Re: [PR] 3JAMES-4034 SMTP submission: validate FROM header [james-project]

Wed, 15 May 2024 23:12:15 -0700 


chibenwa commented on code in PR #2246:
URL: https://github.com/apache/james-project/pull/2246#discussion_r1602672602


##########
server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/SenderAuthIdentifyVerificationHook.java:
##########
@@ -90,4 +98,55 @@ protected boolean isSenderAllowed(Username connectedUser, 
Username sender) {
         }
         return allowed;
     }
+
+    @Override
+    public HookResult onMessage(SMTPSession session, Mail mail) {
+        System.out.println("mess");
+        ExtendedSMTPSession nSession = (ExtendedSMTPSession) session;
+        if (nSession.verifyIdentity()) {
+            try {
+                return StreamUtils.ofNullable(mail.getMessage().getFrom())
+                    .distinct()
+                    .flatMap(address -> doCheckMessage(session, address))
+                    .findFirst()
+                    .orElse(HookResult.DECLINED);
+            } catch (MessagingException e) {
+                throw new RuntimeException(e);
+            }
+        } else {
+            return HookResult.DECLINED;
+        }
+    }
+
+    private Stream<HookResult> doCheckMessage(SMTPSession session, Address 
from) {
+        if (fromDoesNotMatchAuthUser(session, from)) {
+            return Stream.of(INVALID_AUTH);
+        } else {
+            return Stream.empty();
+        }
+    }
+
+    private boolean fromDoesNotMatchAuthUser(SMTPSession session, Address 
from) {
+        if (from instanceof InternetAddress internetAddress) {
+            try {
+                MailAddress mailAddress = new 
MailAddress(internetAddress.getAddress());
+                return session.getUsername() != null &&
+                    (!fromMatchSessionUser(mailAddress, session) || 
!belongsToLocalDomain(mailAddress));

Review Comment:
   No need to be supported as
   
   1. that's the same validation layer than JMAP
   2. the authenticated user is identified as the delegated user 
(impersonnation) 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to