Hello Tung, Thanks for the feedback.
On 03/11/2021 11:24, Tung Tran Van wrote: > Hello Otto, > Very interesting, > >> Delay on authentication failure (S) > I will follow how it will be implemented. Right now, I think about Redis > with expire time key-value, with key is the fingerprint of the client. > I think what Otto proposes is "if the authentication fails then just Thead.sleep(1000)" which is a simple business rule mitigating disctionary attacks using James as an Oracle. To implement it you do not need any kind of synchronisations. So it is easy to implement. Of course this is not as efficient as (say) fail2ban [1] (tool scrapping the logs and shadowing ips at the firewall level in case of too many bad logins...) but of course such a set up would need to be distributed (and things would start being complicated with some state synchronization eg through REDIS). Fail2ban stuff is inefficient against a bot farm where the pool of ips used allows to bypass the checks.... [1] https://www.fail2ban.org/wiki/index.php/Main_Page My take is that we could implement the easy thing first :-) >> Check user credentials via WebAdmin (M) > What is the key difference between webAdmin endpoint and /jmap/session > endpoint? 1. Not every admin deploys JMAP 2. Discoverability: given that I'm an admin I am likely familiar with WebAdmin /users endpoints familly. To think of using JMAP session (basic auth) to check a password is complex, non straightforward. Smells like a roundabout way to do things ;-) > > Regards, > Tung, Tran Van > > On Tue, Nov 2, 2021 at 11:42 PM Otto, Karsten Andreas > <karstenandreas.o...@akquinet.de.invalid> wrote: > >> Dear James Community, >> >> Over the last two years, we at Akquinet have developed an email solution >> for the medical and healthcare sector. We chose Apache James for this >> project because it provides >> - a robust clustering solution out of the box, >> - a comprehensive WebAdmin REST interface for integration with other >> product components, >> - a flexible Mailet architecture easily adapting to our specific >> requirements, >> - an open source solution with an active community and commercial >> support where needed. >> >> Our deployment uses the distributed-pop3 app variant, with multiple >> James server instances running on top of a Cassandra cluster, >> S3-compatible blob storage and RabbitMQ. The choice of POP3 may seem >> strange, but our customers typically employ third party systems for >> semi-automatic mail processing. For this use case, POP3 enables much >> simpler systems integration than the more complex protocols. >> >> Despite Apache James being a very flexible solution, we encountered a >> few situations during development where we had to change the original >> codebase in order to meet our requirements. We believe these changes >> might well be of interest to the James community at large, and in the >> spirit of open source we would like to share them with you! >> >> Over the next few weeks we plan to create Jira tickes and pull requests >> for the features below. Let us know what you think, and which you would >> like to see first! >> >> (The list includes a complexity estimate in T-Shirt size, where S is >> just a few / localized changes and L is a lot of code / all over the >> place.) >> >> >> SECURITY ENHANCEMENTS >> >> # TLS authentication via client certificate (M) >> >> Add options to network server configurations to set certificate-based >> authentication mode (none, want, need), and the associated trust store >> to validate these client certificates. Useful to limit server access to >> trusted partners/users. >> >> # Separate trust store for S3 (M) >> >> Extend blob store configuration to specify a trust store, which is used >> to validate the S3 server certificate. Useful if also using TLS client >> cert authentication (see above) to keep the security realms separate. >> >> # Delay on authentication failure (S) >> >> Add an option verifyFailureDelay to usersrepository.xml to delay the >> response if someone tries to authenticate with a non-existing user or >> wrong password. Basic protection against people using James as a >> password oracle for brute-force/dictionary attacks. >> >> # Support password salting (M) * >> >> Add extra hashingMode choices in usersrepository.xml ("salted", >> "legacy_salted") to include the user name in the password hash. Basic >> protection against rainbow table cracking if someone ever manages to >> steal the password database. >> >> # Gradual migration of password hash settings (L) * >> >> Add a hashingMode column to the user table, use it together with the >> algorithm column to verify password hashes. But use the configured >> algorithm and hashingMode from usersrepository.xml when updating the >> password. This way, the user database can gradually migrate to a >> different (hopefully stronger) security setting. Useful to get rid of >> the legacy hashing mode, and to introduce password salting (see above). >> >> *NOTE: Currently only works with Cassandra/Memory, but should be >> possible for JPA as well if someone more experienced with this server >> variant would like to tackle it. >> >> >> POP3 ENHANCEMENTS >> >> # Fix WebAdmin routes for POP3 (S) - already submitted >> >> Include WebAdmin routes and example configuration for managing the >> DeletedMessagesVault in the distributed-pop3 server variant. >> >> # Add Glowroot instrumentation for POP3 (S) >> >> Minor refactoring of POP3 command handlers, and matching glowroot >> configurations. Better diagnostics on what is going on in POP3 handling. >> >> # Configure restore location for deleted messages (S) >> >> Add an option to specify which mailbox receives any restored messages >> from the DeletedMessagesVault, e.g. "INBOX" instead of the default >> "Restored-Messages". Required since POP3 cannot access other mailboxes >> than INBOX. >> >> >> GENERAL FEATURES >> >> # Extra system properties (S) >> >> Read a properties file immediately at server startup and set them as >> system properties. Useful to keep command line clutter down and manageable. >> >> # Check user credentials via WebAdmin (M) >> >> Provide a WebAdmin route to check a username/password combination. >> Reports 204 on success and 401 on failure. Useful for integrating James >> with 3rd party services, e.g. a web admin GUI for users. >> >> # Generalized vacation handling, including via WebAdmin (L) >> >> Refactor the vacation handling code out of JMAP space and make it a >> general James feature. Add a WebAdmin route to query and change a user's >> vacation notice. Useful for integrating James with 3rd party services, >> e.g. a web admin GUI. >> >> >> Regards, >> Karsten Otto >> >> -- >> >> akquinet tech@spree GmbH >> Bülowstraße 66 • D-10783 Berlin >> Tel: +49 30 235520-0 >> Fax: +49 30 217520-12 >> >> E-Mail: karsten.o...@akquinet.de >> Web: www.akquinet.de >> >> Geschäftsführung: Martin Weber, Dr. Torsten Fink, Heinz Wilming >> Amtsgericht Berlin HRB 86780 • USt.-Id. Nr.: DE 225 964 680 >> >> >>
