[ https://issues.apache.org/jira/browse/JAMES-4034?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benoit Tellier closed JAMES-4034.
---------------------------------
    Resolution: Fixed

> SMTP submission: validate FROM header
> -------------------------------------
>
>                 Key: JAMES-4034
>                 URL: https://issues.apache.org/jira/browse/JAMES-4034
>             Project: James Server
>          Issue Type: Improvement
>          Components: SMTPServer
>            Reporter: Benoit Tellier
>            Priority: Major
>              Labels: security
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> h3. Why?
> Prevent and limit email forgery by local users.
> As a James administrator I should have a way to configure SMTP submission to
> reject emails spoofing somebody else's mail address.
> As of today:
> - The JMAP stack controls both the transport envelope and the headers (From), as
> mandated by the JMAP Mail RFC (RFC-8621)
> - However, SMTP only controls the transport envelope and not the headers.
> This control is currently implemented in SenderAuthIdentifyVerificationHook
> and is intended as a hook on the MAIL FROM SMTP command.
> We shall also enforce a control of the From header upon submission in SMTP.
> Such controls would be mandatory for use of Apache James in an environment
> where local users could not be fully trusted, as for instance a SaaS offer.
> h3. How?
> Modify SenderAuthIdentifyVerificationHook so that it is also a
> JamesMessageHook called before enqueuing and checks each and every From header
> the same way it checks the "MAIL FROM" command.
> Modifying SenderAuthIdentifyVerificationHook would enforce this only for
> connected users, i.e. mail submission, and would not affect email relay. This
> also ensures this behaviour will apply by default.
> Refactoring of the underlying AbstractSenderAuthIdentifyVerificationHook
> might be required.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
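The following is an added, stand-alone model of the check the ticket asks for; it is not Apache James code and does not use the James hook API. It applies the rule SenderAuthIdentifyVerificationHook already enforces on MAIL FROM (the address must belong to the authenticated user) to every mailbox in every From: header of the submitted message, which is only possible in a message-level hook that runs after DATA, before enqueuing. The function names, the Verdict type, the case-insensitive normalisation rule, the optional `extra_identities` alias list and the sample messages are assumptions made for this illustration.

```python
"""
Added example, not Apache James code: a model of the JAMES-4034 check that
every From: header of a submitted message must name an identity of the
authenticated user.  Names, normalisation rule and samples are assumptions.
"""
from dataclasses import dataclass
from email import message_from_bytes
from email.utils import getaddresses
from typing import Iterable, Optional


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def canonical(address: str) -> Optional[str]:
    """Normalise an addr-spec for comparison.  Assumption: the domain is
    case-insensitive (RFC 5321) and, as is common for mailbox usernames, the
    local part is compared case-insensitively too.  Returns None for junk."""
    address = address.strip()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    return f"{local.lower()}@{domain.lower()}"


def verify_from_headers(raw_message: bytes, authenticated_user: str,
                        extra_identities: Iterable[str] = ()) -> Verdict:
    """Accept only if every mailbox in every From: header is an identity the
    authenticated user may use.  `extra_identities` stands in for aliases an
    administrator might grant (an assumption, not something the ticket specifies)."""
    allowed = {canonical(authenticated_user)}
    allowed.update(canonical(a) for a in extra_identities)
    allowed.discard(None)

    msg = message_from_bytes(raw_message)
    # get_all, not get: a message may carry several From: headers, and the
    # ticket asks that each and every one be checked.
    header_values = msg.get_all("From")
    if not header_values:
        return Verdict(False, "no From header")

    # getaddresses yields (display-name, addr-spec) pairs.  Only the addr-spec
    # is compared, so a forged display name in front of an honest address is
    # NOT caught by this check (see the usage note).
    mailboxes = [addr for _name, addr in getaddresses(header_values)]
    if not mailboxes:
        return Verdict(False, "From header contains no mailbox")
    for addr in mailboxes:
        c = canonical(addr)
        if c is None:
            return Verdict(False, f"unparseable From mailbox {addr!r}")
        if c not in allowed:
            return Verdict(False,
                           f"From {addr} is not an identity of {authenticated_user}")
    return Verdict(True, "every From mailbox belongs to the authenticated user")


# Constructed sample submissions; mallory@example.com is the authenticated user.
USER = "mallory@example.com"

LEGIT = (b"From: Mallory <Mallory@Example.COM>\r\n"
         b"To: bob@example.com\r\nSubject: hi\r\n\r\nbody\r\n")
FORGED = (b"From: Alice <alice@example.com>\r\n"
          b"To: bob@example.com\r\nSubject: invoice\r\n\r\nbody\r\n")
# First From: is honest, a second one is not: checking only get("From") would miss it.
DOUBLE_FROM = (b"From: mallory@example.com\r\nFrom: alice@example.com\r\n"
               b"To: bob@example.com\r\n\r\nbody\r\n")
# RFC 5322 allows several mailboxes in one From:; all of them must match.
MULTI_MAILBOX = (b"From: mallory@example.com, alice@example.com\r\n"
                 b"To: bob@example.com\r\n\r\nbody\r\n")
NO_FROM = b"To: bob@example.com\r\nSubject: x\r\n\r\nbody\r\n"
# Display-name spoofing: the addr-spec is honest, so this check accepts it.
DISPLAY_NAME = (b'From: "alice@example.com" <mallory@example.com>\r\n'
                b"To: bob@example.com\r\n\r\nbody\r\n")


if __name__ == "__main__":
    samples = [("legit", LEGIT), ("forged", FORGED), ("double-from", DOUBLE_FROM),
               ("multi-mailbox", MULTI_MAILBOX), ("no-from", NO_FROM),
               ("display-name", DISPLAY_NAME)]
    for label, raw in samples:
        v = verify_from_headers(raw, USER)
        print(f"{label:14} {'ACCEPT' if v.accepted else 'REJECT'}: {v.reason}")
```

Two points a practitioner should take from running it. First, the check must iterate over all From: headers and all mailboxes within each one; a message with an honest first From: and a forged second one, or a comma-separated list, passes a check that only looks at the first address. Second, the check compares addr-specs only, as the MAIL FROM check does, so a display name such as `"alice@example.com" <mallory@example.com>` is accepted; catching that needs a separate display-name policy. As the ticket notes, the gate should only apply to authenticated sessions, so unauthenticated relay from other MTAs is unaffected.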