>       <mailet match="All" class="RemoteDelivery">
>         <outgoing> file://var/mail/outgoing/ </outgoing>
>         <!-- <outgoing> db://conf/mail-outgoing.properties </outgoing> -->
>         <delayTime> 21600000 </delayTime>
>         <maxRetries> 5 </maxRetries>
>       </mailet>
>     </processor>
>
>     <!-- Processor CONFIGURATION SAMPLE: spam is where messages detected
>          as relaying or other problems will get sent. You can either log these,
>          bounce these, or just ignore them.
>     -->
>     <processor name="spam">
>       <!-- If you wanted, you could just destroy messages, uncomment this
>            matcher/mailet
>       <mailet match="All" class="Null">
>       </mailet>
>       -->
>
>       <!-- If you want to notify the sender their message was marked as
>            spam, uncomment this -->
>       <mailet match="All" class="NotifySender">
>       </mailet>
>       <!-- -->
>
>       <!-- If you want to notify the postmaster that a message was marked
>            as spam, uncomment this-->
>       <mailet match="All" class="NotifyPostmaster">
>       </mailet>
>       <!-- -->
>
>       <!-- Out of the box, this will log the message to a repository -->
>       <mailet match="All" class="ToRepository">
>         <repositoryPath>file://var/mail/spam/</repositoryPath>
>       </mailet>
>     </processor>
>   </spoolmanager>
>
>
>   <smtpserver>
>     <port>25</port>
>     <!--<bind></bind> uncomment this if you want to bind to a specific
>         inetaddress -->
>     <!--<useTLS>TRUE</useTLS>uncomment this if you want to use TLS (SSL)
>         on this port -->
>     <handler>
>       <!-- helloName is the single host name this instance of James will
>            use to identify itself for example, in SMTP and POP3 greetings. If
>            autodetect is TRUE, James will attempt to discover its own name OR
>            use 'localhost'. If autodetect is FALSE, James will use the value
>            given OR 'localhost' -->
>       <helloName autodetect="FALSE">ROCK IT Mail Server</helloName>
>       <connectiontimeout>360000</connectiontimeout>
>
>       <authRequired>false</authRequired><!-- uncomment this if you want
>            SMTP AUTH support. This is useful if you have users who need to use
>            the email server on the road, while not having your server act as an
>            open relay! -->
>
>       <verifyIdentity>true</verifyIdentity><!-- uncomment this if you want
>            to verify that the MAIL FROM: address is the same user that
>            authenticated. This prevents a user of your mail server from acting
>            as somebody else -->
>
>       <!-- This sets the maximum allowed message size for the smtphandler
>            in KBytes. The value defaults to 0, which means no limit.
>       -->
>       <maxmessagesize>0</maxmessagesize>
>
>     </handler>
>   </smtpserver>
>
>
>
> </config>
>
>
>

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
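
An added example, not part of the original thread and not James project code: a Python sketch that walks the `transport` processor of a James `config.xml` in file order and checks the rule in NOTE 1 of the quoted config, that the anti-relay matcher must come before `RemoteDelivery`. It assumes `RemoteAddrNotInNetwork` treats an entry ending in `*` as a prefix and any other entry as an exact address; the function names are hypothetical and the embedded XML is a sample trimmed from the quoted config.

```python
import xml.etree.ElementTree as ET

# Constructed sample: transport processor trimmed from the quoted config.
SAMPLE = """<config><spoolmanager>
  <processor name="transport">
    <mailet match="RecipientIsLocal" class="LocalDelivery"/>
    <mailet match="HostIsLocal" class="ToProcessor"><processor>error</processor></mailet>
    <mailet match="RemoteAddrNotInNetwork=127.0.0.1, 10.0.0.*" class="ToProcessor">
      <processor>spam</processor>
    </mailet>
    <mailet match="All" class="RemoteDelivery"/>
  </processor>
</spoolmanager></config>"""

GUARD = "RemoteAddrNotInNetwork="

def transport_mailets(xml_text):
    """Yield (match, class) pairs of the transport processor in file order."""
    root = ET.fromstring(xml_text)
    for m in root.findall(".//processor[@name='transport']/mailet"):
        yield m.get("match", ""), m.get("class", "")

def in_network(addr, networks):
    """Assumed model: an entry ending in '*' is a prefix, any other is exact."""
    return any(addr.startswith(n[:-1]) if n.endswith("*") else addr == n
               for n in networks)

def would_relay(xml_text, remote_addr):
    """True if mail for a non-local recipient from remote_addr reaches RemoteDelivery."""
    for match, cls in transport_mailets(xml_text):
        if match.startswith(GUARD):
            nets = [n.strip() for n in match[len(GUARD):].split(",")]
            if not in_network(remote_addr, nets):
                return False          # diverted to the processor named in the mailet
        elif match == "All" and cls == "RemoteDelivery":
            return True               # nothing stopped it before remote delivery
    return False

def audit(xml_text):
    """List ordering problems per NOTE 1 of the quoted config."""
    findings, guarded = [], False
    for match, cls in transport_mailets(xml_text):
        if match.startswith(GUARD):
            guarded = True
            if "*" in [n.strip() for n in match[len(GUARD):].split(",")]:
                findings.append("network list admits every address")
        elif cls == "RemoteDelivery" and not guarded:
            findings.append("RemoteDelivery reachable before any anti-relay matcher")
    return findings

if __name__ == "__main__":
    for addr in ("10.0.0.23", "192.0.2.7"):   # constructed test addresses
        print(addr, "relayed" if would_relay(SAMPLE, addr) else "diverted")
    print(audit(SAMPLE) or "ordering OK")
```

The model covers only matcher order and the network list in the `transport` processor; it does not follow mail into the `spam` processor or account for SMTP AUTH.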
