hi folks,

i've been going through the code with a fine-toothed comb all morning, mainly to 
further my understanding of it as it stands [and eventually to tackle the SMTP headers 
issue and also to get the tests to run :-)], and one of the things i encountered was 
that CmdRCPT apparently allows open relaying, as long as the sender address is a known 
one. this behaviour could be exploited by spammers, as they already use forged 
email-sender addresses.

the proper behaviour would be to check if the smtp client is authenticated or not, 
where authentication would either be explicit (like AUTH etc), or implicit if the 
client's IP address is localhost or 127.0.0.1. this at least is how sendmail can be 
configured.

so i'm thinking that at the very least we need a new state variable in the Protocol 
interface for SMTP, which essentially says whether or not the client is connecting 
from localhost. we then should hard-code this behaviour into CmdRCPT right now, and 
later on, instead develop a pluggable set of criteria that have to be satisfied before 
mail is relayed, and describe that in an mbean's xml configuration. 

i'll start working on the quick solution right now, and start to think about how to 
organize the more modular, pluggable one --- unless something like this already exists 
in the code, and i overlooked it.

mike
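To illustrate the relay decision the post is arguing for (relay only when the client is authenticated or connects from loopback, never merely because the MAIL FROM address is known), here is an added example in Java. It is not JBoss Mail's own code: `SmtpSession`, `RelayCriterion` and `RelayPolicy` are assumed names standing in for the session state and pluggable criteria the post proposes.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.function.Predicate;

// Hypothetical per-connection state (stands in for the "new state variable in the
// Protocol interface" mentioned in the post; not the project's real class).
final class SmtpSession {
    final InetAddress clientAddress;
    final boolean authenticated;   // true only after a successful AUTH exchange
    final String mailFrom;         // forgeable; must never decide relaying on its own

    SmtpSession(InetAddress clientAddress, boolean authenticated, String mailFrom) {
        this.clientAddress = clientAddress;
        this.authenticated = authenticated;
        this.mailFrom = mailFrom;
    }
}

// One pluggable relay criterion: "may this session relay to non-local domains?"
interface RelayCriterion extends Predicate<SmtpSession> {
    RelayCriterion AUTHENTICATED = s -> s.authenticated;
    RelayCriterion LOOPBACK      = s -> s.clientAddress.isLoopbackAddress();
}

// Relay policy evaluated at RCPT TO time (the equivalent of the CmdRCPT check).
final class RelayPolicy {
    private final Set<String> localDomains;      // domains this server delivers for
    private final List<RelayCriterion> criteria; // any one passing permits relaying

    RelayPolicy(Set<String> localDomains, List<RelayCriterion> criteria) {
        this.localDomains = localDomains;
        this.criteria = criteria;
    }

    // Returns true if the recipient may be accepted for this session.
    boolean acceptRecipient(SmtpSession session, String rcptTo) {
        int at = rcptTo.lastIndexOf('@');
        if (at < 0 || at == rcptTo.length() - 1) {
            return false; // malformed address: refuse rather than guess
        }
        String domain = rcptTo.substring(at + 1).toLowerCase(Locale.ROOT);
        if (localDomains.contains(domain)) {
            return true;  // local delivery is never relaying
        }
        // Non-local recipient: only relay if an explicit criterion is satisfied.
        return criteria.stream().anyMatch(c -> c.test(session));
    }
}

public class RelayCheckDemo {
    public static void main(String[] args) throws UnknownHostException {
        RelayPolicy policy = new RelayPolicy(
            Set.of("example.org"),
            List.of(RelayCriterion.AUTHENTICATED, RelayCriterion.LOOPBACK));

        // Constructed sample sessions (addresses are documentation/loopback ranges).
        InetAddress external = InetAddress.getByName("198.51.100.7");
        InetAddress loopback = InetAddress.getByName("127.0.0.1");

        // Known, "trusted" sender address but unauthenticated external client:
        // the old behaviour would relay this; the policy refuses it.
        SmtpSession forged = new SmtpSession(external, false, "admin@example.org");
        System.out.println(policy.acceptRecipient(forged, "victim@example.net"));   // false

        // Same client, but recipient is a local domain: accepted (not relaying).
        System.out.println(policy.acceptRecipient(forged, "alice@example.org"));    // true

        // Client that completed AUTH: allowed to relay.
        SmtpSession authed = new SmtpSession(external, true, "bob@example.org");
        System.out.println(policy.acceptRecipient(authed, "victim@example.net"));   // true

        // Unauthenticated client on loopback: allowed to relay (implicit trust).
        SmtpSession local = new SmtpSession(loopback, false, "cron@example.org");
        System.out.println(policy.acceptRecipient(local, "ops@example.net"));       // true
    }
}
```

The list of `RelayCriterion` values is the hook for the "pluggable set of criteria" the post proposes: loading that list from an mbean's configuration rather than hard-coding it is the later step, but the decision point stays in one place and the sender address is deliberately absent from it.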





JBoss-Development mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-development