Re: [PR] 3JAMES-4034 SMTP submission: validate FROM header [james-project]

Wed, 15 May 2024 19:23:04 -0700 


quantranhong1999 commented on code in PR #2246:
URL: https://github.com/apache/james-project/pull/2246#discussion_r1602503045


##########
server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/SenderAuthIdentifyVerificationHook.java:
##########
@@ -90,4 +98,55 @@ protected boolean isSenderAllowed(Username connectedUser, 
Username sender) {
         }
         return allowed;
     }
+
+    @Override
+    public HookResult onMessage(SMTPSession session, Mail mail) {
+        System.out.println("mess");

Review Comment:
   ```suggestion
   ```



##########
server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/SenderAuthIdentifyVerificationHook.java:
##########
@@ -90,4 +98,55 @@ protected boolean isSenderAllowed(Username connectedUser, 
Username sender) {
         }
         return allowed;
     }
+
+    @Override
+    public HookResult onMessage(SMTPSession session, Mail mail) {
+        System.out.println("mess");
+        ExtendedSMTPSession nSession = (ExtendedSMTPSession) session;
+        if (nSession.verifyIdentity()) {
+            try {
+                return StreamUtils.ofNullable(mail.getMessage().getFrom())
+                    .distinct()
+                    .flatMap(address -> doCheckMessage(session, address))
+                    .findFirst()
+                    .orElse(HookResult.DECLINED);
+            } catch (MessagingException e) {
+                throw new RuntimeException(e);
+            }
+        } else {
+            return HookResult.DECLINED;
+        }
+    }
+
+    private Stream<HookResult> doCheckMessage(SMTPSession session, Address 
from) {
+        if (fromDoesNotMatchAuthUser(session, from)) {
+            return Stream.of(INVALID_AUTH);
+        } else {
+            return Stream.empty();
+        }
+    }
+
+    private boolean fromDoesNotMatchAuthUser(SMTPSession session, Address 
from) {
+        if (from instanceof InternetAddress internetAddress) {
+            try {
+                MailAddress mailAddress = new 
MailAddress(internetAddress.getAddress());
+                return session.getUsername() != null &&
+                    (!fromMatchSessionUser(mailAddress, session) || 
!belongsToLocalDomain(mailAddress));

Review Comment:
   Is delegated user supported?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to