Ken Lin wrote:
> Maybe this method of "spoofing" users has been overlooked. Even if James has
> SMTP turned on, I can impersonate any user of the server and send another user an email
> without any authentication. In a way, it seems to be a security hole open by default
> unless people apply your section of configuration.

You, anyway, will never stop people from using your email as sender address and sending messages around the world. There are solutions to stop this behaviour (e.g. SPF), but they are not supported by all SMTP servers, so I don't think that we can consider this a "security hole" in James. I'm not 100% sure, but I bet that most mail servers will not block messages with a "from:" containing a local domain from being relayed (even with authentication on).

> Well, we check for recipient address in the first place. This checking is not
> explicitly mentioned in the RFC either, but is just implicitly allowed. By the
> same token, checking the sender address should be allowed too.

You would not be RFC compliant, because you MUST accept a mail "from: [EMAIL PROTECTED]" "to: [EMAIL PROTECTED]" even without authentication.

I think that this is not specified in the RFC and is not even common practice for SMTP servers and we should not make it the default. Btw, if you want to write a patch to provide an option to enable this behaviour I'll try to review it.

> What do you think? Actually, are you a software developer on the James team?
> How do I become one?

I'm a James committer. I was "proposed" by other James committers one year ago, after many months of support here on the list and after having submitted many patches to the issue tracker.

Stefano
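
The two checks discussed in this thread, as an added Python sketch that is not part of the original messages and is not Apache James code: the recipient (relay) check that is always applied, and the optional sender check Ken proposes. `LOCAL_DOMAINS`, the function names, the `require_auth_for_local_sender` switch and the reply codes are assumptions made for the illustration, and the check uses the envelope sender (MAIL FROM), not the `From:` header.

```python
from dataclasses import dataclass

# Constructed sample value: the domains this hypothetical server hosts.
LOCAL_DOMAINS = {"example.org"}


def domain_of(address: str) -> str:
    """Lower-cased domain of an envelope address; '' for the null sender <>."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


@dataclass
class Session:
    authenticated: bool  # did the client complete SMTP AUTH?
    mail_from: str       # envelope sender (MAIL FROM)
    rcpt_to: str         # envelope recipient (RCPT TO)


def decide(s: Session, require_auth_for_local_sender: bool = False):
    """Return an SMTP-style (code, text) reply for one recipient.

    The switch is hypothetical: it models the opt-in behaviour suggested in
    the thread and is off by default.
    """
    rcpt_local = domain_of(s.rcpt_to) in LOCAL_DOMAINS
    sender_local = domain_of(s.mail_from) in LOCAL_DOMAINS

    # Recipient check: an unauthenticated client may only deliver to local
    # domains, otherwise the server would be an open relay.
    if not rcpt_local and not s.authenticated:
        return 550, "relaying denied"

    # Optional sender check: a local-domain envelope sender must authenticate.
    if require_auth_for_local_sender and sender_local and not s.authenticated:
        return 530, "authentication required for local sender"

    return 250, "ok"


if __name__ == "__main__":
    # The case from the thread: unauthenticated, local sender to local user.
    spoof = Session(False, "alice@example.org", "bob@example.org")
    print("default:", decide(spoof))
    print("opt-in :", decide(spoof, require_auth_for_local_sender=True))
```

With the switch on, a message that left the local domain and is forwarded back by an outside host with its envelope sender unchanged is also refused, which is one reason to keep it optional.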
