Apache Log4j 2 vulnerability (CVE-2021-44228)
Hello,

Considering the following CVE @ https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

/deployments/james-server-app-3.6.0/conf/log4j2.xml
/deployments/james-server-app-3.6.0/lib/log4j-api-2.14.0.jar
/deployments/james-server-app-3.6.0/lib/log4j-core-2.14.0.jar
/deployments/james-server-app-3.6.0/lib/log4j-slf4j-impl-2.14.0.jar

What are the plans for mitigating this from the Apache James perspective? Or is this a non-issue?

amlan

---
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Please refer to https://www.db.com/disclosures for additional EU corporate and regulatory disclosures and to http://www.db.com/unitedkingdom/content/privacy.htm for information about privacy.

-
To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
For additional commands, e-mail: server-user-h...@james.apache.org
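The jar paths in the question above identify log4j-core 2.14.0, which is inside the range affected by CVE-2021-44228. The following is an added example, not Apache James project code, of the inventory check a defender would run over such a lib directory: parse the log4j-core version from the jar name, classify it against the fixed releases (2.15.0 was the first fixed release for this CVE, with 2.12.2 and 2.3.1 as backports for older Java versions), and confirm whether the JndiLookup class is still inside the jar, since deleting that class was the published mitigation for deployments that could not upgrade. The lib directory it scans is a constructed fixture of empty placeholder jars named after the three jars in the question, so the scan runs offline.

```python
"""Inventory check for CVE-2021-44228 over a James-style lib/ directory.
Added example, not Apache James project code. The lib/ directory is a
constructed fixture: empty placeholder jars carrying the names from the
question, so the scan runs offline."""
import os
import re
import tempfile
import zipfile

# Published mitigation for deployments that cannot upgrade is to delete this
# class from log4j-core; its presence is therefore worth checking separately.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z0-9.]+)?\.jar$")


def parse_log4j_core_version(filename):
    """(major, minor, patch) for a log4j-core jar name, None for any other jar."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """CVE-2021-44228 affects Log4j 2 from 2.0-beta9 through 2.14.1; 2.15.0 was the
    first fixed release, with 2.12.2 (Java 7) and 2.3.1 (Java 6) as backported fixes.
    Pre-release 2.0 betas are treated as affected here, which errs on the side of flagging."""
    major, minor, patch = version
    if major != 2:
        return False
    if (minor, patch) >= (15, 0):
        return False
    if minor == 12:
        return patch < 2
    if minor == 3:
        return patch < 1
    return True


def jar_has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def scan_lib_dir(lib_dir):
    """One finding per log4j-core jar: version, whether the version is affected,
    whether JndiLookup is still present, and the combined verdict."""
    findings = []
    for name in sorted(os.listdir(lib_dir)):
        version = parse_log4j_core_version(name)
        if version is None:
            continue          # log4j-api / log4j-slf4j-impl carry no JNDI lookup code
        path = os.path.join(lib_dir, name)
        affected = is_affected(version)
        has_jndi = jar_has_jndi_lookup(path)
        findings.append({
            "jar": path,
            "version": ".".join(map(str, version)),
            "affected_version": affected,
            "jndi_lookup_present": has_jndi,
            "exposed": affected and has_jndi,
        })
    return findings


def build_sample_lib_dir():
    """Constructed fixture mirroring the jar names in the question (placeholder
    class entries only; these are not real Log4j builds)."""
    lib_dir = tempfile.mkdtemp(prefix="james-lib-")

    def write_jar(name, entries):
        with zipfile.ZipFile(os.path.join(lib_dir, name), "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")

    write_jar("log4j-api-2.14.0.jar", ["org/apache/logging/log4j/Logger.class"])
    write_jar("log4j-core-2.14.0.jar",
              ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP_CLASS])
    write_jar("log4j-slf4j-impl-2.14.0.jar", ["org/slf4j/impl/StaticLoggerBinder.class"])
    return lib_dir


if __name__ == "__main__":
    for finding in scan_lib_dir(build_sample_lib_dir()):
        print(finding)
```

Run against a real deployment by passing the lib directory to scan_lib_dir; a finding with both affected_version and jndi_lookup_present true means neither the upgrade nor the class-removal mitigation has been applied to that jar.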
Re: Apache James MTA 3.6.0 spawning additional connections.
Hello,

This is how the mailet looks. I also, by adding the following optional elements and increasing the timeout to 10 mins, was able to get better connection reuse on the gateway. I need to further optimise the reuse.

- Amlan

60 60 Mailet: outgoing true 4 * 60 minutes, 2 * 4 hours, 18 * 12 hours 3 3 60 60 ${env:MTA_DELIVERY_THREADS} true bounces ${env:SMTP_GATEWAY_1} ${env:SMTP_GATEWAY_2} ${env:SMTP_GATEWAY_3} ${env:SMTP_GATEWAY_4} ${env:SMTP_WEBSSO_USERNAME} ${env:SMTP_WEBSSO_PASSWORD} ${env:SMTP_LOCALHOST_NAME}

On 13/07/2021, 11:21, "btell...@apache.org" wrote:

Hello Amlan,

Could you please share your remote delivery configuration in mailetcontainer.xml? Have you been configuring it as an SMTP gateway?

I noticed this too in a performance enhancement session with flame graphs. To be fairly honest, the code paths handling direct resolution and gateway resolution rely on the very same code path, preventing efforts to pool the underlying SMTP transports and effectively do connection pooling.

I think this could be achieved by segregating the two use cases and actually writing two transport layers (both relying on javax.mail), one doing just direct resolution with connection churn, one achieving gateway forward with good connection pooling. Also, with gateway mode turned on, we no longer need per-domain delivery and can group deliveries (this would reduce network exchanges / connection overhead).

We can discuss these technical details more. I would personally more than welcome contribution on the topic of "Outgoing SMTP connection reuse when gateway mode is active". I would also be happy to be sponsored to contribute it.

Cheers,

Benoit
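The pattern Benoit describes above, one transport opened per delivery versus a pool keyed by gateway host, can be seen with a counting stand-in. The block below is an added example and not Apache James code: the RemoteDelivery mailet and its javax.mail transport are not modelled, `FakeTransport` is a constructed stub that only records how often a gateway is dialled, and `GatewayPool` with its `max_messages_per_connection` and `idle_timeout_s` parameters is an illustration of the pooling idea, not a James setting.

```python
"""Per-message connections versus a per-gateway pool, the 60-messages-to-60-
connections pattern discussed above. Added example, not Apache James code:
the RemoteDelivery mailet and its javax.mail transport are not modelled, and
FakeTransport is a constructed stand-in that only counts how often a gateway
is dialled."""
import time
from collections import defaultdict


class FakeTransport:
    """Stand-in for an SMTP transport: records connects per gateway host."""
    connects = defaultdict(int)

    def __init__(self, host):
        self.host = host
        self.open = False

    def connect(self):
        FakeTransport.connects[self.host] += 1
        self.open = True

    def send(self, message):
        if not self.open:
            raise RuntimeError("transport not connected")
        return f"250 OK {message} via {self.host}"

    def close(self):
        self.open = False


def deliver_unpooled(gateway, messages):
    """One connect/close per message: N messages cost N connections."""
    results = []
    for message in messages:
        transport = FakeTransport(gateway)
        transport.connect()
        results.append(transport.send(message))
        transport.close()
    return results


class GatewayPool:
    """One open transport per gateway host, reused until it has carried
    max_messages_per_connection messages or sat idle longer than idle_timeout_s."""

    def __init__(self, max_messages_per_connection=100, idle_timeout_s=600.0,
                 clock=time.monotonic):
        self.max_per_conn = max_messages_per_connection
        self.idle_timeout = idle_timeout_s
        self.clock = clock
        self._conns = {}   # host -> [transport, messages_sent, last_used]

    def _acquire(self, host):
        now = self.clock()
        entry = self._conns.get(host)
        if entry is not None:
            transport, sent, last_used = entry
            if sent < self.max_per_conn and now - last_used <= self.idle_timeout:
                return entry
            transport.close()                      # worn out or idle too long: reconnect
            del self._conns[host]
        transport = FakeTransport(host)
        transport.connect()
        entry = [transport, 0, now]
        self._conns[host] = entry
        return entry

    def send(self, host, message):
        entry = self._acquire(host)
        result = entry[0].send(message)
        entry[1] += 1
        entry[2] = self.clock()
        return result

    def close_all(self):
        for transport, _, _ in self._conns.values():
            transport.close()
        self._conns.clear()


def deliver_pooled(gateway, messages, pool):
    return [pool.send(gateway, m) for m in messages]


def connection_count(host):
    """How many times host was dialled so far (across all transports)."""
    return FakeTransport.connects[host]


if __name__ == "__main__":
    batch = [f"msg-{i}" for i in range(60)]
    deliver_unpooled("gw-unpooled.example", batch)
    deliver_pooled("gw-pooled.example", batch, GatewayPool())
    print("unpooled:", connection_count("gw-unpooled.example"),
          "pooled:", connection_count("gw-pooled.example"))
```

The per-connection message cap and idle timeout are the two knobs that bound how long a reused connection lives; with gateway mode the same pool entry can carry mail for every destination domain, which is the grouping Benoit mentions.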
Apache James MTA 3.6.0 spawning additional connections.
Hello,

We are seeing something very strange with Apache James MTA.

Keeping the flow below in context, we have a client which only uses 1 connection and reuses it to send emails to Apache James. We have confirmed this through connection tracking. We are seeing Apache James spawning up to 60 connections.

Flow:
Docker Client (1 connection : 60 emails) > Apache James (MTA) on Docker ---(spawning 60 new connections)-> SMTP Gateway.

Configuration:
I have set the following to 1 and retested. It still behaves the same way.

MTA_SPOOL_THREADS=1
MTA_DELIVERY_THREADS=1

${env:MTA_SPOOL_THREADS}
file:///deployments/logs/mail/error/
${env:MTA_DELIVERY_THREADS}

The objective here is to limit the number of connections made to the SMTP gateway.

Any guidance?

Amlan
Re: Apache James : Purely MX record based smtp.
Hello,

To set more context, I am trying to get this to work on:

Version : Apache James 3.6.0
Runtime : RHEL 5.7.x
openshift v3.11.248
kubernetes v1.11.0+d4cacc0

I have been debugging this a bit further:
- I moved to Apache James 3.6.0
- When I set the gateway host in the mailetcontainer.xml == smtp.x.x.com, I get the following error in 3.6.0.
- In my dnsservice.xml I also enabled the with two upstream DNS entries.

Then I get this error:

jvm 1| 02-Jul-2021 21:34:09.722 DEBUG [RemoteDelivery-6] org.xbill.DNS.Lookup.lookup:513 - Lookup for smtp.x.x.com./A, cache answer: unknown
jvm 1| 02-Jul-2021 21:34:09.728 DEBUG [RemoteDelivery-6] org.xbill.DNS.ExtendedResolver$Resolution.send:68 - Sending smtp.x.x.com./A, id=50467 to resolver 0 (SimpleResolver [/dnsserrverrip:dnsport]), attempt 1 of 3
jvm 1| 02-Jul-2021 21:34:09.729 DEBUG [RemoteDelivery-6] org.xbill.DNS.SimpleResolver.sendAsync:332 - Sending smtp.x.x.com./A, id=50467 to udp/dnsserrverrip:dnsport
jvm 1| 02-Jul-2021 21:34:09.771 DEBUG [RemoteDelivery-6] org.xbill.DNS.Cache.addMessage:732 - Caching NXRRSET for smtp.x.x.com./A
jvm 1| 02-Jul-2021 21:34:09.771 DEBUG [RemoteDelivery-6] org.xbill.DNS.Lookup.lookup:563 - Queried smtp.x.x.com./A, id=50467: NXRRSET
jvm 1| 02-Jul-2021 21:34:09.772 ERROR [RemoteDelivery-6] org.apache.james.dnsservice.library.MXHostAddressIterator.:79 - Couldn't resolve IP address for discovered host smtp.x.x.com.

- so in my env if I do, I get

$nslookup smtp.x.x.com
*** Can't find smtp.x.x.com: No answer

I am wondering if there is anything specific we need to set up or do to get this to work on kubernetes? Also, has anyone been able to get James to work against MX records which are not coupled with an A name before?

I also feel the fundamental issue is: my MX record has no IP and it is dying as it cannot find one.

$host smtpxxx..com
smtpxxx..com mail is handled by 10 sinxxx.xxx.com.
smtpxxx..com mail is handled by 10 sinyyy.yyy.com.
smtpxxx..com mail is handled by 10 frayyy.yyy.com.
smtpxxx..com mail is handled by 10 fraxxx.xxx.com.

Any advice?

Amlan
Re: Apache James : Purely MX record based smtp.
Hello Benoit,

This is exactly what I am doing in Apache James 3.5.0 in mailetcontainer.xml.

outgoing 5000, 10, 50 25 0 ${env:MTA_DELIVERY_THREADS} true bounces ${env:SMTP_GATEWAY} ${env:SMTP_GATEWAYPORT} ${env:SMTP_WEBSSO_USERNAME} ${env:SMTP_WEBSSO_PASSWORD}

The java exception on the other hand states the following:

jvm 1 | 30-Jun-2021 10:20:30.654 ERROR [RemoteDelivery-2] org.apache.james.dnsservice.library.MXHostAddressIterator.:79 - Couldn't resolve IP address for discovered host smtpxxx..com.

amlan

On 01/07/2021, 02:47, "btell...@apache.org" wrote:

Hello,

If you are using a gateway you should configure it directly in the mailetcontainer.xml RemoteDelivery mailet. Otherwise James would attempt to deliver all mails itself to remote domains.

Eg:

outgoing 5000, 10, 23*50 25 0 10 bounces ${env:JAMES_REMOTE_DELIVERY_GATEWAY} ${env:JAMES_REMOTE_DELIVERY_GATEWAY_PORT} ${env:JAMES_REMOTE_DELIVERY_USERNAME} ${env:JAMES_REMOTE_DELIVERY_PASSWORD}

Cheers,

Benoit
Re: Apache James : Purely MX record based smtp.
Hello,

To be honest, I was not expecting it to need anything else besides an MX record.

The java exception on the other hand states the following:

jvm 1 | 30-Jun-2021 10:20:30.654 ERROR [RemoteDelivery-2] org.apache.james.dnsservice.library.MXHostAddressIterator.:79 - Couldn't resolve IP address for discovered host smtpxxx..com.

It seems to me that the RemoteDelivery class is looking for an IP address for smtpxxx..com and treating it as an A record, whereas all it is is the following:

$host smtpxxx..com
smtpxxx..com mail is handled by 10 sinxxx.xxx.com.
smtpxxx..com mail is handled by 10 sinyyy.yyy.com.
smtpxxx..com mail is handled by 10 frayyy.yyy.com.
smtpxxx..com mail is handled by 10 fraxxx.xxx.com.

All my use case is:

Application running in a container ---> Apache James running in a separate container (MTA) --> SMTP gateway (exposed through MX records)

Amlan

On 30/06/2021, 16:43, "David Matthews" wrote:

hi Amlan

Why do you think any SMTP server needs anything other than an MX record? OK, some TXT records for dkim, spf and dmarc, but why an A record?

I doubt that I properly understand your use case and, since James itself does SMTP, I don't follow why you talk about connecting to an smtp provider with your own James instance.

I'm out of date with James now, but did do a write-up with config changes, as much as for my own future reference as for anyone else. I'm not sure if it will help you, but it's at https://dmatthews.org/java_email.html if you care to look.

best wishes

--
David Matthews
m...@dmatthews.org
Apache James : Purely MX record based smtp.
Hello,

I am a bit unclear, based on the Apache James 3.5.0 docs, whether it is able to connect to an SMTP service provider purely based on MX records. I have gone through the mailing list historically. I have set the gateway and gatewayPort to the published MX record. Logs say the following, which seems to imply it is still looking for an A record.

jvm 1 | 30-Jun-2021 10:20:30.654 ERROR [RemoteDelivery-2] org.apache.james.dnsservice.library.MXHostAddressIterator.:79 - Couldn't resolve IP address for discovered host smtpxxx..com.

In the mailet config I set up the gateway:

${env:SMTP_GATEWAY}
${env:SMTP_GATEWAYPORT}
${env:SMTP_WEBSSO_USERNAME}
${env:SMTP_WEBSSO_PASSWORD}

In dnsservice.xml I also enabled true

Our SMTP service provider is forcing down the MX record with all A records being removed. Is there anything else I need to consider to get this to work?

---
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Please refer to https://www.db.com/disclosures for additional EU corporate and regulatory disclosures and to http://www.db.com/unitedkingdom/content/privacy.htm for information about privacy.
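The whole "Purely MX record based smtp" thread above turns on one distinction: a name that only has MX records answers NXRRSET to an A query (the debug log shows exactly that), while the addresses live on the MX targets (sinxxx.xxx.com and friends in the host output). The block below is an added example with an in-memory zone, not James' own DNS service code; MXHostAddressIterator is referenced by name only. It contrasts an address-only lookup of a configured gateway host with the RFC 5321 MX-then-implicit-A order used for direct delivery. The `gateway_hosts` fallback (try the exchangers when the gateway name has no address) is my suggestion for the MX-only case, not documented James behaviour, and the example.com names are constructed stand-ins for the redacted names in the thread.

```python
"""Model of the resolution step behind 'Couldn't resolve IP address for
discovered host' in the thread above. Added example, not James' own DNS code:
MXHostAddressIterator is only referenced by name, not reproduced. The zone is
an in-memory fixture; the names are constructed stand-ins for the redacted
smtpxxx..com / sinxxx.xxx.com names in the thread."""

# Constructed zone: the gateway name has MX records only (no A), the MX targets
# carry the addresses, and direct.example.com is a plain host with an A record.
ZONE = {
    ("smtpxxx.example.com", "MX"): [(10, "sinxxx.xxx.example.com"),
                                    (10, "sinyyy.yyy.example.com"),
                                    (20, "frayyy.yyy.example.com")],
    ("sinxxx.xxx.example.com", "A"): ["192.0.2.10"],
    ("sinyyy.yyy.example.com", "A"): ["192.0.2.11"],
    ("frayyy.yyy.example.com", "A"): ["192.0.2.12"],
    ("direct.example.com", "A"): ["192.0.2.20"],
}


class NoAnswer(Exception):
    """The NXRRSET case from the debug log: the name exists, but not with that record type."""


def lookup(name, rrtype, zone=ZONE):
    """Return the records of one type for a name; trailing dots (smtp.x.x.com.) are tolerated."""
    records = zone.get((name.rstrip("."), rrtype), [])
    if not records:
        raise NoAnswer(f"{name}/{rrtype}: NXRRSET")
    return records


def address_only(name, zone=ZONE):
    """What the log shows for the configured gateway host: an A lookup and nothing else."""
    return lookup(name, "A", zone)


def mail_exchangers(name, zone=ZONE):
    """MX records by preference, each target resolved to addresses.
    (RFC 5321 also says to shuffle equal-preference targets; omitted here for a stable order.)
    Targets without an address are skipped rather than failing the whole lookup."""
    hosts = []
    for pref, target in sorted(lookup(name, "MX", zone)):
        try:
            hosts.append((pref, target, lookup(target, "A", zone)))
        except NoAnswer:
            continue
    return hosts


def resolve_for_domain(domain, zone=ZONE):
    """Direct delivery order (RFC 5321 section 5.1): MX first; a name with no MX is
    treated as having an implicit MX pointing at itself, i.e. its own A record."""
    try:
        return [(target, addrs) for _, target, addrs in mail_exchangers(domain, zone)]
    except NoAnswer:
        return [(domain, address_only(domain, zone))]


def gateway_hosts(name, zone=ZONE):
    """Candidate (host, addresses) list for a configured gateway: its own address
    record if it has one; otherwise, as a suggested fallback for the MX-only case in
    the thread (an assumption, not James behaviour), the exchangers listed for that name."""
    try:
        return [(name, address_only(name, zone))]
    except NoAnswer:
        return [(target, addrs) for _, target, addrs in mail_exchangers(name, zone)]


if __name__ == "__main__":
    try:
        address_only("smtpxxx.example.com")
    except NoAnswer as e:
        print("gateway A lookup:", e)
    print("gateway fallback:", gateway_hosts("smtpxxx.example.com"))
```

The practical reading of the thread follows from `address_only` versus `gateway_hosts`: a gateway setting expects a host that resolves to an address, so pointing it at one of the MX targets (the names the host command prints) gives the resolver something to connect to, whereas the bare MX-only name will keep producing NXRRSET on the A query.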
Re: James 3.5.0 startTLS="true"
No offence taken. ~smile. Also, these are very good suggestions. Thank you.

On 28/06/2021, 15:30, "Garry Hurley" wrote:

So, this is a Linux box. Let's run down the list of usual suspects:

File does not exist
File permissions are wrong
Directory structure permissions are wrong
File ownership is wrong
File is in the wrong format
Code issue

Now, the first three or four items in the list are where things go wrong most often. If James is running as the root user, the ownership of the file and/or folder should not be an issue. If, however, you have any concept of security and run James as a limited user, you need to check the permissions and ownership of the keystore and its location.

I would also check to see if the file name matches EXACTLY what is in the path. I mean no disrespect, but I don't know how long you have used Linux, and newbies often don't realize that the filenames 'bob', 'Bob', 'BOB' and 'BoB' are all different in Linux, whereas in Windows the OS treats them all as the same filename.

Typically, cacerts should be owned by root and have a - don't quote me on this - 600 or 640 permission (either rw------- or rw-r-----). That means that they are read-write by the owner and MIGHT be readable by the group, but not by others. The directory path needs to be 755 (rwxr-xr-x) at least to allow you to read and execute commands. Not having it at that permission level will make it hard for James to access the file.

I know that this may seem offensive if you 'know' Linux, but I have been using Linux at home since 1996 and professionally since about 2006 (not counting my student job in college). I still make these boneheaded mistakes from time to time and feel like a dumbass every time. It's no shame to be human and make simple mistakes - or at least it shouldn't be. The worst that can happen is people point at you and shake their heads calling you a dumbass, knowing full well they have and likely will make the same mistake at some point.
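Garry's checklist above (exists, file permissions, directory permissions, ownership, exact case-sensitive name, format) can be turned into a pre-flight check that runs before the service starts. The block below is an added example, not Apache James code. It tests the classic Unix permission bits against a stat result instead of opening the file, so it can be run as root on behalf of the service account; the keystore it inspects is a constructed temporary file carrying only the JKS magic header, and the service account is simulated by passing a uid and group list rather than switching user.

```python
"""Pre-flight checks for a keystore path, following the checklist in the reply
above: exists, file permissions, directory permissions, ownership, exact
(case-sensitive) name, file format. Added example, not Apache James code.
The keystore it inspects is a constructed temporary file, and the service
account is simulated by passing a uid and group list instead of switching user."""
import os
import stat
import tempfile


def _user_can(st, uid, gids, owner_bit, group_bit, other_bit):
    """Classic Unix permission check against a stat result (root bypasses it)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def check_keystore_path(path, service_uid, service_gids):
    """Return a list of problems; an empty list means the service user can reach and
    read the file and it is not readable by everyone on the box."""
    problems = []
    if not os.path.exists(path):
        parent, name = os.path.split(path)
        if os.path.isdir(parent):
            near = [n for n in os.listdir(parent) if n.lower() == name.lower() and n != name]
            if near:
                return [f"not found: {path} (found {near[0]!r}; Linux file names are case-sensitive)"]
        return [f"not found: {path}"]
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"not a regular file: {path}")
    if not _user_can(st, service_uid, service_gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(f"not readable by uid {service_uid}: {path} "
                        f"(mode {stat.filemode(st.st_mode)}, owner uid {st.st_uid})")
    if st.st_mode & stat.S_IROTH:
        problems.append(f"world-readable: {path} (mode {stat.filemode(st.st_mode)}); expect 600 or 640")
    # Every directory on the path needs search (x) permission for the service user.
    d = os.path.dirname(os.path.abspath(path))
    while True:
        dst = os.stat(d)
        if not _user_can(dst, service_uid, service_gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(f"directory not searchable by uid {service_uid}: {d} "
                            f"(mode {stat.filemode(dst.st_mode)})")
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return problems


def sniff_keystore_format(path):
    """'File is in the wrong format': JKS starts with magic 0xFEEDFEED, JCEKS with
    0xCECECECE, PKCS#12 is DER and so begins with a SEQUENCE tag (0x30)."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head == b"\xfe\xed\xfe\xed":
        return "JKS"
    if head == b"\xce\xce\xce\xce":
        return "JCEKS"
    if head[:1] == b"\x30":
        return "PKCS12 (DER)"
    return "unknown"


def current_identity():
    """(uid, gids) of the process running this check, supplementary groups included."""
    return os.getuid(), sorted(set([os.getgid()] + os.getgroups()))


def build_fixture():
    """Constructed layout <tmp>/lib/security/cacerts-test, mode 640, with a JKS
    magic header only (not a real keystore). The mkdtemp root stays 0700, which a
    different service uid will correctly be unable to search."""
    root = tempfile.mkdtemp(prefix="keystore-check-")
    sec = os.path.join(root, "lib", "security")
    os.makedirs(sec)
    os.chmod(os.path.join(root, "lib"), 0o755)
    os.chmod(sec, 0o755)
    ks = os.path.join(sec, "cacerts-test")
    with open(ks, "wb") as f:
        f.write(b"\xfe\xed\xfe\xed" + b"\x00" * 12)
    os.chmod(ks, 0o640)
    return ks


if __name__ == "__main__":
    ks = build_fixture()
    uid, gids = current_identity()
    print(sniff_keystore_format(ks))
    print("as current user:", check_keystore_path(ks, uid, gids))
    print("as uid 65534:", check_keystore_path(ks, 65534, []))
```

Run it with the uid and groups James actually runs under; the "not readable" and "directory not searchable" findings correspond to the second, third and fourth items of the checklist, the case-sensitivity hint to the "matches EXACTLY" advice, and the world-readable finding flags a keystore that is more open than the 600/640 Garry recommends.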
James 3.5.0 startTLS="true"
Hello,

I am running into a weird problem with James 3.5.0. I am trying to enable the following but it fails to load the cacerts-test. I have confirmed the file exists and the secret is correct. I also hardcoded the values of the secret but startTLS="true"> to no avail.

/opt/db/jdk/11/${env:JDK}/lib/security/cacerts-test
xxx
org.bouncycastle.jce.provider.BouncyCastleProvider
SunX509

I keep getting:

jvm 1 | org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'smtpserver': Invocation of init method failed; nested exception is java.io.FileNotFoundException: Could not load file /opt/db/jdk/11/jdk11.0.9/lib/security/cacerts-test

jvm 1 | Caused by: java.io.FileNotFoundException: Could not load file /opt/db/jdk/11/jdk11.0.9/lib/security/cacerts-test

Any suggestions, or has anyone else seen this?

Amlan
Rate limiting
Hello,

Apache James : 3.5.0

I have a non-functional requirement which I am trying to implement through Apache James, which is "A maximum of (very low number) emails per hour is allowed". I am currently using the default FileMailQueue approach while trying to adhere to the (very low number) emails per hour requirement.

I have configured the following:

CONNECTION_LIMIT : Set the maximum simultaneous incoming connections for this MTA service : 10
CONNECTION_LIMIT_PERIP : Set the maximum simultaneous incoming connections per IP for this MTA service : 10
DELIVERY_THREADS : The number of threads that should be trying to deliver outgoing messages : 10
SPOOL_THREADS : This is a required positive integer element. It specifies the number of threads the SpoolManager will use to process messages in the spool. This parameter tends to substantially impact performance, so it is advisable to tune it in production configurations. : 30

This meets my emails per hour allowed requirement, but the functional component can peak at 216 emails / s, so we get lost emails.

When the following is done:

CONNECTION_LIMIT : Set the maximum simultaneous incoming connections for this MTA service : 20
CONNECTION_LIMIT_PERIP : Set the maximum simultaneous incoming connections per IP for this MTA service : 20
DELIVERY_THREADS : The number of threads that should be trying to deliver outgoing messages : 10
SPOOL_THREADS : This is a required positive integer element. It specifies the number of threads the SpoolManager will use to process messages in the spool. This parameter tends to substantially impact performance, so it is advisable to tune it in production configurations. : 30

we are blowing the emails per hour limit.

So the question is, do I need to do any custom queueing? Or configuration to enable throttling?

Amlan.
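The two configurations in the question above trade one failure for the other: tight connection limits keep the hourly quota but drop mail during a 216 emails/s burst, looser limits keep the mail but exceed the quota. Those are ingress settings; the per-hour requirement is really an egress throttle. The block below is an added example, not an Apache James feature (James' FileMailQueue and the thread and connection settings quoted above are not modelled): a sliding-window limiter that holds excess messages in a queue instead of dropping them, driven by a fake clock so the burst can be simulated offline and the "at most N in any rolling hour" property checked.

```python
"""Outbound throttle for the 'N emails per hour' requirement in the question
above: a sliding-window limiter that holds messages back instead of dropping
them, driven here by a fake clock so a 216 msg/s burst can be simulated
offline. Added example, not an Apache James feature; James' FileMailQueue and
the thread/connection settings quoted in the question are not modelled."""
import collections


class HourlyQuotaReleaser:
    """At most limit releases within any window of window_s seconds.
    Messages that cannot go out yet stay queued, so nothing is lost."""

    def __init__(self, limit, window_s=3600.0):
        self.limit = limit
        self.window = window_s
        self.sent_at = collections.deque()   # release times still inside the window
        self.queue = collections.deque()

    def enqueue(self, message):
        self.queue.append(message)

    def _expire(self, now):
        # Same expression as next_slot() so a clock set to next_slot() frees the slot.
        while self.sent_at and now >= self.sent_at[0] + self.window:
            self.sent_at.popleft()

    def next_slot(self, now):
        """Earliest time another release is allowed (now if under quota)."""
        self._expire(now)
        if len(self.sent_at) < self.limit:
            return now
        return self.sent_at[0] + self.window

    def release(self, now):
        """Release as many queued messages as the quota allows at now."""
        out = []
        self._expire(now)
        while self.queue and len(self.sent_at) < self.limit:
            out.append(self.queue.popleft())
            self.sent_at.append(now)
        return out


def max_in_window(deliveries, window_s):
    """Largest number of deliveries whose times fall in any [t, t + window_s) interval."""
    times = [t for t, _ in deliveries]
    best = j = 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] < start + window_s:
            j += 1
        best = max(best, j - i)
    return best


def simulate(burst_size, burst_rate_per_s, limit_per_hour):
    """Feed burst_size messages arriving at burst_rate_per_s into the limiter
    and drain it with a fake clock. Returns (deliveries as (time, msg) pairs,
    max deliveries in any rolling hour, time the last message went out)."""
    limiter = HourlyQuotaReleaser(limit_per_hour)
    arrivals = [(i / burst_rate_per_s, f"msg-{i}") for i in range(burst_size)]
    clock, ai, deliveries = 0.0, 0, []
    while ai < len(arrivals) or limiter.queue:
        while ai < len(arrivals) and arrivals[ai][0] <= clock:
            limiter.enqueue(arrivals[ai][1])
            ai += 1
        deliveries.extend((clock, m) for m in limiter.release(clock))
        if limiter.queue:
            clock = limiter.next_slot(clock)        # wait for the oldest slot to expire
        elif ai < len(arrivals):
            clock = arrivals[ai][0]                 # nothing queued: jump to next arrival
    return deliveries, max_in_window(deliveries, 3600.0), clock


if __name__ == "__main__":
    d, peak, finish = simulate(500, 216, 100)
    print(len(d), "delivered; peak per rolling hour:", peak, "; finished at", finish, "s")
```

With a 500-message burst and a quota of 100 per hour, all 500 go out, no rolling hour ever carries more than 100, and the tail of the burst drains across the following four hours; that backlog (and the disk it occupies) is the cost of not dropping mail, so the queue depth is the metric to alert on.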