[ https://issues.apache.org/jira/browse/JAMES-3820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17609658#comment-17609658 ]
ouvtam commented on JAMES-3820:
-------------------------------

After migrating the handler from RcptHook to MailHook, I stumbled over the integration tests (i.e. SMTPServerTest) that failed because of my changes. First, I thought altering the tests to fail at MAIL FROM (i.e. MailHook) seemed right. However, a couple of failed AUTH tests (e.g. SMTPServerTest#testAuth) got me thinking.

For the MTA scenario (i.e. MX/relay) my changes are correct, because AUTH is not required and MAIL FROM is. So, failing at MAIL FROM is correct. However, when running James as an MSA with AUTH in place, can MAIL FROM be skipped? If yes, then a fallback to RCPT TO is still required.

What I came up with: I reintroduced the RcptHook for SenderAuthIdentifyVerificationHook, DNSRBLHandler and ResolvableEhloHeloHandler (SPFHandler only makes sense for MTA). The advantage is that those hooks can be used for both scenarios (MTA and MSA) with the benefit that given a MAIL FROM, the fast fail happens before the RCPT TO. The disadvantage is that this looks a bit confusing:

{code:java}
/*
 * If doMail() was skipped because of successful AUTH we need to call it nevertheless.
 */
@Override
public HookResult doRcpt(SMTPSession session, MaybeSender sender, MailAddress rcpt) {
    return doMail(session, sender);
}
{code}

Another option would be to separate the code for MTA/MSA scenarios. Any suggestions?

> DNS Blocklist: implement DNSRBLHandler as MailHook instead of RcptHook
> ----------------------------------------------------------------------
>
>                 Key: JAMES-3820
>                 URL: https://issues.apache.org/jira/browse/JAMES-3820
>             Project: James Server
>          Issue Type: Improvement
>          Components: SMTPServer
>            Reporter: ouvtam
>            Priority: Minor
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> At the moment the DNSRBL handler
> (org.apache.james.protocols.smtp.core.fastfail.DNSRBLHandler) is implemented
> as a RcptHook. Thus, for every RCPT TO call this handler will be called and a
> blocklist lookup will be issued.
> One can argue it makes sense to implement the handler as a ConnectHandler, so
> the blocklist check is done as early as possible. However, if SMTP AUTH is
> successful then we should allow the connecting client anyway.
> Therefore it makes sense to implement the DNSRBL handler at MAIL FROM stage
> that is MailHook. One exception is the following. According to [RFC
> 4954|https://datatracker.ietf.org/doc/html/rfc4954#section-5], authentication
> information can optionally be provided as ESMTP AUTH parameter with a _single_
> value in the '{{MAIL FROM:}}' command.
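
One way to keep the RCPT TO fallback discussed in the comment while issuing the blocklist lookup only once per session, as an added example that is not part of the original message or of the James code base. `Session`, `Verdict` and `BlocklistCheck` are hypothetical stand-ins rather than James types, and the DNS query is replaced by a predicate over constructed sample data.

```java
import java.util.function.Predicate;

/** Stand-alone model; Session, Verdict and BlocklistCheck are hypothetical, not James types. */
public class BlocklistStageDemo {
    enum Verdict { DECLINED, DENY }

    /** The part of per-connection SMTP state that this check needs. */
    static final class Session {
        final String remoteIp;
        final boolean authenticated;
        Verdict cached;                        // null until the check has run once
        Session(String remoteIp, boolean authenticated) {
            this.remoteIp = remoteIp;
            this.authenticated = authenticated;
        }
    }

    static final class BlocklistCheck {
        private final Predicate<String> listed;   // stands in for the DNS blocklist query
        int lookups = 0;                          // counts how often the "query" is issued
        BlocklistCheck(Predicate<String> listed) { this.listed = listed; }

        /** MAIL FROM stage: issue the lookup at most once per session. */
        Verdict doMail(Session s) {
            if (s.authenticated) return Verdict.DECLINED;   // successful AUTH is never blocked
            if (s.cached == null) {
                lookups++;
                s.cached = listed.test(s.remoteIp) ? Verdict.DENY : Verdict.DECLINED;
            }
            return s.cached;
        }

        /** RCPT TO stage: fallback that reuses the cached verdict instead of a new lookup. */
        Verdict doRcpt(Session s) { return doMail(s); }
    }

    public static void main(String[] args) {
        // Constructed sample data: 192.0.2.10 (documentation range) counts as listed.
        BlocklistCheck check = new BlocklistCheck("192.0.2.10"::equals);

        Session mta = new Session("192.0.2.10", false);       // MAIL FROM, then 3x RCPT TO
        check.doMail(mta);
        for (int i = 0; i < 3; i++) check.doRcpt(mta);
        System.out.println("MTA path:  " + mta.cached + ", lookups=" + check.lookups);

        Session rcptOnly = new Session("192.0.2.10", false);  // doMail() never ran
        System.out.println("RCPT only: " + check.doRcpt(rcptOnly) + ", lookups=" + check.lookups);

        Session msa = new Session("192.0.2.10", true);        // authenticated submission
        System.out.println("MSA path:  " + check.doRcpt(msa) + ", lookups=" + check.lookups);
    }
}
```

The lookup counter shows the difference from a pure RcptHook: repeated RCPT TO commands in one session reuse the stored verdict, and an authenticated session never triggers a query.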