[jira] [Comment Edited] (JAMES-3579) verifyIdentity param should be rejected if authRequired is set to false in SMTP configuration

Thu, 13 May 2021 01:21:04 -0700 


    [ 
https://issues.apache.org/jira/browse/JAMES-3579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17343772#comment-17343772
 ] 

René Cordier edited comment on JAMES-3579 at 5/13/21, 8:20 AM:
---------------------------------------------------------------

https://github.com/apache/james-project/pull/425 solved this


was (Author: rcordier):
https://github.com/apache/james-project/pull/425

> verifyIdentity param should be rejected if authRequired is set to false in 
> SMTP configuration
> ---------------------------------------------------------------------------------------------
>
>                 Key: JAMES-3579
>                 URL: https://issues.apache.org/jira/browse/JAMES-3579
>             Project: James Server
>          Issue Type: Bug
>          Components: SMTPServer
>            Reporter: René Cordier
>            Priority: Minor
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> According to the smtp conf documentation 
> https://james.apache.org/server/config-smtp-lmtp.html:
> "handler.verifyIdentity
> This is an optional tag with a boolean body. This option can only be used if 
> SMTP authentication is required. If the parameter is set to true then the 
> sender address for the submitted message will be verified against the 
> authenticated subject. Verify sender addresses, ensuring that the sender 
> address matches the user who has authenticated. It will verify that the 
> sender address matches the address of the user or one of its alias (from user 
> or domain aliases). This prevents a user of your mail server from acting as 
> someone else If unspecified, default value is true." 
> However, it has been observed that when authRequired is set to false in 
> smtpserver.xml, if verifyIdentity is set to true, the SMTP server is 
> expecting that the user is authenticated to be able to verify its identity.
> To stick to the documentation of James, we should reject this case on James 
> startup.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to