Hello Otto,
Very interesting,

>  Delay on authentication failure (S)

I will follow how it will be implemented. Right now, I am thinking about Redis
with an expiring key-value entry, where the key is the fingerprint of the client.

> Check user credentials via WebAdmin (M)

What is the key difference between webAdmin endpoint and /jmap/session
endpoint?

Regards,
Tung, Tran Van

On Tue, Nov 2, 2021 at 11:42 PM Otto, Karsten Andreas
<karstenandreas.o...@akquinet.de.invalid> wrote:

> Dear James Community,
>
> Over the last two years, we at Akquinet have developed an email solution
> for the medical and healthcare sector. We chose Apache James for this
> project because it provides
> - a robust clustering solution out of the box,
> - a comprehensive WebAdmin REST interface for integration with other
> product components,
> - a flexible Mailet architecture easily adapting to our specific
> requirements,
> - an open source solution with an active community and commercial
> support where needed.
>
> Our deployment uses the distributed-pop3 app variant, with multiple
> James server instances running on top of a Cassandra cluster,
> S3-compatible blob storage and RabbitMQ. The choice of POP3 may seem
> strange, but our customers typically employ third party systems for
> semi-automatic mail processing. For this use case, POP3 enables much
> simpler systems integration than the more complex protocols.
>
> Despite Apache James being a very flexible solution, we encountered a
> few situations during development where we had to change the original
> codebase in order to meet our requirements. We believe these changes
> might well be of interest to the James community at large, and in the
> spirit of open source we would like to share them with you!
>
> Over the next few weeks we plan to create Jira tickets and pull requests
> for the features below. Let us know what you think, and which you would
> like to see first!
>
> (The list includes a complexity estimate in T-Shirt size, where S is
> just a few / localized changes and L is a lot of code / all over the
> place.)
>
>
> SECURITY ENHANCEMENTS
>
> # TLS authentication via client certificate (M)
>
> Add options to network server configurations to set certificate-based
> authentication mode (none, want, need), and the associated trust store
> to validate these client certificates. Useful to limit server access to
> trusted partners/users.
>
> # Separate trust store for S3 (M)
>
> Extend blob store configuration to specify a trust store, which is used
> to validate the S3 server certificate. Useful if also using TLS client
> cert authentication (see above) to keep the security realms separate.
>
> # Delay on authentication failure (S)
>
> Add an option verifyFailureDelay to usersrepository.xml to delay the
> response if someone tries to authenticate with a non-existing user or
> wrong password. Basic protection against people using James as a
> password oracle for brute-force/dictionary attacks.
>
> # Support password salting (M) *
>
> Add extra hashingMode choices in usersrepository.xml ("salted",
> "legacy_salted") to include the user name in the password hash. Basic
> protection against rainbow table cracking if someone ever manages to
> steal the password database.
>
> # Gradual migration of password hash settings (L) *
>
> Add a hashingMode column to the user table, use it together with the
> algorithm column to verify password hashes. But use the configured
> algorithm and hashingMode from usersrepository.xml when updating the
> password. This way, the user database can gradually migrate to a
> different (hopefully stronger) security setting. Useful to get rid of
> the legacy hashing mode, and to introduce password salting (see above).
>
> *NOTE: Currently only works with Cassandra/Memory, but should be
> possible for JPA as well if someone more experienced with this server
> variant would like to tackle it.
>
>
> POP3 ENHANCEMENTS
>
> # Fix WebAdmin routes for POP3 (S) - already submitted
>
> Include WebAdmin routes and example configuration for managing the
> DeletedMessagesVault in the distributed-pop3 server variant.
>
> # Add Glowroot instrumentation for POP3 (S)
>
> Minor refactoring of POP3 command handlers, and matching glowroot
> configurations. Better diagnostics on what is going on in POP3 handling.
>
> # Configure restore location for deleted messages (S)
>
> Add an option to specify which mailbox receives any restored messages
> from the DeletedMessagesVault, e.g. "INBOX" instead of the default
> "Restored-Messages". Required since POP3 cannot access other mailboxes
> than INBOX.
>
>
> GENERAL FEATURES
>
> # Extra system properties (S)
>
> Read a properties file immediately at server startup and set them as
> system properties. Useful to keep command line clutter down and manageable.
>
> # Check user credentials via WebAdmin (M)
>
> Provide a WebAdmin route to check a username/password combination.
> Reports 204 on success and 401 on failure. Useful for integrating James
> with 3rd party services, e.g. a web admin GUI for users.
>
> # Generalized vacation handling, including via WebAdmin (L)
>
> Refactor the vacation handling code out of JMAP space and make it a
> general James feature. Add a WebAdmin route to query and change a user's
> vacation notice. Useful for integrating James with 3rd party services,
> e.g. a web admin GUI.
>
>
> Regards,
> Karsten Otto
>
> --
>
> akquinet tech@spree GmbH
> Bülowstraße 66 • D-10783 Berlin
> Tel: +49 30 235520-0
> Fax: +49 30 217520-12
>
> E-Mail: karsten.o...@akquinet.de
> Web: www.akquinet.de
>
> Managing Directors: Martin Weber, Dr. Torsten Fink, Heinz Wilming
> District Court Berlin HRB 86780 • VAT ID No.: DE 225 964 680
>
>
>

-- 
Tung, Tran Van
*Phone:* (+84) 35 757 6258
*Skype:* tung.tv202
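The "Delay on authentication failure" item and Tung's Redis idea can be sketched in a few dozen lines. The following is an added example, not Apache James code and not what either poster implemented: an expiring counter store (Redis INCR/EXPIRE style, here in memory with an injectable clock), keyed by a fingerprint of the client, drives an exponential back-off on every failed login. The fingerprint scheme, the back-off formula and the demo user are assumptions made here. Unknown user and wrong password deliberately take the same path so that the delay itself cannot be used to enumerate accounts.

```python
"""Delay on authentication failure, keyed by a client fingerprint.

Added example, not Apache James code: it sketches the idea from the thread of
an expiring key-value store (Redis INCR + EXPIRE style) keyed by a client
fingerprint, used to delay the reply to a failed login. The store, the
fingerprint scheme and the back-off formula are assumptions made here.
"""
import hashlib
import hmac
import time


class ExpiringCounterStore:
    """In-memory stand-in for Redis INCR/EXPIRE/DEL; the clock is injectable for tests."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._data = {}  # key -> (count, expires_at)

    def incr(self, key, ttl_seconds):
        now = self._clock()
        count, expires_at = self._data.get(key, (0, now))
        if expires_at <= now:          # an expired counter starts over, as after EXPIRE fires
            count = 0
        count += 1
        self._data[key] = (count, now + ttl_seconds)   # each failure refreshes the TTL
        return count

    def delete(self, key):
        self._data.pop(key, None)


def client_fingerprint(remote_ip, username):
    """Keying on (source address, target user) limits one client's guesses per account.
    Hashing keeps raw addresses and names out of the store's key space."""
    return hashlib.sha256(f"{remote_ip}\0{username.lower()}".encode()).hexdigest()


class DelayingAuthenticator:
    def __init__(self, check_password, store, base_delay=1.0, max_delay=30.0,
                 window_seconds=600, sleep=time.sleep):
        self._check_password = check_password   # callable(username, password) -> bool
        self._store = store
        self._base_delay = base_delay
        self._max_delay = max_delay
        self._window = window_seconds
        self._sleep = sleep

    def authenticate(self, remote_ip, username, password):
        """Returns (success, delay_applied). Unknown user and wrong password take the
        same path so the delay does not leak which usernames exist."""
        key = client_fingerprint(remote_ip, username)
        if self._check_password(username, password):
            self._store.delete(key)     # a real login clears the client's failure streak
            return True, 0.0
        failures = self._store.incr(key, self._window)
        delay = min(self._base_delay * 2 ** (failures - 1), self._max_delay)
        self._sleep(delay)
        return False, delay


# Constructed credential check for the demo: one user with a SHA-256 password hash.
_DEMO_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()


def demo_check_password(username, password):
    # Always run the comparison, against a dummy hash for unknown users,
    # so both failure cases cost roughly the same time.
    expected = _DEMO_USERS.get(username, _DUMMY_HASH)
    candidate = hashlib.sha256(password.encode()).hexdigest()
    matched = hmac.compare_digest(candidate, expected)
    return matched and username in _DEMO_USERS


if __name__ == "__main__":
    auth = DelayingAuthenticator(demo_check_password, ExpiringCounterStore(), sleep=lambda s: None)
    for pw in ("guess1", "guess2", "guess3", "correct horse"):
        print(pw, auth.authenticate("203.0.113.7", "alice", pw))
```

In a clustered deployment such as the one described in the thread, the counter store has to be shared across James instances (which is exactly why Redis is attractive here); an in-process map would let a client spread attempts over nodes and never trip the delay.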
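The "Support password salting" and "Gradual migration of password hash settings" items describe one mechanism: verify each user with the algorithm and hashingMode stored on that user's record, but write with whatever usersrepository.xml currently configures. The following is an added example, not Apache James code: mode names ("legacy", "salted"), the record layout and the exact digest construction are assumptions made here rather than James's on-disk format. Re-hashing a stale record on a successful login is an extension beyond what the proposal states; the proposal only re-hashes on password update.

```python
"""Per-user password hash settings with gradual migration.

Added example, not Apache James code. It models the two proposals from the
thread: a "salted" hashing mode that folds the user name into the hash, and a
per-user (algorithm, hashingMode) pair that is used to verify while the
configured policy is used to write. Mode names, the record layout and the
exact digest construction are assumptions made here, not James's format.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Configuration-style algorithm names mapped to hashlib names (assumed mapping).
_HASHLIB_NAMES = {"SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


@dataclass
class HashPolicy:
    """What usersrepository.xml would configure: the algorithm and hashingMode to write."""
    algorithm: str
    hashing_mode: str


@dataclass
class UserRecord:
    """One row of the user table, carrying the settings its hash was made with."""
    username: str
    algorithm: str
    hashing_mode: str
    password_hash: str


def compute_hash(algorithm, hashing_mode, username, password):
    h = hashlib.new(_HASHLIB_NAMES[algorithm])
    if hashing_mode == "legacy":
        # unsalted: identical passwords give identical hashes across users
        h.update(password.encode())
    elif hashing_mode == "salted":
        # the normalised user name acts as the salt; the separator prevents
        # "ab"+"c" and "a"+"bc" from producing the same input
        h.update(username.lower().encode() + b"\0" + password.encode())
    else:
        raise ValueError(f"unknown hashingMode {hashing_mode!r}")
    return h.hexdigest()


class UserStore:
    def __init__(self, policy):
        self.policy = policy
        self._users = {}

    def add_user(self, username, password, algorithm=None, hashing_mode=None):
        """New users get the configured policy; explicit values simulate rows
        that were written under an older configuration."""
        algorithm = algorithm or self.policy.algorithm
        hashing_mode = hashing_mode or self.policy.hashing_mode
        self._users[username] = UserRecord(
            username, algorithm, hashing_mode,
            compute_hash(algorithm, hashing_mode, username, password))

    def get(self, username):
        return self._users.get(username)

    def verify(self, username, password):
        """Verify with the settings stored on the record, not the current policy."""
        rec = self._users.get(username)
        if rec is None:
            # do comparable work for an unknown user so timing does not reveal existence
            compute_hash(self.policy.algorithm, self.policy.hashing_mode, username, password)
            return False
        expected = compute_hash(rec.algorithm, rec.hashing_mode, username, password)
        return hmac.compare_digest(expected, rec.password_hash)

    def needs_migration(self, username):
        rec = self._users[username]
        return (rec.algorithm, rec.hashing_mode) != (self.policy.algorithm, self.policy.hashing_mode)

    def update_password(self, username, password):
        """Writes always use the configured policy; this is what moves a user forward."""
        self.add_user(username, password)

    def verify_and_migrate(self, username, password):
        """Extension beyond the proposal: a successful login is the one moment the
        plaintext is available, so a stale record can be re-hashed right there."""
        ok = self.verify(username, password)
        if ok and self.needs_migration(username):
            self.update_password(username, password)
        return ok


if __name__ == "__main__":
    store = UserStore(HashPolicy("SHA-512", "salted"))
    store.add_user("alice", "pw-one", algorithm="SHA-1", hashing_mode="legacy")
    print("stale:", store.needs_migration("alice"))
    print("login:", store.verify_and_migrate("alice", "pw-one"))
    print("after:", store.get("alice").algorithm, store.get("alice").hashing_mode)
```

The point worth checking in a review of the real change is that every verification path reads the record's own columns and every write path reads the configuration, with nothing in between that "helpfully" re-derives the mode from the configured default: a single code path that verifies with the configured mode would lock out every user whose row still carries the old one.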
